Application Security Risk Assessment

An industry-leading approach to securing your organization’s software applications

Based on OWASP’s Application Security Verification Standard (ASVS), our risk assessment services provide an in-depth analysis of your application’s current security posture and a clear path forward to securing your organization’s most valuable assets.

Our AppSec team is made up of experienced security engineers with software development backgrounds who can help you dive deep into your application’s security issues. You can expect extensive knowledge across a wide range of popular programming languages and technologies to help you confidently secure any type of web, mobile or other application.

Our Process:

1. Discovery

Understanding the architecture of an application is essential to ensuring no potential threats go unnoticed during the assessment. Our security consultants will work closely with your team to understand your application and inform our approach. This can include hands-on design workshops and full documentation for your organization.

2. Threat Modelling

Based on the security design output, we conduct threat modelling to identify key threat scenarios specific to your application. We use the STRIDE scheme to classify threat scenarios and the DREAD model to assign impact and likelihood levels, which together determine the risk for each identified issue; the results are reviewed with your team.
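As an added illustration of how a STRIDE-classified, DREAD-scored threat register turns into a prioritized list (example code written for this page, not the firm's own tooling, scoring bands or report format): each scenario is tagged with a STRIDE category and rated 1-10 on the five DREAD factors, then ranked by risk. The split of the DREAD factors into "impact" (Damage, Affected users) and "likelihood" (Reproducibility, Exploitability, Discoverability), the High/Medium/Low thresholds, and the sample threat scenarios are all assumptions constructed for the example.

```python
from dataclasses import dataclass

# STRIDE categories used to classify each threat scenario.
STRIDE = {
    "S": "Spoofing",
    "T": "Tampering",
    "R": "Repudiation",
    "I": "Information disclosure",
    "D": "Denial of service",
    "E": "Elevation of privilege",
}

DREAD_FACTORS = ("damage", "reproducibility", "exploitability",
                 "affected_users", "discoverability")


@dataclass(frozen=True)
class Threat:
    title: str
    stride: str               # one key of STRIDE
    damage: int               # D: how bad a successful attack is (1-10)
    reproducibility: int      # R: how reliably it can be repeated (1-10)
    exploitability: int       # E: how little effort/skill it needs (1-10, higher = easier)
    affected_users: int       # A: how many users are affected (1-10)
    discoverability: int      # D: how easy the weakness is to find (1-10)

    def __post_init__(self):
        # Reject malformed register entries early rather than producing a bogus score.
        if self.stride not in STRIDE:
            raise ValueError(f"unknown STRIDE category {self.stride!r}")
        for name in DREAD_FACTORS:
            value = getattr(self, name)
            if not 1 <= value <= 10:
                raise ValueError(f"{name} must be in 1..10, got {value}")

    # Assumption for this example: damage and affected users describe impact,
    # the remaining three factors describe likelihood.
    def impact(self) -> float:
        return round((self.damage + self.affected_users) / 2, 2)

    def likelihood(self) -> float:
        return round((self.reproducibility + self.exploitability
                      + self.discoverability) / 3, 2)

    def risk(self) -> float:
        # Classic DREAD score: the mean of the five ratings, on a 1-10 scale.
        return round(sum(getattr(self, f) for f in DREAD_FACTORS) / 5, 2)


def rating(score: float) -> str:
    # Band thresholds are an assumption for this example, not published bands.
    if score >= 7:
        return "High"
    if score >= 4:
        return "Medium"
    return "Low"


def rank_threats(threats):
    """Return the register sorted highest risk first, ready for prioritization."""
    ordered = sorted(threats, key=lambda t: (t.risk(), t.impact()), reverse=True)
    return [
        {
            "title": t.title,
            "category": STRIDE[t.stride],
            "impact": t.impact(),
            "likelihood": t.likelihood(),
            "risk": t.risk(),
            "rating": rating(t.risk()),
        }
        for t in ordered
    ]


# Constructed sample register for a hypothetical web application.
SAMPLE_THREATS = [
    Threat("Session token is predictable", "S", 8, 7, 6, 9, 5),
    Threat("Application users can delete their own audit entries", "R", 5, 8, 7, 3, 4),
    Threat("Error page exposes full stack traces", "I", 3, 10, 9, 6, 9),
    Threat("Admin endpoint reachable without authentication", "E", 10, 10, 8, 10, 4),
]

if __name__ == "__main__":
    for row in rank_threats(SAMPLE_THREATS):
        print(f"{row['rating']:6} risk={row['risk']:<4} impact={row['impact']:<4} "
              f"likelihood={row['likelihood']:<5} [{row['category']}] {row['title']}")
```

Sorting on (risk, impact) means that when two scenarios share a DREAD score, the one with the larger business impact is listed first, which is the ordering a risk owner usually wants when deciding what to fix in the next sprint.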

3. Pentesting

Using OWASP’s detailed ASVS assurance criteria, our security team builds and executes test cases using manual and automated methods to verify each threat scenario and identify the actual risks to your business.

Our Output:

Once our process is complete, your team can expect a detailed Application Security Risk Assessment (ASRA) report that contains the findings from the threat modelling and security testing exercises.

Our ASRAs clearly outline security risks based on impact and likelihood, allowing your team to easily prioritize what’s most important to your organization.

This report also comes equipped with recommended controls to support business risk management decisions.

Our Service Packages:

Level 1
  Application Security Verification Standard (ASVS): Level 1 (apps with low assurance needs)
  Manual and Automated Testing: Included
  Security Design Baseline: None
  Threat Modelling: Basic
  Automated Code Analysis: None
  Manual Code Analysis: None
  Duration: 2-4 weeks

Level 2
  Application Security Verification Standard (ASVS): Level 2 (recommended for most apps)
  Manual and Automated Testing: Included
  Security Design Baseline: Questionnaire only
  Threat Modelling: Standard
  Automated Code Analysis: Optional
  Manual Code Analysis: Optional
  Duration: 3-6 weeks

Level 3
  Application Security Verification Standard (ASVS): Level 3 (critical apps needing high trust)
  Manual and Automated Testing: Included
  Security Design Baseline: Questionnaire and security design documentation
  Threat Modelling: Detailed
  Automated Code Analysis: Included
  Manual Code Analysis: Optional
  Duration: 4-8 weeks

Talk with us

Get in touch to book a complimentary security consultation