Level II

USD $750.55 per month

Includes all Level 1 services plus a manual web application penetration test with credentials, plus a retest of all remediated findings.

The following description provides an overview of some of the areas that will be evaluated by the tester:

Enumeration / Reconnaissance

This exercise is a precursor to a penetration test and involves scanning servers and web applications for potentially exploitable vulnerabilities. Specifically, we are looking for misconfigurations, vulnerable software, weak credentials and poorly coded software that a hacker could use to infiltrate a server or compromise the application.

Operational testing

In this dual testing phase, Nano Power Digital will (1) seek to exploit any weaknesses or vulnerabilities identified in the servers or web application to breach them from a black box perspective (i.e., without credentials or knowledge of the systems), and (2) analyze the systems using "standard" user credentials (if applicable) to verify possible privilege escalation paths (possibly due to misconfiguration), as well as to ensure that an end customer operating on the portal from a compromised client system cannot harm the reliability or integrity of the server, application, or data residing on the systems.

Test coverage

The web application penetration test will cover the "OWASP Top 10" and may include the following high-level categories where applicable to the application:

Injection (defects and attacks)

Broken authentication and session management

Cross-site scripting (XSS)

Insecure direct object references

Security misconfiguration

Sensitive data exposure

Missing function-level access control

Cross Site Request Forgery (CSRF)

Using components with known vulnerabilities

Unvalidated redirects and forwards

Manual pen test deliverables

Pen Test Reports: After any test, a full detailed report will be made available. The report will describe items such as test methods used, findings, any proof-of-concept code for successful exploits, as well as remediation steps and suggestions.

Exploit proof-of-concept development: In the event of an exploit, breach or risk, Nano Power Digital will document the testing methodology used, record all evidence collected and develop proof-of-concept exploits for repeatable testing.

Remediation Retesting: After penetration testing, there may be one or more areas of weakness that require reconfiguration, patching or replacement. Nano Power Digital will retest these areas when they are ready and remediation is complete. Retesting is included in this price.
