
A Web Application Security Assessment (WASA)

A WASA, sometimes referred to as a web application penetration test or web application security audit, is a process to identify, analyze, and report on vulnerabilities in a web application that could potentially be exploited by attackers.

The goal of a WASA is to uncover security weaknesses and vulnerabilities in a web application before attackers do. The process involves both automated and manual testing techniques and typically includes examining the application for known vulnerabilities, such as those listed in the OWASP Top 10, as well as looking for application-specific security issues.

Here’s a general overview of what a WASA typically involves:

  1. Information Gathering: This includes gathering information about the application, its functionality, underlying technologies, and the overall environment in which it operates.
  2. Automated Scanning: Automated tools like Dynamic Application Security Testing (DAST) tools are used to scan the application for known vulnerabilities.
  3. Manual Testing: In addition to automated scanning, manual testing is performed to uncover vulnerabilities that automated tools might miss. This could include things like business logic flaws or complex multi-step vulnerabilities.
  4. Vulnerability Verification: Suspected vulnerabilities are verified to confirm their existence and understand their potential impact.
  5. Reporting: A detailed report is generated that lists the identified vulnerabilities, their severity, potential impact, and recommendations for remediation.
  6. Remediation and Re-testing: The identified vulnerabilities are remediated, and the application is re-tested to ensure that the vulnerabilities have been successfully addressed.

By conducting a WASA, organizations can significantly improve the security of their web applications, protect sensitive data, and maintain compliance with various regulations and standards.

How a Web Application Security Assessment (WASA) is performed:

A Web Application Security Assessment (WASA) is a comprehensive process to evaluate the security of a web application. It involves both automated and manual techniques to uncover potential vulnerabilities. Here is a general outline of how a WASA is typically performed:

  1. Planning and Defining Scope: In this phase, the target application and the objectives of the assessment are defined. The scope can include specific parts of the application, particular types of vulnerabilities to be focused on, or the level of manual versus automated testing to be performed.
  2. Information Gathering: This involves understanding the application’s functionality, architecture, and technology stack. This information helps identify potential areas of weakness and guides the testing process.
  3. Automated Scanning: Automated tools like Dynamic Application Security Testing (DAST) or Static Application Security Testing (SAST) tools are often used to quickly scan the application for known vulnerabilities. This can include SQL injection, cross-site scripting (XSS), and other common vulnerabilities.
  4. Manual Testing: Automated tools can’t catch everything, so manual testing is often employed to uncover vulnerabilities that automated tools might miss. This can include business logic errors, authorization and authentication issues, session management vulnerabilities, and more complex, multi-step vulnerabilities.
  5. Vulnerability Verification: If potential vulnerabilities are found, they need to be verified. This often involves trying to exploit the vulnerability in a controlled manner to confirm that it’s real and to understand its potential impact.
  6. Reporting: After the assessment is complete, a detailed report is prepared. This usually includes a list of identified vulnerabilities, their severity, the potential impact if they were exploited, and recommendations for fixing them.
  7. Remediation and Re-testing: Based on the report, the vulnerabilities are then remediated, usually by the application’s development team. Once the issues have been addressed, a re-test is often performed to confirm that the vulnerabilities have been successfully resolved.
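The reporting and re-testing steps above are where assessment findings turn into tracked work. The following Python sketch, added here as an illustration and not part of MCH's page or its assessment process, orders verified findings by severity for the report, keeps unverified scanner hits separate until step 5 confirms them, and then compares the original findings with a re-test run to show which issues were resolved, which remain open, and which are new. The `Finding` fields, the severity ranking and both result sets are constructed assumptions; a real engagement would load them from the assessment report and the re-test output.

```python
"""Tracking WASA findings from report to re-test (added example).

The finding fields, severity bands and sample data are assumptions made
for this illustration, not output from any real assessment.
"""
from dataclasses import dataclass

# Assumed severity ranking used to order the report, most severe first.
SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3, "info": 4}


@dataclass(frozen=True)
class Finding:
    category: str    # e.g. "sql-injection", "reflected-xss"
    location: str    # endpoint and parameter where the issue was observed
    severity: str
    verified: bool   # True only after manual verification (step 5)

    def key(self):
        # Two findings are the same issue when category and location match.
        return (self.category, self.location)


def build_report(findings):
    """Step 6: verified findings sorted by severity, then location.
    Automated hits that were never verified are listed separately so the
    report does not present unconfirmed scanner output as fact."""
    verified = sorted(
        (f for f in findings if f.verified),
        key=lambda f: (SEVERITY_ORDER[f.severity], f.location),
    )
    unverified = [f for f in findings if not f.verified]
    return {"verified": verified, "needs_verification": unverified}


def retest(original, retest_findings):
    """Step 7: compare the original verified findings with the re-test.
    Returns keys of findings that are resolved, still open, or newly found
    (a fix can introduce a regression, so new findings are reported too)."""
    orig_keys = {f.key() for f in original if f.verified}
    new_keys = {f.key() for f in retest_findings}
    return {
        "resolved": sorted(orig_keys - new_keys),
        "still_open": sorted(orig_keys & new_keys),
        "new": sorted(new_keys - orig_keys),
    }


# Constructed sample data (not from any real assessment).
INITIAL = [
    Finding("sql-injection", "/search?q", "critical", True),
    Finding("reflected-xss", "/profile?name", "high", True),
    Finding("missing-security-headers", "/", "low", True),
    Finding("sql-injection", "/export?id", "critical", False),  # scanner hit, unverified
]
RETEST = [
    Finding("missing-security-headers", "/", "low", True),  # not fixed
    Finding("idor", "/orders/{id}", "high", True),          # new issue found on re-test
]

if __name__ == "__main__":
    report = build_report(INITIAL)
    for f in report["verified"]:
        print(f"{f.severity:9} {f.category} at {f.location}")
    print("needs verification:", [f.key() for f in report["needs_verification"]])
    print("re-test:", retest(INITIAL, RETEST))
```

Keying findings on category plus location, rather than on a scanner's internal id, is what lets the re-test comparison work across different tools or tool versions; the trade-off is that an issue that moves to a new endpoint appears as "new" rather than "still open", which is usually the safer way to report it.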

A WASA should be performed regularly, especially when changes are made to the application, to maintain a high level of security. It’s also important to remember that no assessment can uncover 100% of vulnerabilities, so a WASA should be just one part of a comprehensive application security program.

How an organization should select a company to perform its WASA testing:

When choosing a company to provide a Web Application Security Assessment (WASA), it’s essential to consider several factors to ensure you select the most appropriate provider. Here are some key factors to consider:

  1. Expertise and Experience: The provider should have a strong track record and experience in conducting web application security assessments. Check if they have worked with organizations similar to yours in size and industry.
  2. Methodology: Review the company’s approach and methodology for performing the WASA. It should be comprehensive, using both automated and manual testing methods, and align with established industry practices like the OWASP Testing Guide.
  3. Skills and Certifications: The team performing the assessment should have relevant qualifications and certifications, such as Certified Ethical Hacker (CEH), GIAC Certified Web Application Penetration Tester (GWAPT), GIAC Secure Software Programmer (GSSP), Certified Information Systems Security Professional (CISSP), or Offensive Security Certified Professional (OSCP).


MCH CORPORATION © 1998 – 2024. All Rights Reserved.