Application Level - Vulnerability Assessment & Penetration Testing

Test Objective 

Conduct a test of the application code for security vulnerabilities that meets OWASP standards and PCI requirements.

Audit Serve’s Application Level Vulnerability Assessment & Penetration Testing Methodology 
Step 1: Vulnerability Identification, Analysis and Risk Validation
  • Use the Qualys WAS tool licensed by Audit Serve to identify known security vulnerabilities and poor system configuration
  • Analyze the vulnerabilities found and determine whether they are false positives by validating the system configuration
  • Conduct interviews with the client to discuss the use of the technology where vulnerabilities were discovered and to determine residual risk
Step 2: Active Exploitation
  • Use the exploitation components of the Qualys WAS tool licensed by Audit Serve
  • Run password cracking tools to identify accounts with weak credentials
Step 3: Remedial Advisory
  • Provide guidance on remedial action to reduce the risk of the vulnerabilities identified to acceptable levels
Audit Serve’s Internet Vulnerability Assessment & Penetration Report
Our penetration test report contains two parts:
  • An executive summary intended for senior management, which highlights the findings and action items from the penetration test
  • Detailed findings and action items that describe each vulnerability discovered, its impact, and how to fix it
Common Usage of the Service
  • Many organizations are required to conduct independent application level penetration tests by government regulatory agencies and by vendor management requirements.
  • One of the key requirements of PCI is to perform application level penetration testing.
Contact Mitch Levine at or call (203) 972-3567 to (203) 972-3367 to start the penetration test of your organization.

Cost of Service

Service Option                                   2 – 3 Applications   4 – 7 Applications   8 – 12 Applications
One Time Scan & report w/o rerun option          Call for Price       Call for Price       Call for Price
One Time Scan & report with rerun                Call for Price       Call for Price       Call for Price
Quarterly Scan & report                          Call for Price       Call for Price       Call for Price
Quarterly Scan & report with rerun               Call for Price       Call for Price       Call for Price


The rerun option allows a subsequent scan to be run after the organization completes remediation of the issues identified during the initial scan. If the rerun option is selected, the initial deliverable is a report of issues; the final report is issued after the rerun is performed.




Copyright © 2015. All Rights Reserved.