The web application security testing service provides independent threat assessment for your web application. We simulate real-life attacks during the service to detect security vulnerabilities in the application. Our testing methodology complies with internationally recognised best practices and security standards.

This service by KPMG is primarily designed for businesses and organisations that:

  • develop and/or operate web applications that process (sensitive) customer and/or business critical data
  • use web applications to manage internal systems in production or industry
  • use web applications to provide banking or e-commerce services to customers
  • manage critical infrastructures or provide medical services
The frequency of security testing is flexible and tests can be carried out either at a specific time interval or scheduled for when a new version of an application is about to be launched or when a new dangerous security vulnerability has been detected. The duration of security testing engagements depends largely on the size and complexity of the application being tested, but is typically about 2.5 weeks.

Phases of the service:

1. Preliminary meeting with the client

Before starting an engagement, it is very important that the parties discuss the contents of the engagement and agree on its terms and conditions in order to achieve a mutually satisfactory result at the end of the engagement. At this stage, the parties agree on the scope and the terms of the engagement, the time of execution, the fee, the necessary resources and the testing methodology. This stage ensures that the concerns of each client are addressed individually and they get the solution that suits them best.

2. Intelligence phase

Our team uses the information sent by the client as well as publicly available information to create a clear understanding of the business logic and functional and non-functional requirements of the application. For this purpose, we use the long-term experience of security testers and automatic tools for collecting information.

3. Detecting security vulnerabilities

We use a variety of professional tools and attack techniques to detect security vulnerabilities in the application and carry out our work according to OWASP security standards.

4. Threat assessment

Our experienced and certified team analyses each security vulnerability thoroughly and assesses its level of risk based on the probability of attack and its impact on the client’s assets.

5. Carrying out sample attacks

We test security vulnerabilities using attacks and techniques that are as similar as possible to actual attacks, but we do it in a controlled manner and thereby prevent causing damage to the client’s assets. At this stage, any false positives are removed and the confidentiality, integrity and availability of the client’s data are tested.

6. Preparing a report and presenting the results

The results of the engagement are recorded in the web application security testing report. The report highlights the most important gaps in the security of the application and lists the activities that should be taken to improve it. We provide recommendations for remedying each security vulnerability, and an overall assessment of the complexity of these activities and the resources required. The engagement is completed with a presentation of the report to the client, where we present the findings and answer any further questions that may arise.

The web application security testing report includes:

  • an executive summary that provides a high-level and non-technical overview of the results of the project and serves as an input for business decisions
  • a description of the scope of testing, the methodologies used and all activities carried out
  • a comprehensive technical description of the security vulnerabilities identified, ranked according to their level of risk
  • recommendations on remedying security vulnerabilities or reducing their impact
  • sample attacks that show how dangerous a potential attack may be
In addition, our report contains a separate qualitative security risk assessment, which is an expert opinion on the overall security level of the web application. This assessment evaluates each application according to the overall level of security.

Provide a safe and sustainable business environment for your company. We help build a resilient and reliable digital landscape, even in the face of changing threats.

KPMG Baltics OÜ

+372 626 8700
Ahtri 4, 10151 Tallinn, Estonia
KPMG Baltics KPMG Global Privaatsuspoliitika
Email again:

HR assessment 

HR assessment focuses on mapping the skills and increasing the competencies of the weakest link in cyber security: the users, the employees.

Email again:

Threat assessment

Threat assessment is a tactical and technical service that allows a company to get a quick overview of external threats.

Email again:

Maturity assessment

Maturity assessment helps plan IT investments and design further steps to mitigate vulnerabilities and ensure better security.

Email again: