What is WebSafe™?
The WebSafe™ Web Application Certification Program is designed to thoroughly assess, secure, and certify your web application as being well-secured from all known attacks. While no one can guarantee 100% security, moving up the levels of the WebSafe™ Program increases your assurance levels, and also provides the same assurance to your customers that your website is adequately protected.
Do bear in mind that you can take any of our services without the WebSafe™ certification as well. For instance, you can choose to simply use our Penetration Testing or Source Code Review services without selecting the Certificate and Seal. You could also have the HackAlert monitoring service check your site for malware on a 24/7 basis without getting a Penetration Test or Source Code Review done.
How does it work?
The Program offers certifications for your web application at various levels:
- Silver – Penetration Testing only
- Silver Plus – Penetration Testing plus Design Review
- Gold – Penetration Testing plus Design Review plus Source Code Review
- Gold Plus – Penetration Testing plus Onsite Security Assessment plus Design Review plus Source Code Review plus Web Application Firewall plus Malware Monitoring
- Platinum – Penetration Testing plus Onsite Security Assessment plus Design Review plus Source Code Review plus Web Application Firewall plus Malware Monitoring plus Anti-Phishing (for Banks and Financial Institutions only)
Silver is the basic level to which your web application can get certified. Here we will do a thorough penetration test (addressing both technical and business risks), aligned with internationally recognized frameworks such as the Open Web Application Security Project (OWASP) and the Open Source Security Testing Methodology Manual (OSSTMM). Read more about our Penetration Testing Methodology. Once the Penetration Test is completed, a comprehensive report will be submitted to you and you will have 6 weeks to fix the vulnerabilities. Once you inform us that the reported vulnerabilities have been fixed, we will do a retest. If the retest confirms that all issues have been resolved, we will issue you a formal certification, along with a seal which you can display on your website or in your site/company literature. The usage of the seal is governed by the following “Seal Usage Terms & Conditions”.
Silver Plus takes the assessment of your application to the next level. Not only will we do a thorough penetration test as in Silver, but we will also carry out an application design review based on a Threat Modeling approach. Two reports will be submitted to you – a Penetration Testing report and a Design Review (Threat Modeling) report. Once all the issues in both reports have been addressed, a re-assessment will be carried out. If all the issues in the re-assessment are shown as being fixed, you will be issued a Silver Plus Certified Application certificate along with a Silver Plus Certified Seal.
Gold incorporates the steps in Silver Plus, and further increases your assurance levels by conducting an automated in-depth source code review using a highly popular and patented product called CodeSecure. This product is developed by our close partners Armorize Technologies, and is widely used for conducting source code reviews of PHP, .NET, J2EE and ASP applications. Three reports will be submitted to you – Penetration Testing, Design Review, and Source Code Review. Once you inform us that all the reported issues have been addressed, we will conduct another round of assessments across all three aspects – Penetration Test, Design Review and Source Code Review. Once we are sure that all issues have been addressed satisfactorily, we will issue you a Gold Certified Application certificate along with a Gold Certified Seal.
An application certified at Level Gold Plus is almost guaranteed to never get hacked (remember no 100% guarantees are possible). The Level Gold Plus certification is given to an application that meets the following criteria:
- Quarterly Penetration Tests
- Bi-Annual Onsite Security Assessments
- Bi-Annual Source Code Reviews and Design Reviews
- 24/7 Monitoring by HackAlert
- 24/7 Protection by SmartWebApplicationFirewall (SmartWAF)
The Level Platinum certification is strictly for Banks and Financial Institutions only, since it combines all the components of the Level Gold Plus certificate with our industry-leading anti-phishing solution from Cyveillance.