According to a MITRE report, more than a quarter of the vulnerabilities detected in 2006 were problems with web application security. Unlike the operating systems, DBMSs and application software used in a corporate network, web applications are as a rule developed in-house and are not tested as thoroughly as widely distributed software.
On the other hand, web application problems are much easier to detect and exploit, which is why the "break-in through port 80" is a popular method among attackers.
The "Internet Security Threat Report" by Symantec shows that up to 80% of the vulnerabilities that could be exploited by attackers are web server vulnerabilities.
By exploiting defects introduced during system development and operation, attackers can copy and modify data in corporate databases, carry out fraud ("phishing", "pharming"), gain access to the company's internal network, and so on.
The significant business losses associated with insufficient web service protection are reflected in a number of industry standards. For example, the Payment Card Industry Data Security Standard (PCI DSS) includes requirements for source code analysis by a third party that specializes in application system security.
Positive Technologies' experience allows it to conduct web application analysis of any complexity. Web application security assessment can be done by "black box" methods and also by source code analysis. The second method is more effective but more laborious.
Established analysis and application security assessment methods, developed with the active participation of Positive Technologies experts, such as the OWASP Top 10, the Web Application Security Consortium Threat Classification and the Common Vulnerability Scoring System, are used. All web application components are analyzed: design, network communications, OS settings, external data sources, information repositories, authentication and authorization mechanisms, and server and client components.