
Martin Hořický
Web application penetration testing is an essential part of security validation that simulates real-world attacks to identify vulnerabilities in the application layer. The objective is not just to check functionality, but to assess whether the application allows unauthorized access, data manipulation, or compromises the confidentiality and availability of information.
For regulated entities, particularly in the financial sector, this type of testing is an essential component in meeting the requirements of European regulations such as DORA and NIS2, which emphasize regular identification and management of cyber risks throughout the entire application lifecycle.
Static security measures alone are not enough; application resilience must also be validated through controlled attacks under realistic conditions.
| Benefit | Description |
|---|---|
| Simulation of Real-World Attacks | Verifying resilience against SQL injection, XSS, path traversal, or CSRF. |
| Application Security Validation | Testing access control, input validation, session management, and encryption. |
| Configuration Flaw Detection | Analyzing HTTP headers, CORS policies, or improper API protection. |
| Business Logic Evaluation | Identifying logic abuse (e.g., unauthorized discounts or fund transfers). |
| Human Factor Identification | For example, weak admin passwords, unlocked test accounts, and similar oversights. |
DORA emphasizes that application penetration testing must be conducted by qualified and independent experts with proven experience in application security, specifically:
- Advanced knowledge of web technologies and application security,
- Experience with application testing tools (e.g., Burp Suite, OWASP ZAP, Postman, SQLmap),
- Ability to simulate real-world attacks (e.g., XSS, SQLi, IDOR, CSRF, session hijacking),
- Experience with forensic outputs and incident reporting in line with regulatory requirements,
- Independence of the testing team from the development team, IT operations department, and infrastructure suppliers.
According to the DORA framework, testing of web applications falls under so-called basic testing: mandatory, routine security assessments of systems supporting critical or important business functions.
The key requirements include:
- Regular testing at least once per year, or prior to each deployment of a major application release.
- Documentation of identified findings and proposed remediation measures, including their subsequent verification (retest) and approval by security management.
- Inclusion of third parties involved in the development, management, or hosting of the application (e.g., outsourced development, cloud providers).
- Identification of the target web application, functionality types, access interfaces (e.g., frontend, REST API), and test types (authenticated/unauthenticated; black-, grey-, or white-box approach).
- Selection of appropriate tools and techniques based on the technology stack and application type.
- Conducting tests from an attacker's perspective (attempts at SQL injection, Cross-Site Scripting (XSS), unauthorized access, authentication bypass, or abuse of business logic).
- Evaluation of identified vulnerabilities based on impact and likelihood of exploitation, with prioritization using CVSS scoring.
- Delivery of a detailed technical report describing the attack vectors, impacts, and remediation suggestions, accompanied by a management summary.
- Consultation on findings, recommendations for code or architecture changes, and possible retesting after implementation of corrective measures.
BDO provides web application penetration testing as part of a comprehensive security strategy. We help organizations identify and remediate technical vulnerabilities before they can be exploited by real-world attackers. Our approach combines manual testing, scripted automation, and deep knowledge of real attack techniques.
01 Technical expertise and experience
We understand the requirements of DORA and NIS2 and tailor our tests to ensure that the outputs are suitable for both supervisory reviews and audits. We assist in defining the testing strategy and ensure its alignment with other types of testing, such as TLPT and penetration tests.
02 Independence and credibility
As an independent consulting firm, we do not own any technologies and offer truly objective assessments. Cooperation with BDO is a clear signal of quality and trust for both regulators and clients.
03 Certified team with expert experience
Our specialists hold certifications such as OSCP, CRTP, eCPPT, BSCP, CEH, CRT, CPSA, CISSP,