July 9, 2020 By Timothy Chiu, VP of Marketing
Understanding Web Application Penetration Testing

Here at K2 Cyber Security, we are obviously concerned with web application security, both at runtime and in making sure that applications reaching production carry as few vulnerabilities as possible. The latter requires good coding practices and a well-thought-out penetration test. If you have been wondering how to learn more about web application penetration testing, there is a great new article in Dark Reading, titled “The Hitchhiker’s Guide to Web App Pen Testing,” covering many useful resources to help you get started and understand web application penetration testing. The author started researching web application penetration testing six months ago and is sharing the results of her journey.

As an added benefit, the resources she includes are mostly free and open source. The author starts off smartly by telling readers that they should first understand web languages, including HTML, JavaScript, XML and Ajax, and how programming languages are structured, before even starting on a web application penetration test plan.

In addition to getting a good handle on programming languages, the author also recommends understanding networking terminology. Later in the article she refers to what she calls the bible of web application penetration testing, the book “The Web Application Hacker’s Handbook,” another great resource for web application penetration testers.

When you are ready to start your web application penetration tests and have selected your test tools (one of the ones the author recommends is Burp Suite), you may find that adding the K2 Cyber Security Platform gives you visibility into the threats Burp Suite discovers, and it can usually also find additional vulnerabilities during Burp Suite testing that Burp Suite missed. K2 also works with the other leading test tools to add detail to discovered vulnerabilities, including pinpointing the exact location of the vulnerability in the code. When a vulnerability is discovered (for example, SQL injection, XSS or remote code injection), K2 can report the file name and the line of code that contains the vulnerability, details that testing tools typically cannot provide on their own.

The K2 Cyber Security Platform offers two use cases: the first, described above, is additional visibility during pre-production penetration testing; the second is runtime protection for applications in production. In the second use case, K2 offers a runtime protection solution that detects true zero-day attacks while generating the fewest false positives and alerts. Rather than relying on technologies like signatures, heuristics, fuzzy logic, machine learning or AI, we use a deterministic approach to detect zero-day attacks without being limited to attacks that resemble prior attack knowledge. Deterministic security uses application execution validation: it verifies that API calls are functioning the way the code intended. It uses no prior knowledge about an attack or the underlying vulnerability, which gives our approach the ability to detect genuinely new zero-day attacks. Our technology has 8 patents granted or pending, and produces minimal false alerts.
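The two ideas in the preceding paragraphs, a signature-free check that the code's intended SQL is what actually executes, and reporting the file and line of the code that built the query, can be illustrated with a small wrapper around a database call. The following Python is an added example written for this page, not K2's code and not a description of how K2's product works internally; the tokenizer, the `checked_execute` wrapper and the sample inputs are all constructed for the illustration. It contrasts a regex signature for one well-known payload shape with a structural check that compares the token shape of the executed query against the shape of the template the developer wrote, and it records the caller's file and line the way a runtime agent instrumenting the driver could.

```python
"""Toy contrast of two SQL injection detection styles (regex signature vs.
deterministic structure check) plus caller file/line reporting.
Constructed illustration for this article; not K2's product code."""
import re
import traceback

# Signature for one well-known payload shape (quote, OR, quote).
# A signature only catches shapes someone has already seen.
SIGNATURE = re.compile(r"'\s+or\s+'", re.IGNORECASE)

# Minimal SQL tokenizer: whitespace, single-quoted string literal (with ''
# escape), number, word, multi-character operator, or any single character.
TOKEN_RE = re.compile(
    r"\s+|'(?:[^']|'')*'|\d+(?:\.\d+)?|[A-Za-z_]\w*|<>|<=|>=|!=|--|/\*|\*/|.",
    re.DOTALL,
)


def structure(sql):
    """Reduce a query to its token shape: literals collapse to STR/NUM,
    keywords, identifiers and operators are kept (upper-cased)."""
    shape = []
    for tok in TOKEN_RE.findall(sql):
        if tok.isspace():
            continue
        if tok.startswith("'"):
            shape.append("STR")
        elif tok[0].isdigit():
            shape.append("NUM")
        else:
            shape.append(tok.upper())
    return tuple(shape)


def signature_detects(sql):
    """Signature approach: pattern-match the final query string."""
    return SIGNATURE.search(sql) is not None


def structure_detects(template, params):
    """Deterministic approach: the query the code intended has the shape of
    the template with every placeholder filled by a benign literal. If the
    real parameters change that shape, data has become code."""
    intended = structure(template.format(*(["0"] * len(params))))
    actual = structure(template.format(*params))
    return intended != actual


def checked_execute(template, *params):
    """Stand-in for a DB driver's execute(): build the query the way the
    vulnerable code does (string formatting), run both detectors, and record
    the file, line and function of the caller that built the query."""
    caller = traceback.extract_stack()[-2]  # frame of our caller
    sql = template.format(*params)
    return {
        "sql": sql,
        "signature_hit": signature_detects(sql),
        "structure_hit": structure_detects(template, params),
        "file": caller.filename,
        "line": caller.lineno,
        "function": caller.name,
    }


def lookup_user(name):
    """Deliberately vulnerable: user input is formatted into a string literal."""
    return checked_execute("SELECT id FROM users WHERE name = '{}'", name)


def lookup_order(order_id):
    """Same flaw in a numeric context (no quotes around the placeholder)."""
    return checked_execute("SELECT * FROM orders WHERE id = {}", order_id)


if __name__ == "__main__":
    # Constructed inputs: benign, a textbook payload, the same payload with
    # the spaces the signature expects removed, and a numeric-context payload.
    for fn, value in [(lookup_user, "alice"),
                      (lookup_user, "' OR '1'='1"),
                      (lookup_user, "'OR'1'='1"),
                      (lookup_order, "42"),
                      (lookup_order, "1 OR 1=1")]:
        r = fn(value)
        print(f"{r['function']}() at {r['file']}:{r['line']}  "
              f"sig={r['signature_hit']}  struct={r['structure_hit']}  {r['sql']}")
```

Running it shows the gap between the two styles: the signature fires on `' OR '1'='1` but misses `'OR'1'='1`, while the structure check flags both (and the numeric-context `1 OR 1=1`) because each turns one literal into several tokens the template never had. The reported function and line point at `lookup_user` or `lookup_order`, the code that actually built the query, rather than at the driver.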

Get more out of your web application testing, change how you protect your applications, and check out K2’s application workload security solution.

Find out more about K2 today by requesting a demo, or get your free trial.


