Web application penetration testing is not just for tech companies. Web apps have become a critical component for organizations of all kinds to streamline access, management, and interaction with data.
Because most web applications are presented externally, they can open an organization to a leak of sensitive data or security breach through the exploitation of vulnerabilities within the app.
The first defense against a security breach from your web applications is regular penetration testing. And while these tests are routine, they can be difficult for organizations to price.
This article will explore the average cost of web application penetration testing and the factors that most affect pricing from one organization to the next. It is designed to help your company select web app pen testers more effectively and avoid any concerns that you might be paying too much.
Scope for Web App Pen Testing
A typical application pen test will be conducted as a white box pen test; that is, the application architecture, credentials, and other technical components will be provided to the team. It is possible to have a black box penetration test conducted, but this may come with additional cost, as it typically requires more effort and time from the testing team. When it comes to white box penetration testing, an organization can expect to go through multiple steps as part of the testing engagement.
Project Scoping: Initially, as part of the kickoff of the penetration testing engagement, the consultancy will conduct scoping. Most consultancies will ask several high-level questions aimed at understanding the size, complexity, and use cases of the application in scope. This may involve a walk-through of the application to assist with understanding and gauging what work needs to be completed. During this phase, it is recommended that the organization raise any areas of concern or specific types of exploits it wants covered, to provide additional focus for the ethical hacker.
Provide Credentials: Following the scoping and kickoff, an organization will need to provide credentials to the testers to allow access to the application. This may be a set of credentials covering the full set of roles or, for an application with a large number of roles, a subset of credentials covering lower-level roles and admin roles. The goal for the tester is to pen test from both an elevated and a non-elevated role to test access control and the ability to elevate user rights or roles within the application.
Automated Testing: Once credentials have been provided, testing will begin. An initial automated assessment will take place to crawl the application and enumerate all of its pages. Often, during this phase, the tester will also conduct a manual review of the application to gain a better understanding of the use cases, business logic, and application behavior.
Once a crawl or page enumeration has been completed, additional automated testing will take place. At this point, large amounts of data, both non-malicious and malicious, will be submitted to the application.
It is not uncommon to see a large load against the application at this point. Nearly all consultancies will utilize a dynamic application security testing tool as part of their process. This allows for easy and quick identification of low-hanging or easily exploited vulnerabilities. This provides a good pen tester with a quick understanding of potential underlying issues that would be an indication of larger, more complicated vulnerabilities within the application.
Manual Testing: Once the automated testing has been completed, manual testing will take place. This may take a few days to several weeks, depending on the size and complexity of the application. While an automated tool may be able to identify and confirm some vulnerabilities, many require a manual approach to identify and exploit. At this point, the ethical hacker will conduct a myriad of tests against the business logic, access controls, authentication, input validation, and many other common security controls.
Most of the engagement will not require much interaction from the organization. Outside of the kickoff and the reporting or closeout call, an organization can expect much of the work to be completed without noticing.
Closeout and Reporting: For closeout and reporting, the tester will provide formal documentation on what was done, when it was done, what was found, and how it was found. At the end of the engagement, after the report has been provided, a final call to discuss what was found, how it was found, and how to reproduce the findings should be conducted. At this time, it is best to have technical resources on the call to ask questions, as needed, to assist with remediation.
Average Costs for Web App Pen Testing
Applications vary in size and complexity, which creates a wide range of average penetration testing costs. It is not uncommon for the most expensive applications to be those that appear low complexity to the organization. This is often because the organization does not realize how many user roles and simple form fields the application contains, all of which impact the price.
Web app penetration testing costs can vary from $15,000 to over $100,000 for a single pen test.
When it comes to pricing, it is always recommended to engage multiple pentest vendors for price quotes for your organization’s application. Further, the factors discussed below apply to white-box penetration testing; black-box penetration tests will often take a time-boxed approach that includes fewer factors but carries a higher web application penetration testing cost overall.
While this list covers many of the most common factors, it is not meant to be all-encompassing, because applications are custom. It is not possible to account for all the various use cases in a single cost model.
Cost Factor #1: Roles or Permissions
One of the first questions that will be asked by a consultancy conducting a penetration test on an application will be how many user roles are possible in the application. This will provide the tester with an idea of how much time is needed to validate access controls within the application.
Keep in mind that any time a user role is created, it requires appropriate security controls on the backend so that only that role can perform the actions it requires. This creates additional work for the tester to validate access to data, actions, and components of the application, as this is rarely accomplished through automated security pen testing. As more roles are added, the penetration testing costs will increase.
This will be further complicated if the application is built as a multi-tenant application. In this case, it is not uncommon to have the number of user roles tested double to allow for testing access control across tenants. In this case, the tester will test for horizontal access control vulnerabilities that might allow an attacker to see other tenant data, delete data, or access actions (like creating new users) in another tenant.
This is not an uncommon issue with multi-tenant applications and should be treated as a critical requirement of the penetration test.
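The role-by-tenant access-control checks described above can be rehearsed before the engagement, which also shows why the effort grows with every role and tenant. This is an added example, not code from the article; the permission model, tenants, records and both `authorize_*` functions are constructed assumptions.

```python
# Added example: a toy multi-tenant authorization model plus a test-matrix
# generator that enumerates every role x tenant x action x record case, the
# work a tester walks through for Cost Factor #1. All data is constructed.
from itertools import product

# Constructed permission model: which actions each role may perform.
ROLE_ACTIONS = {
    "viewer": {"read"},
    "editor": {"read", "update"},
    "admin": {"read", "update", "delete"},
}
ROLES = sorted(ROLE_ACTIONS)
TENANTS = ["acme", "globex"]
ACTIONS = ["read", "update", "delete"]

# Constructed records: each belongs to exactly one tenant.
RECORDS = {
    101: {"tenant": "acme", "title": "Q1 invoice"},
    202: {"tenant": "globex", "title": "Payroll"},
}
RECORD_IDS = sorted(RECORDS)

def authorize_vulnerable(user, action, record_id):
    """Checks the role only; never compares tenants (horizontal access gap)."""
    return action in ROLE_ACTIONS[user["role"]]

def authorize_fixed(user, action, record_id):
    """Role check plus a tenant check: the record must belong to the caller."""
    rec = RECORDS.get(record_id)
    if rec is None or rec["tenant"] != user["tenant"]:
        return False
    return action in ROLE_ACTIONS[user["role"]]

def build_matrix(roles, tenants, actions, record_ids):
    """Every case a tester would exercise. The count is the product of the
    four dimensions, which is why extra roles and tenants raise the estimate."""
    return [
        {"role": r, "tenant": t, "action": a, "record_id": rid}
        for r, t, a, rid in product(roles, tenants, actions, record_ids)
    ]

def find_cross_tenant_access(authorize, matrix):
    """Return the cases where a user reaches a record owned by another tenant."""
    leaks = []
    for case in matrix:
        user = {"role": case["role"], "tenant": case["tenant"]}
        foreign = RECORDS[case["record_id"]]["tenant"] != case["tenant"]
        if foreign and authorize(user, case["action"], case["record_id"]):
            leaks.append(case)
    return leaks
```

Running `find_cross_tenant_access` against the vulnerable function lists every role that can reach the other tenant's record; the fixed function yields an empty list.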
Cost Factor #2: Dynamic Pages
Dynamic pages are considered pages that accept user input. Every time an application accepts user input, it is an opportunity for injection, data leakage, or manipulation of data.
These issues have been mainstays on the OWASP Top 10 since its inception and are extremely critical to the web app penetration test. Just like the number of user roles, this factor provides an indication of the time it will take to conduct the security testing as part of the penetration test.
As the number of pages accepting user input increases, the time needed during manual testing also grows, which will increase the penetration testing pricing.
Cost Factor #3: API Endpoints
This factor is not to be confused with a stand-alone API penetration test. When it comes to the API endpoints in the web application penetration test, the endpoints will be in scope for pen testing as a critical component that will impact the overall security of the application.
It is recommended that a more in-depth API penetration test be conducted if the application is API heavy, as the application penetration test will not typically be a full, deep pen test of the endpoints.
The number of API endpoints will have a large impact on the penetration testing costs. Simply, the larger the number of API endpoints, the more time and the higher the pricing will be for testing. API endpoint penetration testing tends to be a manual process, so this can have a large impact on the total penetration testing cost.
Cost Factor #4: Mobile Variation
It is not uncommon for a web application to have a mobile app counterpart that utilizes the same API services, roles, and database.
When this is the case, it is recommended to have the mobile application tested at the same time to help keep costs lower for the mobile application. Since the two applications share services, this allows each service to be tested in both the mobile and web application context. In many cases, web testing is easier and more streamlined than testing from the mobile device, so this provides additional penetration testing cost savings compared to testing the mobile application on its own.
How Much do Costs Vary from One Vendor to The Next?
When it comes to penetration testing, there are low-cost budget consultancies, and there are higher-cost boutique or specialty consultancies. While it may be a cliché, it holds in this space that you get what you pay for.
With a lower-cost or budget vendor, an organization can expect to be working with green to novice penetration testers who may or may not have an application security background. Odds are very high that the test will rely heavily on automated testing tools, which provide decent but not great results. What could be missed are issues in business logic, access control, some complicated injection, authentication bypass, and many other issues that require manual testing.
When picking a vendor for application penetration testing, it is recommended to review previous work, discuss tester qualifications, and understand the approach (time spent in automated vs. manual).
One of the ways to review the quality of the vendor is to talk to references, review awards, and ask about example findings. A good testing vendor should be able to provide in-depth, quality examples of application exploits that were identified, how they were found, and what the impact of those findings was.
Another item that can impact penetration testing cost from one vendor to the next is where the resources are located. There are extremely talented testers all over the world; location does not have an impact on skills or capabilities. What it does affect is the hourly rate, which will be lower or higher depending on where the tester is located.
This can even hold for small boutique shops in the United States. A boutique shop in New York may cost 2x a boutique shop in Kansas City, due to the cost of consultants in that area. This is another way to help manage costs when a resource is not needed on-site to do testing, and on-site testing is rarely needed for web applications.
How Much Do Web App Pentest Costs Vary from One Industry to the Next?
In almost all cases, the hourly rate will be the same regardless of the industry for the organization. The factors discussed above will be the primary driver for penetration testing pricing. Keeping in mind that penetration testing is a time-boxed approach, the depth of testing that may be required could drive costs up. For instance, if an organization is working in a highly regulated industry or a high-risk industry (finance, government, etc.), the organization may choose to increase the length of the penetration test to test deeper. In almost all situations, this will be a choice of the organization vs. the consultancy charging extra or increasing the time.
Another factor related to the industry that can increase the cost of penetration testing, but not the hourly rate, is if the web application supports IoT devices (either consumer or industrial). The reason the penetration testing cost may go up is due to other products that may integrate or work with the web application. This increases the scope and complexity of the overall testing, which will result in a longer test and higher penetration testing pricing. While it may be tempting to limit the scope, it is important to consider all of the components that interact with the application and test the full ecosystem to ensure a secure solution.
How to Reduce Web App Pen Testing Costs
Managing the overall penetration testing cost, while not sacrificing quality, is one of the most difficult things to do. It is not impossible, but it may require some forward-thinking to accomplish.
An organization may be tempted to limit the scope to the most critical components of the web application, which is a valid approach. If this is the method taken, it is important to understand that additional testing should be planned for items excluded from the original test scope. To accomplish this, it is not uncommon to see an organization choose recurring yearly or biannual testing against the application. With this cadence, it is possible to focus on new features while rotating through key components or focus areas of the application, which allows for both coverage and depth.
Another way to lower the cost of penetration testing, if the vendor provides this as an option, is to utilize source code analysis as part of the penetration test.
Providing the source code to be reviewed through automated and limited manual analysis can provide a shortcut to validating exploitable vulnerabilities. Rather than having the tester poke around in the dark for hours on end, this sheds light on where the problem areas may be in the application, speeding up identification. Taking this approach could allow for a shorter, lower-cost app pen test without sacrificing too much in the way of depth and quality.
Finally, companies with web applications might see a cost reduction by utilizing a Penetration Testing as a Service option, which provides a shallower test, but more regularly, and with better integration with developers and internal security staff.
Costs of Web App Pen Testing Vs Benefits
Social engineering might be the most prevalent type of security breach, but web application breaches are a close second.
Whether it be a misconfiguration where a database is exposed to the public or an injection attack, it is increasingly common to see a breach originating from application exploitation. Take the time to look at the number of applications your organization is utilizing, developing, and publishing. Odds are, there are more than you think you have, which increases exposure and risk.
Understanding your risk and exposure is the first step in evaluating if penetration testing services will have the return on investment that would justify them.
When reviewing data to make that decision, be sure to include the hit to reputation, the operational cost of investigation, mitigation, and remediation, and the fines that will surely follow. Combined, these add up quickly and could easily exceed six figures, if not seven, for an organization. While a yearly web application penetration test may not be cheap, lost revenue, lost reputation, and fines can easily exceed that yearly cost, and the test will most likely cover your organization for many years to come.