The Web components that belong to the Target of Evaluation will be subjected to a Web Application Penetration Test, performed in authenticated or unauthenticated mode, that will include, as far as possible: Information Gathering, Configuration and Deployment Management Testing, Identity Management Testing, Authentication Testing, Authorization Testing, Client-Side and Server-Side Testing, Session Management Testing, Data Validation and Error Handling checks, testing of the Cryptography in use, and Business Logic Testing.
The web site, e-commerce and server infrastructure components exposed on the Internet and defined as the Target of Evaluation will be subject to Security Testing activities, carried out in an unauthenticated, Black Box manner, i.e., without any prior technical information on the targets. Should actual access to the systems be obtained, an accessibility test of adjacent networks and systems may be performed by carrying out Host Discovery, Fingerprinting and Service Enumeration activities and, in any case, only non-invasive activities directed at any Technological Asset, system, service or application reachable at the network interconnection level, in order to perform Information Gathering and to identify points to be analyzed, attack or risk scenarios, or proposals for detailed follow-up studies.