Web application audit

With a Puffin web application audit, you can prevent security problems that stem from injections of malicious code, such as cryptojacking and formjacking.


Webapp & website security audit services

Nowadays, websites are the targets of constant attacks, which may be initiated from any country around the world. These are usually brute-force attacks in which automated software generates consecutive codes until it finds the right one to access the desired data.

Our approach to Web app security

With the proliferation of the web for communication, companies need to be aware of the value of auditing web security in order to prevent breaches and downtime. Even though cyber criminals have developed sophisticated attacks to disrupt access, commit fraud or steal confidential data, web security is probably the most overlooked issue in cyber security.

Traditional firewalls, SSL, Intrusion Detection Systems (IDS) and other security measures cannot prevent these sophisticated threats, which may leave your organization exposed to security breaches unless your applications themselves are secured against web attacks.

Risks of not securing your web applications

Sales loss or even business shut down

Judgments, legal costs and regulatory penalties

Damages for reputation loss

Problems accepting payment cards

Economic losses by fraud


Why do you need to audit your website?

Nowadays organizations are fully aware that their websites and applications are a public representation of their corporate image. Downtime due to a security breach may result, at the very least, in loss of reputation, trust and revenue.

Due to the massive number of attacks every day, website security is becoming a priority challenge for any organization. Web application vulnerabilities exist when security is not taken care of, leaving sensitive information such as your whole web database unprotected, and turning your site into the launch site of cyber attacks such as phishing or transferring illegal content.

Reviewing your web security periodically is a must, and it means ensuring the basics such as confidentiality, integrity and availability. Only in this way can you keep on doing business without any worry of data loss or availability issues.

Goals of periodical website audit

Website and application security audits help you understand the vulnerabilities in your website or web applications, as they go beyond a collection of automated tests and dive deeper into security controls. With a periodic audit you get regulatory compliance and also peace of mind.

Identify vulnerabilities and potential security breaches

Analyze your website security status as seen by potential attackers

Determine the real business risks for all the players of your company

Benefits of web auditing

With a web security audit we can find vulnerabilities in web applications and servers before attackers do, reducing the risk of data loss.

Early Stage Detection

Mitigate risks by detecting and remediating security vulnerabilities, and configure your systems to your company's maximum security level.

Boost security

Increase end user confidence and company reputation by boosting your defences and meeting the highest security standards.

Reveal vulnerabilities

Illuminate gaps that could be exploited by an attacker to gain access to your environment and systems, and reduce the risk of compliance penalties.

Advantages of Puffin services

Why work with Puffin

At Puffin Security we want to help your company assess the security of your software configuration and web environment. We can conduct a website security audit following the best web application security testing guidelines. This is a complex process that combines automatic and manual methods.

Effectiveness and efficiency

Commitment to results. We use methodologies that ensure the quality policy (ISO 9001) and the achievement of an optimal compromise, prioritizing response time and speed of execution.

Tailored approach service

We adapt tests and rules of engagement to uncover unique vulnerabilities, offering services with flexibility and adequate prices.

Expert execution

Performed by elite security testing consultants on-site or remotely. We can demonstrate experience in security projects at complex organizations, providing knowledge in three areas: organizational, legal and technical.

A multilayered defense in depth

A multilayered review of the defenses of management, risk management and internal audit to ensure that cyber security controls are well designed to protect the information assets and are operating effectively.

Compliance with ethical codes

Compliance with audit standards and ethical codes (ISACA Code of Ethics, ISSA ethical code, OSSTMM Rules of Engagement), in addition to the standards referenced in the audit methodology.

Cyber criminals attack web apps with 3 strategies

Protecting your company's interests is very easy once you are aware of the challenge of website security. Periodically auditing your websites and web applications can highly mitigate risks.

SQL Injection

Attackers insert SQL into a web application database query, taking complete control over your web application database. This attack vector is easily exploited, but it is easily mitigated with a small amount of due diligence.

Cross Site Scripting (XSS)

This is a type of injection, in which malicious scripts are injected into benign and trusted websites. This occurs when an attacker inserts HTML or client-side script in the user interface of a web application.


Vulnerability

This is identified as a flaw in the web application, caused by bugs in the application or the presence of viruses. We can help your company detect this kind of gap so that your developers can fix it as soon as possible.

Web app audit methodology

When performing a web audit we work with the OWASP methodology. We split the test set into several blocks, such as the OWASP Top 10 and SANS top 20 web application vulnerabilities. Besides the web application, we also review the settings of the server where it is hosted. We perform an analysis of the cryptography used and identify unsafe ciphers. Finally, we review third-party components, such as the versions of libraries used in the web application.

To perform these kinds of tests we rely on a large range of tools, depending on the characteristics of the web application. One of the main tools that we use is BurpSuite. The results produced automatically by these tools must be analyzed manually by our consultants to avoid false positives. Once all the information is analyzed, our staff will prepare the final report with reliable and concrete information.

Phases of the Audit Process


Analysis of web structure and third parties

Web app review (with and without user)

Review of design and programming errors

Business logic Review.

Customer Interaction Review.

Generation of results.


Documentation Deliverables

Once all of this is complete you will receive a final report with detailed information about all the tests and results discovered in the web security audit. In this document you will find all the knowledge you need to mitigate the vulnerabilities and weaknesses found. You will find all the vulnerabilities analysed in depth (description, impact, risk level, evidence…) and all the actions we have executed.

$600 Billion

is the amount that cyber crime costs the world a year

Interested in auditing?

Discover all our types of cyber security audit for testing your security plan and finding the gaps that can lead to a data breach.

Around 98% of the apps that have been tested are vulnerable to cyber attack.

At Puffin Security we dig deep into your organization, beyond technology. We consider structures, processes, strategy and people, analysing security within the context of your business.
