Marketplace applications typically run within or alongside a core platform and, once installed, can interact directly with users' data or with the platform's APIs. Our marketplace application penetration testing methodology combines DAST (black-box penetration testing) with SAST (manual source code review), which helps ensure that the application itself is secure and compliant before it is made available on the marketplace.
The first step in the review of a marketplace application is to validate the application integration and features to correctly scope the security reviews.
Prerequisites
- Application Source Code
- Application Installation on Platform (with required licenses)
- User Access
The application is then validated for its core features and functionalities and for the data shared between the application and the platform. Moreover, if external applications are integrated with bidirectional data exchange, the external application or API is also considered in scope for the review. The marketplace application review focuses mainly on how the application handles user data, whether it uses secure coding practices, and whether it follows the marketplace's security standards.
Once the scope is set, the detailed security review is performed according to our respective Source Code Review and Web Application Penetration Testing methodologies, and all findings from the SAST and DAST reviews are mapped together.