Web and application security audit
Certi360 tests your web applications against OWASP ASVS to detect critical vulnerabilities — injections, weak authentication, data leaks — before production launch.
What is a web security audit?
A web security audit evaluates vulnerabilities in an application or website — authentication, session management, SQL injection, XSS, server configuration — against recognized frameworks like OWASP Top 10 and OWASP ASVS. The result is a prioritized report your developers can act on directly.
This service is essential for Quebec SMBs building SaaS applications, client portals or e-commerce sites subject to Bill 25.
Our OWASP ASVS methodology
The OWASP Application Security Verification Standard (ASVS) defines 280+ security controls in three levels. Certi360 adapts rigour to your context:
- Level 1 — lower-risk applications, protection against opportunistic attacks.
- Level 2 — applications handling sensitive data or subject to Bill 25 (recommended for most SMBs).
- Level 3 — critical applications (health, finance, infrastructure) requiring the strictest verification.
Vulnerability types we detect
- Injections (SQL, LDAP, OS command)
- Reflected and stored cross-site scripting (XSS)
- Broken authentication and session management
- Insufficient access controls (IDOR, privilege escalation)
- Security misconfiguration (TLS, HTTP headers)
- Sensitive data exposure and information leakage
Complementary source code review
For in-house applications, we offer source code review (Java, .NET, PHP, Python) that finds vulnerabilities invisible from the outside. Ideal before fundraising or a major product launch.
See our security testing page for our full technical offering.
Frequently asked questions
- What is a web security audit?
  A web security audit evaluates vulnerabilities in an application or website — authentication, session management, injections, server configuration — against frameworks like OWASP Top 10 or OWASP ASVS. The goal is to find and fix flaws before they are exploited.
- OWASP ASVS or OWASP Top 10: which should I choose?
  OWASP Top 10 lists the ten most critical risks for web applications. OWASP ASVS is a comprehensive standard with 280+ controls in three levels. For an SMB with a critical application, ASVS Level 2 is often the right balance of rigour and cost.
- Is a web audit useful for Bill 25 compliance?
  Yes. Bill 25 requires proportionate security measures to protect personal information. A web audit documents your technical controls and demonstrates reasonable diligence in the event of an incident or client request.
- What does the Certi360 web audit report include?
  Our report includes each vulnerability found, its risk level (CVSS), technical evidence, prioritized remediation recommendations and a debrief with your developers or IT team.
- Should we audit before or after production launch?
  Ideally before go-live and after every major release. An upfront audit avoids costly production fixes and protects users from day one. Certi360 also offers recurring audits for continuously evolving applications.