A BWAPT starts where automated static, dynamic and interactive scanning tools end: it uncovers vulnerabilities that can be exploited by sophisticated attacks and that scanning tools cannot detect. To do so, a BWAPT builds upon the results of automated scanning and leverages them. eShard analyzes the resistance of the implemented protections against real-life attacks and provides a rating of their effectiveness.
Details on how we perform a BWAPT are available here:
The BWAPT is performed by team members who analyze the implementation and test attack paths. Since this is a time-consuming activity, eShard recommends performing BWAPTs as a complement to automated testing. Depending on the risk profile, a security policy may require performing a BWAPT, e.g. at least once a year, or after any significant change (e.g. use of new tools, adding new functionality or a major redesign). eShard delivers BWAPT projects using the recognized PMI PMBOK methodology.
During a BWAPT, eShard simulates real-life adversaries applying the latest attack techniques. This testing approach provides valuable results because it takes a holistic view and considers the “big picture”. eShard puts an emphasis on relevant attack paths observed in real life.