Web Application Penetration Testing Zurich

Web app pentest in Zurich aligned with OWASP, ASVS and CREST

Zurich hosts the largest Swiss web application pentest market: banks, insurers, fintech startups, e-commerce platforms and SaaS providers. Our CREST-certified testers assess web applications against the OWASP Testing Guide, OWASP ASVS and OWASP Top 10 with CVSS-rated findings and detailed remediation.

How much does a web application pentest cost in Zurich?

A web application pentest in Zurich costs between CHF 8,000 and CHF 15,000 for a single application. The range depends on complexity, number of user roles and authentication depth. A lean public web app with standard authentication sits at the lower end. A complex banking platform with multi-tenancy, OAuth 2.0, multiple user roles and back-office functionality runs CHF 12,000 to CHF 15,000. Continuous Web Application Security with quarterly assessments as a retainer model is available from CHF 18,000 per year. Retests after remediation are included in the standard engagement.

Methodology and standards

01 OWASP Testing Guide v4.2

Structured test coverage across all web application layers: configuration, authentication, session management, input validation, cryptography, business logic, client side.

02 OWASP ASVS Level 2

The Application Security Verification Standard serves as the reference framework for security controls: Level 2 for standard business applications, Level 3 for regulated banking or healthcare applications.

03 OWASP Top 10 (2021)

A01 Broken Access Control, A02 Cryptographic Failures, A03 Injection, A04 Insecure Design, A05 Security Misconfiguration, A06 Vulnerable Components, A07 Identification & Authentication Failures, A08 Software & Data Integrity, A09 Logging & Monitoring, A10 SSRF.

04 PTES and NIST SP 800-115

The Penetration Testing Execution Standard structures the engagement; NIST SP 800-115 serves as the overarching methodology framework, compatible with FINMA and ISO 27001 audits.

Common Zurich engagement types

Banking and wealth management

Online banking platforms, trading front-ends, wealth management portals, robo-advisors. Tests account for FINMA Circular 2023/1, TIBER-CH requirements and PSD2 interfaces for EU business.

Insurance

Customer self-service portals, claims applications, broker platforms. Tests cover health-data protection and compliance with the Swiss Insurance Supervision Act.

Fintech and paytech

Mobile-first banking, crypto trading, payment gateways. Tests focus on API security, OAuth 2.0 / OIDC implementation, KYC/AML workflows and crypto wallet integrations.

SaaS and enterprise software

B2B SaaS platforms, ERP and HR applications, multi-tenant architectures. Tests cover tenant isolation, RBAC implementation, SSO integration and data export security.

Frequently asked questions about web app pentests

Answers to the questions Zurich-based tech leads most often raise during scoping calls.

How long does a web app pentest take?

A focused web application pentest typically takes 5 to 10 days. Exact duration depends on complexity, number of user roles and authentication methods. Banking platforms at ASVS Level 3 often need 8 to 10 days; lean public apps run 5 to 7 days.

Can you test against production or staging environments?

Both are possible. Tests against staging are safer for aggressive scenarios (race conditions, resource-intensive fuzzing campaigns). Tests against production deliver more realistic results but require coordination with maintenance windows and rate limiting.

Do you also test single-page applications and APIs?

Yes. We test React, Vue, Angular and Svelte SPA front-ends with particular focus on client-side security, JWT handling and state management. Backend APIs (REST, GraphQL, gRPC) are tested against the OWASP API Security Top 10 with explicit authorization testing per endpoint.

How do you handle MFA during authentication tests?

We typically need two test accounts per role with MFA disabled or with app passwords / test MFA tokens. Alternatively we can work with backup codes. The MFA implementation itself (TOTP, WebAuthn, SMS) is tested separately as part of authentication testing.

Do you deliver findings in CWE/CVSS format?

Yes. Every finding is documented with CVSS 3.1 base score, temporal score and CWE ID. On request we deliver findings in SARIF format for direct integration into DevSecOps pipelines (GitHub Code Scanning, GitLab Security Dashboard, Defect Dojo).

Can you offer continuous pentesting for agile teams?

Yes. Continuous web app security is available as a retainer model: monthly mini-audits for new features, quarterly comprehensive tests, immediate retests after critical releases. Integration with Jira, GitHub Issues and common DevSecOps platforms is standard.

You don't know what attackers see on your network. We do.

30 minutes. A CREST-certified offensive security expert shows you where your biggest risk lies. Free. No obligation. Just facts.

No sales pitch, just insights you can act on tomorrow

30-minute video call with a CREST-certified offensive security expert

Analysis based on your actual infrastructure, not a generic template

Book a free analysis

Three short questions. Then we show you where you are vulnerable.

100% free
Secure & confidential