BDDK sızma testi nedir?

BDDK sızma testi, Bankacılık Düzenleme ve Denetleme Kurumu'nun bankalara ve finansal kuruluşlara yönelik zorunlu kıldığı periyodik güvenlik denetimidir. Bu testler, bankacılık sistemlerinin siber saldırılara karşı direncini ölçer ve regülasyon uyumunu belgeler.

EPDK sızma testi ne sıklıkla yapılır?

EPDK düzenlemelerine göre enerji sektöründeki kritik altyapı işletmecileri yılda en az bir kez sızma testi yaptırmakla yükümlüdür. OT/SCADA sistemlerini kapsayan testler özel metodoloji gerektirir.

SPK sızma testi kim için zorunludur?

SPK düzenlemeleri kapsamında aracı kurumlar, portföy yönetim şirketleri ve diğer sermaye piyasası kuruluşları düzenli sızma testi yaptırmakla yükümlüdür.

TSE 13638 sertifikalı firma olmanın avantajı nedir?

TSE 13638 standardı, sızma testi hizmeti sunan firmaların akredite edilmesi için Türkiye'de uygulanan ulusal standarttır. TSE 13638 sertifikalı firmalarla çalışmak, yasal yükümlülüklerin karşılanmasını ve denetim süreçlerinde belgesel güvence elde edilmesini sağlar.

Sızma testi fiyatı nasıl belirlenir?

Sızma testi fiyatı; testin kapsamına, hedef sistem sayısına, test süresine, regülasyon gereksinimlerine (BDDK, EPDK, SPK, TSE, PCI-DSS) ve raporlama derinliğine göre değişir. Netlore Security ücretsiz ön görüşme ile kurumunuza özel fiyatlandırma sunar.

Services / Offensive Security / Web Application Penetration Testing

Service · Web Application Security

We pentest your web applications end to end.

From authentication and session management to injection, business-logic and authorization flaws — we test every layer of your application from a real attacker's perspective, following the OWASP Top 10 methodology.

OWASP Top 10REST / GraphQL APISPASSO / OAuthWAF Bypass

Web App ScanDAST

Findings

Critical

High

OWASP categories

Tested Surfaces

Authentication / SessionReview

Injection (SQLi / XSS)Vulnerable

Access Control / IDORVulnerable

Business LogicReview

Crypto / TLSPass

01 — Overview

What is Web Application Penetration Testing?

Web application penetration testing is a comprehensive security assessment conducted to identify security vulnerabilities in your web-based applications. This test evaluates the security posture of your application using methodologies employed by real attackers.

During the testing process, critical security topics such as authentication, authorization, data validation, session management, injection vulnerabilities, and business logic flaws are examined in detail. Tests conducted in accordance with OWASP Top 10 standards provide concrete recommendations for securing your application.

02 — Test Scope

Test Scope

Authentication and Session Management

Security of authentication mechanisms
Session management and token security
Password policies and encryption
Multi-factor authentication (MFA) controls

Injection Attacks

SQL Injection testing
Cross-Site Scripting (XSS) analysis
Command Injection controls
LDAP and XML Injection testing

Data Security

Sensitive data transmission security
Data storage and encryption control
API security testing
Data leakage analysis

Business Logic and Authorization

Access control mechanisms
Business workflow security controls
Privilege escalation testing
Rate limiting and DoS protection

03 — Methodology

Testing Methodology

Reconnaissance and Information Gathering

Identification of application architecture, technologies and potential attack surfaces

Vulnerability Analysis

Detection of security vulnerabilities through automated and manual testing

Exploitation

Validation of identified vulnerabilities with real-world scenarios

Post-Exploitation

Assessment of potential impacts of successful attacks

Reporting and Recommendations

Detailed findings, risk scores and remediation recommendations

04 — Deliverables

Deliverables

Executive summary report (for C-level)

Detailed technical findings report

CVSS scored vulnerability list

Proof-of-Concept (PoC) codes

Remediation recommendations and guidance

05 — Metrics & Tools

Web Security Statistics

We ensure the security of your web applications with our comprehensive testing

98%

Vulnerability Detection Rate

Detection of critical security vulnerabilities

OWASP 10

OWASP Compliance

Coverage of Top 10 security risks

2-4 weeks

Testing Duration

Average project completion time

85%

Security Improvement

Security increase after retest

Tools and Methodologies We Use

Enterprise Tools

Professional web security tools

Burp Suite Professional
OWASP ZAP
Acunetix

Custom Scripts

Custom developed tools

Custom fuzzing scripts
Automated exploitation tools
API testing frameworks

Manual Testing

Expert security analyst review

Business logic analysis
Authentication bypass techniques
Advanced XSS and injection

06 — Automated vs Manual

Automated vs Manual Testing Comparison

	Automated Scanning	Manual Penetration Testing
Detected Vulnerability Type	Known technical vulnerabilities	Business logic + technical vulnerabilities
False Positive Filtering
OWASP Top 10 Coverage
Complex Attack Chain
Average Cost	Low	Medium-High

07 — Frequently Asked Questions

Frequently Asked Questions

How long does web penetration testing take?

It takes 2-4 weeks for an average web application. This duration may vary depending on the complexity, number of pages and functionality of the application.

Will my systems be affected during testing?

Tests are usually not performed in production environment. They are carried out in staging/test environment. In production tests, non-intrusive methods are used and system stability is maintained.

Which standards are followed for testing?

Testing is conducted in accordance with OWASP Top 10, OWASP ASVS, PTES (Penetration Testing Execution Standard) and NIST standards.

What kind of reports will I receive after testing?

Comprehensive reports including executive summary (for C-level), detailed technical report (for dev team), CVSS scored vulnerability list and remediation recommendations are delivered.

Do you offer retest service?

Yes, we offer retesting service for findings after remediation. This usually takes 1-2 days and is included in or offered at a discount to the initial testing fee.

Are API tests included?

Yes, security testing of all API types including REST API, GraphQL, SOAP for modern web applications is included in our scope.

Service · Web Application Security

Test Your Web Application Security

Detect and resolve security vulnerabilities in your application with comprehensive penetration testing compliant with OWASP Top 10.

Offensive Services

Defensive Services

Training & Consultancy

Security & Compliance

Intelligence & Consulting

Products

Critical Infrastructure

Commercial Sectors