About Services Track Record Technology Security Assessment Contact 日本語

ASH / Security Assessment Services

Security Assessment Services

Find the weak points in your web apps, servers and networks — before attackers do.
OSS tooling × financial-grade engineering experience, balancing cost and precision.

Download service guide (PDF, Japanese) Executive summary + technical detail (A4, 8 pages, Japanese)

Why Vulnerability Assessment, Now

Increasingly sophisticated attacks, regulatory pressure, and demands from business partners. For any public-facing web service, vulnerability assessment has shifted from "nice to have" to "too risky to skip".

Sophisticated, AI-driven Attacks

Automated scanners and AI-powered attack bots probe newly launched sites within hours. Vulnerabilities are no longer a question of "if" — only "when".

Regulations & Guidelines

Personal data protection law, PCI DSS, industry guidelines and financial regulations increasingly mandate assessments outright, across a growing range of domains.

Supply Chain Requirements

Parent companies and business partners increasingly require vulnerability assessment reports — often as a precondition for deals and contract renewals. ASH also offers optional support for completing partner security questionnaires based on the assessment results.

Assessment Services

Four types of assessment, offered individually or in combination, depending on your target and the depth required.

Web Application Assessment

DAST (dynamic analysis) with OWASP ZAP, comprehensively detecting OWASP Top 10-class vulnerabilities: SQL injection, XSS, broken authentication and session management, and access control flaws. Supports form input, multi-step flows and authenticated areas.

OWASP ZAP DAST OWASP Top 10 Authenticated scanning

Platform / Network Assessment

Using OpenVAS / Nessus to detect known vulnerabilities (CVEs), misconfigurations, unnecessary open ports and missing patches across OS, middleware, servers and network equipment. In-depth assessments, including authenticated scans, of dedicated servers, on-premises systems and VPC resources.

OpenVAS Nessus CVE Patch management
ASH's Strength

White-box Assessment (Source Provided)

We receive your source code and review it from the inside, reaching server-side logic invisible from outside — authorization checks, database operations, file I/O, hardcoded secrets and mail-sending routines. Combines SAST tooling such as Semgrep with manual code review by experienced engineers.

SAST Semgrep Manual code review Authorization flaws

Hybrid Assessment

Combines black-box (ZAP) and white-box (SAST + manual review) approaches, compressing overlapping work while evaluating your system comprehensively from both outside and inside. Best suited to critical systems, financial services and systems handling personal data.

Black-box + white-box Comprehensive Financial & core systems

Assessment Track Record

From corporate websites to mission-critical financial trading systems, we have performed assessments and remediation proposals across multiple production environments.

Corporate Website Assessment

Black-box assessment of public websites with OWASP ZAP / OpenVAS. One-stop coverage from scope design — accounting for forms, authentication and shared-hosting constraints — through to remediation proposals.

Online Trading System Assessment

Vulnerability assessment of financial-grade online trading systems (equities and derivatives). Non-disruptive assessment under high-availability, low-latency constraints, comprehensive staging-environment testing, and final pre-release checks.

White-box Assessment

For custom-built web applications and APIs, we received source code and combined SAST tooling such as Semgrep with manual code review — verifying server-side form handling, authorization control and the treatment of sensitive data from the inside.

Primary Tools

OWASP ZAP

The OWASP Foundation's official web application assessment tool (DAST). Supports Active Scan, Passive Scan and Ajax Spider for comprehensive dynamic analysis, including authenticated areas.

OpenVAS / Greenbone

Open-source platform vulnerability scanner. Built on the CVE database, it detects known OS and middleware vulnerabilities, misconfigurations and open ports.

Nessus

The de facto standard commercial platform vulnerability scanner. Enterprise-grade detection with support for authenticated scanning and compliance auditing (CIS, DISA STIG and more).

Semgrep and other SAST

Static analysis tooling used in white-box assessments. Runs security rulesets for major languages including PHP, TypeScript and Python to detect dangerous implementation patterns.

The White-box Option

While most assessment vendors offer only black-box (external) testing, ASH also performs white-box assessments — receiving your source code and reviewing it from the inside. Because we build production systems ourselves, we can deliver high-confidence findings that go straight to the code.

  • Direct inspection of server-side form and API handling (input validation, CSRF, authorization checks)
  • Detection of hardcoded secrets and dangerous function usage invisible from outside
  • Triage of SAST results (false-positive elimination) combined with manual code review by experienced engineers
  • Developer-ready reports including remediation examples with code excerpts

How an Assessment Proceeds

From the initial interview to report delivery and re-assessment, we work through five steps.

  1. 01

    Interview & Scope Definition

    We clarify your objectives (regulatory compliance, partner requirements, pre-release verification) and the target scope (URLs, IPs, source code). Pinning down scope up front sharpens the estimate and avoids wasted effort.

  2. 02

    Environment Setup & Authorization

    Staging environment preparation, temporary WAF / IDS adjustments, scanning authorization requests to hosting providers (shared hosting, AWS and others), and NDA execution. We work alongside you on all pre-checks needed to avoid production impact.

  3. 03

    Assessment Execution

    We run automated scans with the selected tools (OWASP ZAP / OpenVAS / Nessus / SAST), and experienced engineers triage every finding — adding manual verification and manual code review where warranted. If a critical-level vulnerability is found, we alert you the same day with interim mitigation guidance, without waiting for the final report.

  4. 04

    Report Delivery & Debrief

    We deliver a report with risk ratings (CVSS-based) and concrete remediation guidance, including example fixes. An online debrief with your implementation team is also available for direct discussion.

  5. 05

    Re-assessment (One Round Included)

    After remediation, we verify that the fixes are effective — one post-fix re-assessment is included in the standard fee, so the deliverable is a fixed system, not just a report. We also offer recurring assessments built into your release cycle.

Deliverable: The Assessment Report

Not "detect and done" — one report covering both an executive-ready summary and remediation guidance developers can act on immediately. An anonymized sample report is available on request, so you can evaluate the report quality before ordering.

ChapterContentPrimary readers
1. Executive summaryOverall risk rating, critical findings and prioritized recommendations, condensed into 1–2 pagesExecutives & management
2. Assessment overviewScope, methodology and tools used, schedule, constraintsManagement & staff
3. FindingsPer-vulnerability risk level (CVSS-based), impact and reproduction stepsStaff
4. Remediation proposalsConcrete fixes for each vulnerability; white-box assessments cite the affected code lines with example fixesDevelopers
5. AppendixRaw scan data and references (links to CVE / CWE entries)Developers

Risk Rating Criteria (CVSS-based)

LevelDefinitionResponse guideline
CriticalEasily exploitable from outside, leading directly to data breach, tampering or system outageImmediate action (including interim mitigation)
HighExploitation requires specific conditions but has severe impact if successfulFix within 1–2 weeks
MediumLimited direct impact on its own, but exploitable in combination with other vulnerabilitiesFix in the next release
LowLow likelihood of direct harm, but remediation is recommended for hardeningAddress as planned work
InfoNot a vulnerability, but configuration details and recommended settings worth knowingUse as reference

* Same-day critical alerts: if a critical-level vulnerability is detected during the assessment, we notify you the same day with interim mitigation guidance — without waiting for the final report.

Recommended Operating Model: Recurring Tool-based Scans + Targeted Manual Assessment

Recurring tool-based scans (baseline)

Quarterly-to-monthly automated scans with OWASP ZAP / OpenVAS, continuously monitoring risk from new CVEs and configuration changes. Low-cost and repeatable.

Manual assessment (key moments)

Before major releases, when critical features ship, and as an annual checkup — manual assessment and code review by experienced engineers, catching logic flaws that tools miss.

* We also advise on building scans into your release cycle (automated scanning in CI/CD = DevSecOps).

Indicative Pricing

Pricing varies with target size, assessment depth and reporting requirements. The figures below are market-based approximations (excl. tax); a formal quote follows the initial interview.

Assessment type Indicative price Notes
Web application (small) JPY 200,000–500,000 (approx., excl. tax) WordPress-class sites with few forms
Web application (medium) JPY 400,000–800,000 (approx., excl. tax) ~100 screens, multiple form flows
Platform assessment JPY 50,000–200,000 per IP (approx., excl. tax) OpenVAS / Nessus; suited to dedicated servers
White-box assessment JPY 500,000–1,500,000 (approx., excl. tax) Depends on custom code volume (SAST + manual)
Hybrid (black-box + white-box) JPY 800,000–2,000,000 (approx., excl. tax) For critical and financial systems
Re-assessment (post-fix verification) One round included Verification focused on remediated items (3–5 business days); subsequent rounds at 20–30% of the initial fee
Security questionnaire support JPY 50,000–150,000 (approx., excl. tax) Help completing partner / parent-company security questionnaires (offered alongside an assessment)

* License costs are effectively zero, since we center on OSS tooling (OWASP ZAP / OpenVAS / Semgrep) — most of the cost is engineering time. Where the commercial Nessus scanner is used, license fees are quoted separately.

Advantages for FDE Retainer Clients

Companies with an ASH retainer — where we already support development and operations as your FDE (Forward Deployed Engineer) — can run vulnerability assessments on far better terms than engaging an external vendor from scratch.

1. Near-zero discovery overhead

Your FDE already knows the architecture, the code and the operations. The scoping and environment-survey effort that external assessments require (1–2 person-days) all but disappears, cutting both cost and lead time.

2. Detect → fix → re-assess in one loop

The usual cycle — assessment vendor's report, fix request to the development vendor, re-assessment scheduling — involves three-party coordination. With an FDE, the person who found the issue fixes it and re-scans immediately, shrinking time-to-resolution by a large factor.

3. Prioritization grounded in business context

Knowing which features touch revenue, personal data and core operations, we provide risk ratings and a response order that reflect your actual business — not just mechanical CVSS scores.

4. Sensitive information stays inside

No new NDA, no shipping source code to another company. System internals and vulnerability findings stay within your existing retainer, without widening the circle of disclosure.

ItemNew engagement with an external vendorPerformed by your FDE (ASH retainer)
Pre-assessment interviews & environment survey1–2 person-days (billed separately)Largely unnecessary (system already known)
Contract & NDANew agreements requiredCovered by the existing retainer
Post-detection fixesSeparate request and coordination with the development vendorThe FDE fixes it directly (immediate start)
Re-assessmentSeparate quote and schedulingRe-scanned immediately after the fix
CostFull market rate (full effort)Below market thanks to reduced preparation and coordination; small scopes may fit within retainer hours
Recurring assessmentContracted each timeBuilt into the release cycle and run continuously as DevSecOps

* Where partners or auditors explicitly require an independent third-party assessment, we recommend pairing an external vendor assessment for your in-house-developed components — with the FDE acting as liaison, which still compresses coordination cost.

For Your Team: Pre-assessment Checklist

Preparing the items below improves estimate accuracy, smooths the assessment and keeps cost down. You don't need everything — we'll sort out open questions together in the interview.

A. Target Inventory (drives estimate accuracy)

  • List of target URLs and domains — production vs. staging, including subdomains
  • Screen and form inventory — input forms are a focus of testing; note any multi-step flows
  • Server and IP address list — note cloud, dedicated server or shared hosting
  • API endpoint list — an API spec (OpenAPI etc.) greatly improves assessment efficiency

B. Environment & Permissions (assessment prerequisites)

  • Availability of a staging environment — if none, we schedule scans for low-traffic windows
  • Hosting provider's scanning policy — shared hosting may require advance application; we help with the paperwork
  • WAF / IDS / IPS presence and administrator — scanning-source IPs may need allowlisting
  • Test accounts — one standard plus one admin account also enables privilege-escalation testing

C. For White-box Assessments

  • Source code access — e.g. read access to the Git repository; the NDA is signed beforehand
  • Identify custom-developed components — focusing on your own code keeps cost down
  • Architecture diagrams, DB schema, environment details — a dependency list speeds up analysis

D. Internal Coordination

  • Designate a single point of contact — one person for technical questions and urgent escalation
  • Notify stakeholders in advance — share the assessment window with operations and monitoring teams
  • Confirm recent backups — verify backup status as a precaution
  • Line up remediation capacity (recommended) — we can also assist with fixes

Service Guide PDF (this page's content + an executive summary, Japanese)

An A4, 8-page document ready for internal circulation and approval workflows. Page one alone gives executives enough to assess the proposal.

Download service guide (PDF, Japanese)

Contact

Tell us about your target systems, the assessment type you have in mind and your preferred timing — we'll organize the scope and provide a quote. The inquiry form is in Japanese, but inquiries in English are welcome — we respond in English.

Company
ASH Inc.
Location
Kita-ku, Osaka, Japan
URL
www.ash.osaka