Web Application Testing

Many people don't realise that certain types of attack on a badly coded web application can result in the total compromise of the web application, the host it is installed on and all data in associated databases. Some attacks only target clients connecting to your site and some lead to defacement or a breach of data causing embarrassment for the company and potential fines from banks or acquirers if you are taking payments from customers.

Many SMEs are not aware that they will be held directly responsible if their site is breached and it is proven that customer credit card data was compromised. That can lead to devastating fines and the possible collapse of the company.

If you have a web site, a web application or an e-commerce site on the Internet which has a login for users to access different functionality, or from which you take payment, then it is advisable that the site is fully tested from a credentialed perspective. We test all the functionality of the site from a minimum of 3 different accounts: 1 with higher privileges (such as an admin account) and 2 with the same privileges (to replicate 2 different customer accounts). We then log into the site with each of these accounts and test to ensure that neither horizontal privilege escalation (one customer reaching another customer's data) nor vertical privilege escalation (a customer reaching admin functionality) is possible, and perform a full review of site functionality looking for vulnerabilities. At a minimum we test for the OWASP Top 10 Vulnerabilities.
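The three-account check described above can be expressed as a small authorisation matrix test. The following is an added illustration, not the vendor's tooling; the site paths, the accounts and the two request handlers (one with a typical ownership-check defect, one with role and ownership enforced) are constructed for this example.

```python
# Added example (not the vendor's tooling): a three-account authorisation
# matrix check of the kind described above. Site, accounts and handlers
# are constructed for illustration.

ROLE = {"admin": "admin", "customer_a": "customer", "customer_b": "customer"}
ORDERS = {"/orders/1001": "customer_a", "/orders/1002": "customer_b"}

# The tester's model of who should reach what (the 'expected' matrix).
EXPECTED = {
    "admin":      {"/orders/1001", "/orders/1002", "/admin/users"},
    "customer_a": {"/orders/1001"},
    "customer_b": {"/orders/1002"},
}

def flawed_handler(user: str, path: str) -> int:
    """Simulated app with a common defect: any logged-in session can
    reach any order, and the admin page only checks for a login."""
    if user not in ROLE:
        return 401
    if path in ORDERS or path == "/admin/users":
        return 200
    return 404

def fixed_handler(user: str, path: str) -> int:
    """Same app with role and ownership enforced on every request."""
    if user not in ROLE:
        return 401
    if path == "/admin/users":
        return 200 if ROLE[user] == "admin" else 403
    if path in ORDERS:
        return 200 if ROLE[user] == "admin" or ORDERS[path] == user else 403
    return 404

def privilege_matrix(handler) -> list:
    """Log in as each account, request every known path, and report each
    200 that the expected matrix forbids as horizontal (same-role) or
    vertical (customer reaching admin functionality) escalation."""
    findings = []
    for user in ROLE:
        for path in sorted(set(ORDERS) | {"/admin/users"}):
            if handler(user, path) == 200 and path not in EXPECTED[user]:
                kind = "vertical" if path.startswith("/admin/") else "horizontal"
                findings.append((kind, user, path))
    return findings

if __name__ == "__main__":
    print("flawed:", privilege_matrix(flawed_handler))
    print("fixed: ", privilege_matrix(fixed_handler))
```

Against a real site the handler would be replaced by an HTTP client holding each account's session cookie, and the path list by the URLs and object ids harvested while browsing as each user.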