
Page 1 (source: docs.media.bitpipe.com/io_10x/io_102145/item_463859...)

E-Guide

Best practices for pen testing Web applications

While pen testing can be a useful tool for gauging a Web application's ability to withstand an attack, if performed incorrectly, it is of little value or even worse, can create a false sense of security. This expert E-Guide examines what a Web application test is and best practices to getting the most out of them. Uncover guidelines to ensure your pen test is a success and key recommendations on how you can avoid common pitfalls.

Sponsored By:


SearchSecurity.com E-Guide, Page 2 of 6

E-Guide

Best practices for pen testing Web applications

Table of Contents

Best practices for pen testing Web applications

Resources from Cenzic


Best practices for pen testing Web applications

By Michael Cobb

Pen testing can be a useful tool for gauging a Web application's ability to withstand an attack. However, if performed incorrectly, it is of little value and even worse, can create a false sense of security. In this tip, we'll examine what a Web application pen test is, provide strategies for getting the most out of them and most importantly, provide proper procedures to avoid this scenario.

Web application pen testing involves testing a running application remotely, without knowing the inner workings of the application itself, in order to find possible vulnerabilities. To avoid an inefficient scattergun approach, the best way to perform one is to carry out a series of methodical and repeatable tests, and to work through all of the different classes of application vulnerability. However, because pen testing is not an exact science, it is best to troubleshoot any existing concerns within a testing framework. Below are three steps you can take to ensure your pen test is a success:

1. Gather as much information as possible about the application and the infrastructure it resides on.

2. Perform an infrastructure-level pen test to check how the infrastructure is deployed and secured. If the application server can be exploited, it can give you more leverage in exploiting the Web application.

3. When testing the application, look for any entry points where user input is accepted and dynamic content is generated. Then, probe these areas for weaknesses in input validation, session manipulation, authentication and information leakage. If any internal information is leaked, it should be recorded and used to re-assess your overall understanding of the application and how it works.

If at any point you uncover a serious vulnerability that could lead to an application or system compromise, inform the system administrator or relevant contact about the risks. Once the tests are complete, record the results, report which vulnerabilities were tested and provide risk assessments for any vulnerabilities found.
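As an added illustration of step 3 and of the closing advice to record what was tested and rate what was found (example code written for this page, not from the E-Guide, its author or Cenzic), the following Python script models a methodical, repeatable test pass in miniature. Two hypothetical request handlers stand in for a running application's entry points: one echoes user input into dynamic HTML unescaped and leaks internal error detail, the other validates and escapes the same input. A fixed list of constructed probe cases is run against each, and every outcome is recorded with the vulnerability class tested and a risk rating, so the report shows both coverage and findings. The handlers, probes, risk levels and the leaked path are all constructed for the example.

```python
"""Added example: a small offline model of a repeatable web-app test pass.

The two handlers below are hypothetical stand-ins for a real application's
entry points; the probes and risk ratings are constructed for illustration.
"""
import html
import re
from dataclasses import dataclass


@dataclass
class Finding:
    entry_point: str
    category: str    # vulnerability class tested, e.g. "input validation"
    probe: dict      # the constructed request parameters that were sent
    vulnerable: bool
    risk: str        # "none", "low", "medium" or "high"


def weak_handler(params):
    """Hypothetical entry point with no input validation and a leaky error path."""
    name = params.get("name", "")
    try:
        count = int(params.get("count", "1"))
    except ValueError as exc:
        # Returns the exception text and a (constructed) server-side path to
        # the client: internal information leakage.
        return 500, "<pre>ValueError: %s in /srv/app/views.py</pre>" % exc
    # User input is placed into dynamic HTML without escaping.
    return 200, "<p>Hello %s, you have %d items</p>" % (name, count)


NAME_RE = re.compile(r"[A-Za-z][A-Za-z .'-]{0,39}")


def hardened_handler(params):
    """Same entry point with allow-list validation, bounds checks and escaping."""
    name = params.get("name", "")
    if not NAME_RE.fullmatch(name):
        return 400, "<p>Invalid name</p>"
    count_raw = params.get("count", "1")
    if not count_raw.isdigit() or not 1 <= int(count_raw) <= 1000:
        return 400, "<p>Invalid count</p>"
    return 200, "<p>Hello %s, you have %d items</p>" % (html.escape(name), int(count_raw))


# Constructed probe cases: (category, request parameters, detector, risk if detected).
# Each detector inspects the response and returns True when the weakness is present.
LEAK_RE = re.compile(r"(Error|Exception|Traceback|/[a-z]+/[a-z]+/)")
PROBES = [
    ("input validation", {"name": "<b>x</b>"},
     lambda status, body: "<b>x</b>" in body, "high"),
    ("input validation", {"name": "Alice", "count": "-5"},
     lambda status, body: status == 200 and "-5" in body, "medium"),
    ("information leakage", {"name": "Alice", "count": "abc"},
     lambda status, body: status == 500 and LEAK_RE.search(body) is not None, "medium"),
]


def run_tests(entry_points):
    """Run every probe against every entry point; return one Finding per pair."""
    findings = []
    for ep_name, handler in entry_points.items():
        for category, params, detect, risk in PROBES:
            status, body = handler(params)
            hit = bool(detect(status, body))
            findings.append(Finding(ep_name, category, params, hit, risk if hit else "none"))
    return findings


RISK_ORDER = {"none": 0, "low": 1, "medium": 2, "high": 3}


def summarize(findings):
    """Per entry point: which classes were tested, how many probes hit, highest risk."""
    report = {}
    for f in findings:
        entry = report.setdefault(f.entry_point,
                                  {"tested": set(), "hits": 0, "highest_risk": "none"})
        entry["tested"].add(f.category)
        entry["hits"] += int(f.vulnerable)
        if RISK_ORDER[f.risk] > RISK_ORDER[entry["highest_risk"]]:
            entry["highest_risk"] = f.risk
    return report


if __name__ == "__main__":
    results = summarize(run_tests({"weak": weak_handler, "hardened": hardened_handler}))
    for ep_name, entry in results.items():
        print(ep_name, sorted(entry["tested"]), entry["hits"], entry["highest_risk"])
```

The point of the fixed probe list is repeatability: the same cases run against every entry point and against every build, so a report can honestly state which classes were tested even where nothing was found, and a regression after a code change shows up as a changed finding rather than as a gap in someone's memory.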


To help you plan your pen test, you can use the checklist of Web application vulnerabilities in the Open Source Security Testing Methodology Manual (OSSTMM) from the Open Web Application Security Project (OWASP), which you can download at http://www.owasp.org/documentation/testing.html. The OWASP is currently developing a framework for testing the security of Web applications, and will provide technical details on how to use source code inspection and pen testing to look for specific issues.

You can also use tools that automate the process, but it's important to note that because Web applications are usually custom-made, these tools can be ineffective. Fortunately, the latest products are more advanced. Early automated scanners pointed out long lists of vulnerabilities, but did little to assist in fixing them. New products, such as SPI Dynamics' SPI ToolKit, provide more comprehensive reports and information on how to avoid the latest threats.

Some companies choose to use consultants to perform pen tests. If you prefer this route, review their service-level agreement. For example, those who use the OSSTMM must abide by various rules and guidelines of acceptable practices, such as how testing is carried out, and how the results are handled. In addition, because pen testing depends on the skill of the tester, I recommend hiring a Certified Penetration Testing Professional (CPTP).

As a final option, you can also pen test an application after it is deployed. However, while post-deployment tests provide a final assessment of the code's ability to withstand an attack, because they occur late in the software development life cycle, they should not be your only security testing technique, as a successful test doesn't necessarily mean your application is secure. To improve the security of your applications, you must improve the quality of the software development processes. This means testing the security at the definition, design, development, deployment and maintenance stages, and not relying on the costly strategy of waiting until the application is completed.


Resources from Cenzic

The ABCs of Web Security: Making SMB Sites Safe for Customers

Good Enough Website Security Easy Steps to Get You Started

Free Website HealthCheck

About Cenzic

Cenzic provides software, managed service, and cloud security products that help organizations secure their websites against hacker attacks. Cenzic focuses on Web application security, automating the process of identifying security defects at the Web application level where more than 75% of attacks occur; helping customers in remediating those defects, managing risk and attaining compliance with regulations such as PCI.