This article is for those who have had to deal with the security problems of their resources and web applications, but do not have a clear idea of how this testing is carried out in practice.
There can be many reasons you want to execute a security testing, such as:
- Following a cyber-attack or its attempt;
- In the presence of a corporate network or web application, security testing of which has been carried out for a long time or has not been carried out at all;
- After adding new functionality to an existing product;
- With a significant change in the topology of the corporate network;
- When migrating an application from a test environment to a production environment;
- Subject to the requirements of industry standards (PCI DSS, HIPAA).
It is much easier, however, to determine whether security testing is necessary at all. In general terms, the rule is this: if you have “something” that stores or processes important data and is accessible from the Internet, then a security test is necessary!
Important data here refers to any information of value – personal data of users, payment card data, company accounts, etc. Even if the web application does not store or process any important data, reputation losses cannot be written off. For instance, if the site is hacked and instead of the company’s logo on the main page, a competitor’s logo is placed, this will have a negative impact on the business.
So, once you are aware of the importance of security testing, what do you do next? How do you determine what kind of security tests you need? It is helpful to have requirements for a system security audit formulated by an external auditor, for instance. In that case, it is quite easy to determine the list of testing activities.
But what if there are no formal security requirements, yet there is still a need to check the system? People often come to testing companies with the following request: “I have a website/network, I want to test security!”
The specialists then need to clarify the details of the request, which sometimes takes several days. It is much easier to formulate a detailed request from the start, saving valuable time for both sides. Below, we’ll talk about how you can spell out your security testing needs.
Usually, the required type of security test can be determined by several criteria:
- The purpose of testing;
- Data about the system that can be provided to auditors;
- The point of entry into the system (relevant only for testing local networks).
Penetration Testing & Vulnerability Assessment
Based on the goals, security testing is divided into two types: Penetration Testing and Vulnerability Assessment.
The purpose of penetration testing is clear from the name itself. Here the testers’ task is to try to penetrate the internal infrastructure of a web application, gain control over internal servers, or gain access to important information. In doing so, testers simulate the possible actions of real attackers. The individual defects found along the way, and the testing methods used, are not the point in themselves; what matters is the outcome.
The result of such a test is either unauthorized access being obtained, or a statement that such access could not be obtained in the current state of the system. Penetration testing is less time-consuming than a security assessment, and it can reveal how effective your measures are in protecting against external threats.
Thus, if the main thing is to find out whether the danger of real hacking by attackers is great, then penetration testing is your option.
A security assessment, in turn, means the most complete and extensive check of the system. Its main purpose is not to gain access, but to identify configuration flaws and vulnerabilities that could potentially lead to unauthorized access or to the compromise of system users. All defects found during the security assessment are ranked by their risk level and the degree of their impact on the security of the system as a whole. The found vulnerabilities are usually not exploited, or are exploited only by agreement between the parties.
Security assessments are time-consuming and are often carried out only to satisfy the requirements of various industry standards.
Let’s consider a small practical example that clearly demonstrates the difference between penetration testing and security assessment.
Let’s assume that during testing a defect was discovered: the HttpOnly flag is missing from the cookie that holds the user’s session identifier. Without this flag, the user’s cookie can be “stolen” by means of a cross-site scripting attack. In the context of a security assessment, this is clearly a defect and should be described in the final report. In penetration testing, this defect will be taken into account only if, in combination with other findings, it actually helps the testers gain unauthorized access.
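As an added example (not code from the original article), the following Python check reviews Set-Cookie headers for the HttpOnly flag discussed above and separates what a security assessment would report from what a penetration tester would treat as relevant to gaining access; the sample headers and the session-cookie name hints are constructed assumptions.

```python
from http.cookies import SimpleCookie  # stdlib Set-Cookie parser

# Constructed Set-Cookie headers standing in for a captured login response
# (sample data, not taken from any real system).
SAMPLE_SET_COOKIE_HEADERS = [
    "JSESSIONID=abc123; Path=/; Secure",                         # session id, no HttpOnly
    "auth_token=t0k3n; Path=/; Secure; HttpOnly; SameSite=Lax",  # session id, all flags set
    "prefs=dark; Path=/",                                        # harmless preference cookie
]

# Substrings that mark a cookie as a session identifier (assumption for this demo).
SESSION_NAME_HINTS = ("sess", "sid", "auth", "token")


def looks_like_session_cookie(name: str) -> bool:
    lower = name.lower()
    return any(hint in lower for hint in SESSION_NAME_HINTS)


def audit_set_cookie(header_value: str) -> dict:
    """Parse one Set-Cookie header and list the protective flags it lacks."""
    jar = SimpleCookie()
    jar.load(header_value)
    name, morsel = next(iter(jar.items()))  # one header defines one cookie
    missing = []
    if not morsel["httponly"]:
        missing.append("HttpOnly")  # readable by page script, so XSS can read it
    if not morsel["secure"]:
        missing.append("Secure")    # may be sent over plaintext HTTP
    if not morsel["samesite"]:
        missing.append("SameSite")  # attached to cross-site requests
    return {"name": name, "session": looks_like_session_cookie(name), "missing": missing}


def classify(headers) -> dict:
    """Split findings the way the two test types treat them.

    A security assessment reports every cookie lacking a flag; a penetration
    test only cares about the subset that could help take over a session,
    i.e. a session cookie that script can read.
    """
    audits = [audit_set_cookie(h) for h in headers]
    assessment = [a["name"] for a in audits if a["missing"]]
    pentest_relevant = [a["name"] for a in audits
                        if a["session"] and "HttpOnly" in a["missing"]]
    return {"assessment": assessment, "pentest_relevant": pentest_relevant}


if __name__ == "__main__":
    print(classify(SAMPLE_SET_COOKIE_HEADERS))
```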
Article written by Boris Jacob, Senior Quality Assurance Analyst at Risk Alive Analytics