Learn how web application pen tests are conducted
CISSP, CISA, QSA, PA-QSA
What is a web application pen test?
A web application penetration test is an assessment of the security of the application's code and of the software and libraries on which the application runs. Pen testers are security analysts who look for vulnerabilities in a web app such as:
- Injection vulnerabilities
- Broken authentication
- Broken authorization
- Improper error handling
What’s the difference between an application pen test and a network penetration test?
Despite what you may think, there is a significant difference between these two types of penetration tests. Network penetration tests focus on the design, implementation, and maintenance of a network, and on the services hosted on it. A web application pen test focuses more on the apps and the security surrounding them, such as coding flaws and insecure use of software.
Why get an application pen test?
Your developers aren't perfect, and the applications you use likely have security vulnerabilities. A developer's job is to build an application that performs a function. Vulnerabilities can often be introduced into the application through poor coding practices, lack of authentication, etc.
Even if you are up to date on software patches and security, cybercriminals are constantly evolving their methods. Penetration testing can help ensure your web applications aren't vulnerable to attack and help you avoid compromise.
You should also remember that penetration tests are often required by mandates like PCI DSS and HIPAA.
Which applications should be tested?
Should you test every web application that your business uses? Probably not. What you do need to test is any application written by or specifically for your organization that transmits sensitive data.
Performing an application penetration test
There are four stages to manual penetration testing:
- Understand the application
- Identify issues
- Exploit issues
- Report findings
Understand the application
This is an overall view of the application's functionality. At this point the pen tester is familiarizing themselves with the application.
Identify issues
This is where the pen tester looks for vulnerabilities. Some questions they may ask themselves are:
- What does the request do?
- What shouldn’t the request do?
- How are errors handled?
- Is user input sanitized or validated?
Through these questions, the pen tester can find potential security vulnerabilities in the web application and its underlying software.
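The vulnerability classes listed at the top of the article (injection, broken authorization, improper error handling) map directly onto the questions above. The following added example, which is not code from the original article or from SecurityMetrics, shows a hypothetical order-listing handler in the form a pen tester looks for, beside a hardened version of the same handler. The `make_db`, `list_orders_vulnerable` and `list_orders_hardened` functions, the request dictionary shape and the sample orders are all constructed for illustration.

```python
import logging
import sqlite3

logging.basicConfig(level=logging.WARNING)
log = logging.getLogger("orders")


def make_db():
    """Constructed sample data: a tiny in-memory orders table, not a real system."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (id INTEGER PRIMARY KEY, owner TEXT, item TEXT)")
    conn.executemany(
        "INSERT INTO orders VALUES (?, ?, ?)",
        [(1, "alice", "laptop"), (2, "bob", "monitor"), (3, "o'brien", "keyboard")],
    )
    return conn


# Hypothetical request shape used by both handlers:
#   {"user": <authenticated username>, "owner": <owner value taken from the query string>}

def list_orders_vulnerable(conn, request):
    """The kind of handler a pen tester flags on all three of the questions above."""
    # Is user input sanitized or validated?  No: the owner value is pasted straight into SQL.
    # What shouldn't the request do?  It lets any caller list any other user's orders.
    sql = "SELECT id, item FROM orders WHERE owner = '" + request["owner"] + "'"
    try:
        return {"status": 200, "orders": conn.execute(sql).fetchall()}
    except sqlite3.Error as e:
        # How are errors handled?  Badly: the raw database error and the SQL text
        # go back to the client, revealing schema and query structure.
        return {"status": 500, "error": f"{e} in query: {sql}"}


def list_orders_hardened(conn, request):
    """Same function, with the issues remediated."""
    owner = request["owner"]
    # Validate input against the shape the application expects (an allow-list of
    # acceptable values, rather than trying to strip "bad" characters).
    if not isinstance(owner, str) or not (1 <= len(owner) <= 64):
        return {"status": 400, "error": "invalid owner"}
    # Authorization: a user may only list their own orders.
    if owner != request["user"]:
        return {"status": 403, "error": "forbidden"}
    try:
        # Parameterized query: the driver passes owner as data, never as SQL text,
        # so a legitimate name containing an apostrophe works and cannot alter the query.
        rows = conn.execute("SELECT id, item FROM orders WHERE owner = ?", (owner,)).fetchall()
        return {"status": 200, "orders": rows}
    except sqlite3.Error as e:
        # Detail goes to the server log for the operators; the client gets a generic message.
        log.error("orders query failed: %s", e)
        return {"status": 500, "error": "internal error"}


if __name__ == "__main__":
    db = make_db()
    # A legitimate customer named o'brien breaks the vulnerable handler and leaks the query.
    print(list_orders_vulnerable(db, {"user": "o'brien", "owner": "o'brien"}))
    print(list_orders_hardened(db, {"user": "o'brien", "owner": "o'brien"}))
    # bob asking for alice's orders: allowed by the vulnerable handler, refused by the hardened one.
    print(list_orders_vulnerable(db, {"user": "bob", "owner": "alice"}))
    print(list_orders_hardened(db, {"user": "bob", "owner": "alice"}))
```

Note that the vulnerable handler fails on an ordinary customer name with an apostrophe, which is exactly the kind of input a tester feeds to every parameter when asking "is user input sanitized or validated?"; the leaked query text in the 500 response is the "how are errors handled?" finding, and bob reading alice's orders is the broken-authorization finding. Each of the three would be written up separately in the report.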
Exploit issues
This is where the pen tester tries to see how serious the issues are. They determine the actual impact the issue may have on the web application's security. Essentially, they try to hack the web application through the issues they've identified.
Report findings
This is the final step, and it's where the pen tester sends a report of the findings. This is the only deliverable, and it's important that it's done right. Otherwise, acting on the findings after the test would be difficult.
Pen testers should document for each issue:
- What it is
- Where it is
- What is the impact
- How to remediate it
Evaluating pen test providers
There are many service providers that offer penetration tests, but not all are created equal. When choosing your provider, you'll want to keep a few things in mind. Here are some questions you should ask them before you sign on the dotted line:
- Do the penetration testers have experience relevant to your environment?
- Are they certified?
- Do they have client referrals?
- What experience do they have with your security standard?
- How long have they been pen testing? Look for a seasoned vet.
Remember, a penetration test can help you find potential security problems, and help you prevent your business from getting compromised. They are worth the cost.
George Mateaki (CISSP, CISA, QSA, PA-QSA) is a Security Analyst at SecurityMetrics with an extensive background in Information Security and 20+ years in IT.