This article is for those who have had to deal with security issues in their web resources and applications, but who do not have a clear idea of how security testing is performed in practice.
There can be many reasons why you want to run a security test, such as:
- Following a cyber attack or an attempted one;
- When a corporate network or web application has not been tested for security in a long time, or has never been tested at all;
- After adding new features to an existing product;
- After a significant change in the topology of the corporate network;
- When migrating an application from a test environment to a production environment;
- To satisfy the requirements of industry standards (PCI DSS, HIPAA).
In practice, deciding whether security testing is needed at all is simpler than that. The rule of thumb is: if you have “something” that stores or processes important data and is accessible from the Internet, then a security test is in order!
Important data here means any valuable information – personal user data, payment card data, company accounts, etc. Even if the web application does not store or process any important data, reputational damage is hard to recover from. For example, if the site is hacked and a competitor’s logo is placed on the main page instead of the company logo, the company will suffer.
So, once you understand why security testing matters, what do you do next? How do you decide what kind of security testing you need? It helps a great deal to have requirements for a system security audit, formulated by an external auditor, for example. In that case the list of test activities is easy to determine.
But what if there are no formal security requirements, yet the system still needs to be checked? Testing companies often receive requests like: “I have a website / network, I want to test its security!”
The specialists then have to clarify the details of the request, which can take several days. It is much easier to formulate a detailed request from the start, which saves valuable time. Below we explain how you can detail your security testing needs.
Usually, the type of security test required can be determined by several criteria:
- The purpose of the test;
- The information about the system that can be provided to the auditors;
- The entry point into the system (relevant only when testing local networks).
Penetration testing and vulnerability assessment
Based on the objectives, security testing is divided into two types: penetration testing and vulnerability assessment.
The goal of penetration testing is clear from the name itself. The testers’ task is to try to penetrate the internal infrastructure behind a web application, take control of internal servers, or gain access to important information. In doing so, the testers simulate the possible actions of real attackers. The individual defects found along the way, and the test methods themselves, are not the point; only the outcome matters.
The result of such a test is either that unauthorized access was obtained, or a statement that such access could not be obtained in the current state of the system. Penetration tests take less time than a security assessment and show how effective your protective measures are against external threats.
So, if the question you need answered is how great the risk of a real break-in by attackers is, penetration testing is your option.
A security assessment (vulnerability assessment), in turn, involves the most comprehensive and extensive verification of the system. Its primary purpose is not to gain access, but to identify configuration flaws and vulnerabilities that could potentially lead to unauthorized access or to the compromise of system users. All faults detected during the security assessment are classified according to their level of risk and the degree of impact on the security of the entire system. Exploitation of the vulnerabilities found is generally not carried out, or is carried out only by agreement between the parties.
Security assessments are time-consuming and are often performed only to meet the requirements of various industry standards.
Consider a small practical example that clearly demonstrates the difference between penetration testing and security assessment.
Suppose that during testing a flaw is discovered: the HttpOnly security flag is missing from the cookie that holds the user’s session identifier. Without this flag, the user’s cookie can be “stolen” by a cross-site scripting attack. In the context of a security assessment this is clearly a defect and must be described in the final report. In a penetration test, this fault will be taken into account only if it is actually exploited as part of the attack chain.
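To make the HttpOnly example concrete from the assessor’s side, here is an added Python example (not code from the article or its author) that parses captured Set-Cookie header values, flags a session cookie that lacks HttpOnly (together with the related Secure and SameSite attributes that an assessment report would normally list alongside it), and shows what a hardened session cookie header looks like. The sample headers, the cookie-name hints used to recognise session cookies, and the helper names are all constructed for this example.

```python
# Added example (not from the article): audit Set-Cookie headers for the
# HttpOnly flag discussed above, plus the related Secure and SameSite attributes.

from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Substrings that usually identify a session cookie. This is an assumption for
# the example; adjust it to the framework you are auditing.
SESSION_COOKIE_HINTS = ("session", "sess", "sid", "auth", "token")


@dataclass
class CookieAudit:
    name: str
    attributes: Dict[str, Optional[str]] = field(default_factory=dict)
    findings: List[str] = field(default_factory=list)

    @property
    def is_session_cookie(self) -> bool:
        lowered = self.name.lower()
        return any(hint in lowered for hint in SESSION_COOKIE_HINTS)


def parse_set_cookie(header: str) -> CookieAudit:
    """Parse one Set-Cookie header value into a cookie name and its attributes.
    Attribute names are case-insensitive (RFC 6265), so they are lower-cased;
    flag attributes such as HttpOnly are stored with a value of None."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    audit = CookieAudit(name=name)
    for part in parts[1:]:
        if not part:
            continue
        if "=" in part:
            key, value = part.split("=", 1)
            audit.attributes[key.strip().lower()] = value.strip()
        else:
            audit.attributes[part.lower()] = None
    return audit


def audit_set_cookie(header: str) -> CookieAudit:
    """Record findings for a session cookie missing HttpOnly (the defect from
    the article), Secure, or a restrictive SameSite. Non-session cookies are
    parsed but produce no findings."""
    audit = parse_set_cookie(header)
    if not audit.is_session_cookie:
        return audit
    if "httponly" not in audit.attributes:
        audit.findings.append("missing HttpOnly: cookie readable by script, XSS can steal the session")
    if "secure" not in audit.attributes:
        audit.findings.append("missing Secure: cookie may be sent over plain HTTP")
    samesite = audit.attributes.get("samesite")
    if samesite is None or samesite.lower() == "none":
        audit.findings.append("SameSite missing or None: cookie sent on cross-site requests")
    return audit


def build_session_cookie(name: str, value: str, max_age: int = 3600) -> str:
    """Hardened Set-Cookie value for a session identifier: the corrected form
    of the defective header in the article's example."""
    return f"{name}={value}; Path=/; Max-Age={max_age}; Secure; HttpOnly; SameSite=Lax"


# Constructed sample headers, as an assessor might capture from server responses.
SAMPLE_HEADERS = [
    "PHPSESSID=e1b2c3d4; Path=/",                                      # the defect from the text
    "theme=dark; Path=/; Max-Age=31536000",                            # not a session cookie
    "sessionid=abcd1234; Path=/; Secure; HttpOnly; SameSite=Strict",   # correctly flagged
]

if __name__ == "__main__":
    for h in SAMPLE_HEADERS:
        result = audit_set_cookie(h)
        status = "OK" if not result.findings else "FINDINGS"
        print(f"{result.name:12} {status}")
        for finding in result.findings:
            print(f"    - {finding}")
    print("hardened:", build_session_cookie("sessionid", "abcd1234"))
```

In a security assessment each finding produced here would go into the report with a risk rating; in a penetration test the same missing flag is only of interest once a cross-site scripting issue is actually found that would let the cookie be read.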
Article written by Boris Jacob, Senior Quality Assurance Analyst at Risk Alive Analytics