It is generally accepted within the information security world that penetration testing is a good way to provide assurance as to the security of applications or infrastructure. With numerous companies offering these testing services, how do you differentiate between them and evaluate which company uses the best approach for your organisation?
At Dionach we perform a large number of penetration tests on an annual basis. A reasonable proportion of our tests are focused on web-facing applications. These range from simple, brochure-type sites to complex interactive applications with multiple servers and data sources.
So how do we differentiate between a static web application and an interactive web application, and more importantly, how do we determine what level of testing should be recommended to a client? In the first instance, we need to understand what the application does, what type of information it contains or relies on and, arguably the most important point, what risk it poses to the organisation. Only when we understand what an acceptable level of risk is can we determine what level of testing is appropriate.
Dionach relies on its scoping process to provide valuable information as to what the test should focus on from the client's perspective. It is no longer sufficient to assume that every application or new piece of infrastructure should be tested from a black-box perspective alone. The same is true of simply running a vulnerability assessment against all web applications.
In determining the risk associated with an application, the following should be considered:
- Why is the application there?
- What is its primary function?
- What information does it rely on?
- How does it obtain that information?
- How does the application interact with the corporate infrastructure?
- What are the client's objectives in conducting the testing?
- What risks does the client perceive, and how do they evaluate risk?
Only when the above are understood can you fully determine what level of testing is appropriate to that application. There is little point in going to the expense of testing something without any context of the risk associated with it. Not only does this mean that websites may be tested unnecessarily or too frequently; a greater concern is a lack of testing, or the wrong level of testing, potentially leaving the application and the client vulnerable to attack.
Understanding and appreciation of information risk is a critical aspect of development. If a correct risk methodology is applied to the application and infrastructure, and an appropriate level of testing is conducted, the likelihood of a significant breach occurring is vastly reduced.