A lot of times in security, there are differences in understanding between clients and service providers. Miscommunications often relate to the terms being used and sometimes, it’s unclear what services are even being offered. This problem is exacerbated now that we are in a time where the field of “information security” or “cybersecurity” is relatively young and immature, but it has been thrust into the mainstream, with compliance requirements and news about data breaches. It makes shopping for a security services provider extremely difficult because it can be hard to understand what exactly you are getting for your investment. Particularly with a web application penetration test, we get a ton of questions and confusion around what an assessment looks like. With that in mind, let’s try and cover what exactly a web application penetration test is and what it includes.
So what is it?
The Open Web Application Security Project (OWASP) is the primary authority on application security. They describe a web application security test as:
“A security test is a method of evaluating the security of a computer system or network by methodically validating and verifying the effectiveness of application security controls. A web application security test focuses only on evaluating the security of a web application. The process involves an active analysis of the application for any weaknesses, technical flaws, or vulnerabilities. Any security issues that are found will be presented to the system owner, together with an assessment of the impact, a proposal for mitigation or a technical solution.”
In simpler terms, a web application penetration test identifies any vulnerabilities in your web application and assesses the impact of those vulnerabilities through exploitation attempts. A penetration test goes above and beyond a simple vulnerability scan, as we’ve explained here. This process is going to show you what weaknesses are the most significant from the perspective of an attacker, which will subsequently help your organization evaluate where to allocate resources (time, budget, etc.).
What questions does it answer?
Most organizations, Triaxiom included, perform web application testing that utilizes the OWASP Penetration Testing Guide or some form of it. This type of testing is going to include both an unauthenticated and authenticated analysis of the targeted web application(s) using all of the different user roles that are available. Additionally, most organizations (but definitely not all) will include network-level testing for vulnerabilities on the host server that could negatively affect the security of the application (e.g. a phpMyAdmin login page accessible on a separate port on that host server). Some questions that this test will answer include:
- What sensitive data can a hacker access within the application if they don’t have an account?
- Can one application user see or modify the data of another application user?
- Is a low-level user able to access sensitive data or perform privileged functions they shouldn’t have access to?
- Can an attacker gain control over your application server through the application?
- Can an attacker or malicious individual use your application as an entry point to your internal network?
- Is our web application infrastructure vulnerable?
- Is our code vulnerable? Or can attackers manipulate the website or back-end database by injecting malicious code?
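Two of the questions above (can one user see another user’s data, and can a low-level user perform a privileged function) are concrete enough to show in code. The following is an added example written for this post, not Triaxiom’s or OWASP’s code: it models a tiny application with plain Python functions over an in-memory store so it runs offline. The user names, invoice records, the `Request` stand-in and the handler names are all constructed for illustration. Each “vulnerable” handler trusts something the client sent, which is exactly what a tester with a low-privileged account will probe; each hardened handler makes the decision from server-side state instead.

```python
"""Illustration of two checks a web application penetration test performs:
- object-level authorization: can user A read user B's records?
- function-level authorization: can a normal user run an admin-only action?
Everything below is constructed sample data and toy handlers, not a real framework."""

from dataclasses import dataclass

# Constructed sample users: two ordinary accounts and one administrator.
USERS = {
    "alice": {"role": "user"},
    "bob": {"role": "user"},
    "carol": {"role": "admin"},
}

# Constructed sample records keyed by invoice id, each owned by one user.
INVOICES = {
    101: {"owner": "alice", "amount": 250.00},
    102: {"owner": "bob", "amount": 99.50},
}


class Forbidden(Exception):
    """Authorization failure; a web framework would turn this into HTTP 403."""


@dataclass
class Request:
    """Minimal stand-in for an HTTP request: the user established by the
    server-side session, and the parameters the client chose to send."""
    session_user: str
    params: dict


# --- Vulnerable handlers: the behaviour an assessment would flag ----------

def get_invoice_vulnerable(req: Request) -> dict:
    # Fetches whatever id the client asked for and never checks ownership,
    # so any authenticated user can walk through every invoice in the system.
    return INVOICES[int(req.params["id"])]


def delete_user_vulnerable(req: Request, users: dict) -> bool:
    # Decides on a client-supplied "role" parameter instead of the account's
    # real role, so a normal user who adds role=admin gets the privileged action.
    if req.params.get("role") != "admin":
        raise Forbidden("admins only")
    users.pop(req.params["target"])
    return True


# --- Hardened handlers: authorization decided from server-side state ------

def get_invoice(req: Request) -> dict:
    invoice = INVOICES.get(int(req.params["id"]))
    # The record must belong to the session user. Using one response for
    # "does not exist" and "not yours" avoids confirming which ids are valid.
    if invoice is None or invoice["owner"] != req.session_user:
        raise Forbidden("no such invoice")
    return invoice


def delete_user(req: Request, users: dict) -> bool:
    # The role comes from the server's own user table, keyed by the session
    # user; nothing the client sent can change the outcome of this check.
    if users[req.session_user]["role"] != "admin":
        raise Forbidden("admins only")
    target = req.params["target"]
    if target not in users:
        raise KeyError(target)
    users.pop(target)
    return True


def demo() -> dict:
    """Run the checks a tester would try with Bob's low-privileged account
    and report, for each handler, whether the attempt was allowed or blocked."""
    results = {}

    # Bob requests Alice's invoice (id 101).
    bob_reads_alice = Request("bob", {"id": "101"})
    results["vulnerable_idor"] = get_invoice_vulnerable(bob_reads_alice)["owner"]
    try:
        get_invoice(bob_reads_alice)
        results["hardened_idor"] = "allowed"
    except Forbidden:
        results["hardened_idor"] = "blocked"

    # Bob sends role=admin and asks to delete Alice's account.
    bob_escalates = Request("bob", {"role": "admin", "target": "alice"})
    results["vulnerable_privesc"] = (
        "allowed" if delete_user_vulnerable(bob_escalates, dict(USERS)) else "blocked"
    )
    try:
        delete_user(bob_escalates, dict(USERS))
        results["hardened_privesc"] = "allowed"
    except Forbidden:
        results["hardened_privesc"] = "blocked"

    # The hardened handler still lets a real administrator do the job.
    results["admin_delete"] = (
        "allowed" if delete_user(Request("carol", {"target": "alice"}), dict(USERS)) else "blocked"
    )
    return results


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```

During an authenticated test, the tester would make the same two requests from a low-privileged account: change the `id` in a URL to another user’s record, and add or alter parameters such as `role` on a privileged action. A report would list each request that returned another user’s data or succeeded without the right role, which is what the hardened handlers above prevent.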
We’ve covered our methodology and phases of testing in more detail, but for now it’s important to get everyone on the same page with a high-level understanding of what a web application penetration test means. Hopefully, it will be easier for you to compare quotes in the future now that you have a level set of expectations and a baseline of terminology.