When developing a website or an application, security testing is one of the most important part, as having a secure and trustworthy software is what any user is looking for. When it comes to choosing the best approach in security testing, there are two widely used approaches: vulnerability assessment or penetration testing. The choice between them must be based on the costumer’s value proposition and expectations.
The constant growth of the internet and the breakthrough of the internet of things comes with a lot of security risks. Assessing them means find, investigate, report and evaluate them in the tested application. The question is how would you manage to cover them all? And the answer is: you don’t! A big part of the vulnerabilities have been fixed or patched a long time ago. There are also constraints that need to be added: the resources used by the application ( Web server type, operating system, database type, etc.) and the technologies used for developing the application (.NET, Java, PHP, frameworks, etc.). Other factors could be the available time and budget. All of this could be seen as filters that narrows the coverage that need to be done in order to find breaches.
When running a vulnerability assessment process, all the components of the application have to be investigated, unless the client imposes certain constraints (usually depending on the resources and the purpose of the application).
Here is a list of the most commonly investigated components:
- authentication section;
- authorisation validation, roles and permissions;
- session validation, cookies;
- transport layers;
- data validation, back-end front-end;
- E-commerce specific functionality;
- error handling;
- business logic validation;
- denial of service;
- gathering the sensitive information that was leaked towards the public on the web.
For each of these components a tester should try out specific type of vulnerabilities, document and report them to the customer.
This approach is more like a hacker-like one, mainly because of the fact that a tester has to apply a strategic way of thinking, in the same way as a hacker would, in order to identify possible breaches in the system, which might result in the corruption of it.
When using the penetration testing method, the tester is not explicitly interested in reporting all the vulnerabilities found, but only those who are helping in the process of breaking the security of the system, no matter how important they seem independently.
A tester will use all his/her knowledge and creativity skills to prove to the customer that the application is presenting security risks, being open to attacks that could have strong impact on the system. Some examples of such breaches are:
- accessing the used database, viewing, modifying or deleting sensitive data
- access at the OS level
- denial of service
- download sensitive documents or other.
- permission escalation
Each one of these are representing a stage reached by the tester in his/her attempt to break the system. In the report handed to the costumer, he/she has to explain all the steps made in order to be in that particular stage.
Which approach to use
Usually, penetration testing is required for big applications, where security has already been taken into consideration from the beginning of the development process and the customer is hiring external testers, which might have a different view and therefore, might get more creative. The purpose would be to simulate a real attack and track the behaviour of the system and how the team maintaining it is able to respond.
Vulnerability assessment is a mandatory method for all applications that are launched, being able to assure the right level o security.
An efficient and cost-effective way of dealing with the security risks is to start it at the beginning of Software Development Life Cycle (SDLC), run the vulnerability assessment method in the final stages and then use the penetration testing approach.
Author: Andrei Pusoiu