Customers expect web applications to provide significant functionality and data access. Beyond the customer-facing application, internal web applications are built on the business tools commonly used within any organization. Unfortunately, there is no "patch Tuesday" for custom web applications, and historical breach data shows that web application flaws play a major role in significant breaches and intrusions. Attackers focus on these high-value targets either by directly abusing internet-hosted applications or by turning to web applications after an initial break-in.
To continuously improve enterprise security posture, an organization needs effective testing strategies, effective use of its personnel, and effective use of pen test results to remediate issues and improve processes. The goal of penetration testing is to support business goals, not just to check for random holes.
Key Performance Indicators of application penetration testing would include:
- From a tactical perspective, penetration testing can determine how well an organization’s security policies, controls and technologies are actually working. Pen tests should be aimed at more than discovering vulnerabilities.
- Identify the value of the application and its data to determine the type of testing to be conducted. For highly sensitive information, perform pen testing under much the same guidelines as PCI. Narrow the scope of pen testing during data discovery: determine which sensitive data is at risk and where it is. Define a scope that includes critical information assets and business transaction processing; in short, determine where "the real crown jewels" are.
- Develop attacker profiles, think like pen testers and act like real attackers. Work with business owners to define these profiles and find out what types of potential attackers they are most concerned about. During information gathering, identify devices, operating systems, applications, databases, etc. The more you know about a target and its connected systems, the better chance you have of breaking in.
Attackers can and will exploit different aspects of your IT infrastructure, individually or, frequently, in combination to get the data they are looking for. Thorough pen tests leverage any and all of these potential attack vectors, based on the attacker's end goal, rather than the vulnerability of each.
The rules of engagement may allow the pen testers to exploit vulnerabilities, and the briefing can be used to give stakeholders a heads-up about what the impact of the exploit is.
The pen testing team should provide an executive summary, but the heart of the reporting should be detailed descriptions of the vulnerabilities the team found, how they were exploited and what assets would be at risk if a real attack took place. The goal is to help improve security: to give management the information to make decisions that improve the business and to help the operations team improve security. Make sure that each recommended remediation includes a reminder that the solution should be thoroughly tested before it is implemented in a production environment.
Penetration testing should not be a one-time exercise, and successive results should be compared. An internal team is in a better position to conduct regular testing. If your organization is large and distributed, come up with a process and create an environment in which information can be shared. Multi-stage penetration testing typically is a repeated cycle of reconnaissance, vulnerability assessment and exploitation, each step giving you the information to penetrate deeper into the network.
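Comparing successive test cycles is easier when findings are recorded in a structured way and the comparison is automated. The following is an added example (not from the original article) of how an internal team might compute cycle-over-cycle KPIs from two findings lists: which findings were fixed, which are new, which recur, the remediation rate, and a severity-weighted risk score. The `Finding` fields, the severity weights, and the sample findings are all assumptions constructed for the example.

```python
"""Compare two penetration-test cycles and compute remediation KPIs.

Added example. Findings are keyed by (asset, vulnerability category, location)
so the same weakness reported in two cycles is recognised as recurring rather
than counted as fixed-and-reintroduced.
"""
from collections import Counter
from dataclasses import dataclass

# Assumed severity weights for a simple risk score (constructed for the example).
SEVERITY_WEIGHT = {"critical": 10, "high": 5, "medium": 2, "low": 1}


@dataclass(frozen=True)
class Finding:
    asset: str      # application or host name
    category: str   # vulnerability class, e.g. "sqli", "xss", "idor"
    location: str   # endpoint / parameter where it was observed
    severity: str   # one of SEVERITY_WEIGHT's keys

    def key(self):
        return (self.asset, self.category, self.location)


def risk_score(findings):
    """Severity-weighted sum over a cycle's findings."""
    return sum(SEVERITY_WEIGHT[f.severity] for f in findings)


def compare_cycles(previous, current):
    """Return KPIs describing how the current cycle differs from the previous one."""
    prev = {f.key(): f for f in previous}
    cur = {f.key(): f for f in current}

    fixed = sorted(prev.keys() - cur.keys())
    new = sorted(cur.keys() - prev.keys())
    recurring = sorted(prev.keys() & cur.keys())

    # Categories that were present last cycle and appear again in *new* locations
    # point at a process gap (training, SDLC controls) rather than a one-off bug.
    prev_categories = {f.category for f in previous}
    repeat_categories = sorted({k[1] for k in new} & prev_categories)

    return {
        "fixed": fixed,
        "new": new,
        "recurring": recurring,
        "remediation_rate": len(fixed) / len(prev) if prev else 1.0,
        "risk_previous": risk_score(previous),
        "risk_current": risk_score(current),
        "repeat_categories": repeat_categories,
        "current_by_category": dict(Counter(f.category for f in current)),
    }


# Constructed sample data for two successive cycles.
PREVIOUS_CYCLE = [
    Finding("portal", "sqli", "/search?q", "critical"),
    Finding("portal", "xss", "/profile#name", "medium"),
    Finding("intranet-hr", "weak-auth", "/login", "high"),
    Finding("intranet-hr", "idor", "/payslip?id", "high"),
]
CURRENT_CYCLE = [
    Finding("portal", "xss", "/profile#name", "medium"),    # still open
    Finding("intranet-hr", "idor", "/payslip?id", "high"),  # still open
    Finding("portal", "xss", "/comments#body", "medium"),   # new, same class
]

if __name__ == "__main__":
    kpis = compare_cycles(PREVIOUS_CYCLE, CURRENT_CYCLE)
    for name, value in kpis.items():
        print(f"{name}: {value}")
```

The recurring list is what the operations team should be asked about first; the `repeat_categories` output (here, XSS appearing at a new location after being reported previously) is the kind of signal that justifies a process change rather than another point fix.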
"Penetration testing is an art". Although there are tools and methodologies, you have to be creative in finding problems in target systems and applications.
Authored by Safia Naaz