In an interconnected world of today, security testing is an integral part of the software development lifecycle. Almost 80% of vulnerabilities on the web are application-related; as security attacks get more sophisticated, ensuring the application security and the integrity of user sensitive data becomes paramount.
Research, planning, design, development, testing, deployment, and, finally, maintenance are the typical SDLC stages. Testing the application and making sure it meets the specifications and complies with standards, is usually a fifth, pre-deployment stage of the software development lifecycle - although the current trend is to go through every SDLC stage with security in mind.
The goal of testing is to uncover the flaws and deficiencies and see if the app you have built operates as expected. As such, testing is part of a software quality assurance procedure and requires a specific set of knowledge and skills. Fixing the uncovered vulnerabilities is also an integral part of the SDLC testing stage.
Typically, application security testing covers all layers of the application - from app infrastructure to network and database. All in all, software testing techniques can be subdivided into several categories:
- Vulnerability scanning - a specialised software performs automated scan aimed at detecting any potential loopholes in application security. This quick scan may yet overlook essential details and has to be complemented by other methods.
- Security scanning - manual or automated tests targeting system and network vulnerabilities. An app runs on top of the infrastructure, and its flaws may negatively impact app security and performance.
- Security audit - line-by-line manual or automated code review was done to pinpoint flaws that may threaten application security. A thorough procedure aimed to discover flaws that may otherwise appear not so evident.
- Risk assessment - an in-depth examination of company operations and processes for potential security hazards. Can anyone in your organisation unknowingly open pathways to perpetrators? Are all the processes completely secure?
- Penetration testing, a.k.a pentest - simulation of a hacker attack to expose application flaws and vulnerabilities. This testing method reveals what will happen if a hacker chooses to attack.
In this article, we will focus on penetration testing, its stages and methods, and explore how to integrate it into your SDLC.
As said above, penetration testing, also known as ethical hacking, exposes the application vulnerabilities and directly demonstrates the negative consequences a potential security breach could have. Recommended specifically for systems that store and process classified and sensitive data, pentests deliver clear guidance on how to eliminate app security flaws and defects.
How do you know when pentesting is a must? If an app you're building will belong in a business segment where it needs sensitive customer data (i.e. social security numbers, credit card, medical and legal info, etc.) to operate, you can’t afford to disregard penetration testing. Pentest of fintech apps, for example, is a mandatory procedure required to meet compliance demands. Government infrastructures are also frequent targets of malicious attacks.
The recent cybercrime statistics reveal an alarming picture: 25,7% of malicious attacks in 2018 targeted banking and financial companies. The aim of these attacks was credit card fraud, stealing client credentials, and infecting organisation’s infrastructure with malicious apps. Law firms and certified public accountants often fell victim to ransomware (22,4%). The other popular targets of ransomware attacks were software companies and healthcare organisations.
5 Stages of Pentesting
When it comes to web application security, penetration testing may simulate the attack on various application systems: frontend and backend servers, APIs, etc. The information on vulnerabilities uncovered during the penetration test is then subdivided into categories according to the severity of threats. It can be further used to tweak web application firewall settings and improve security policies. All in all, the pentest process comprises five consecutive stages:
1. Investigation and planning
This preparatory stage involves defining test goals and methods as well as the application systems to be targeted by the simulated attack. Gathering information on network characteristics, domain names, and mail servers also take place at this pentest stage.
2. Scanning
In the second stage, testers are examining how the application is likely to respond to an attack. This pentest phase will involve examining the application code in a static and dynamic state. The static analysis is to understand how the application will behave while running and is done using tools that scan the entire app code at once. The dynamic analysis scans the app in a running state to see how its code works in real-time.
3. Gaining access
At this stage, the actual intrusion takes place. Testers use attack methods like backdoors, cross-site scripting, and SQL injections to gain unauthorised access and try to cause as much harm as they can - steal data, intercept web traffic or gain advanced user privileges. More specifically:
- Backdoor is a malware installed in an application system prying it open to data theft, DDoS attacks, server hijacking, and advanced persistent threats.
- Cross-site scripting (XXS) is injecting a portion of malicious code into an application on the web. Its target is the app users: their personal accounts may be hacked, content altered to cheat into surrendering their private data, trojans activated, etc.
- Structured Query Language (SQL) injections, i.e., injecting malicious code into backend application databases, can reveal user lists, delete entire tables and enable hackers to get administrative rights, which means they can view customers’ personal details including credit card information.
All the attacks mentioned above can cause severe financial and reputational damage and should be avoided at all costs.
4. Maintaining access
Upon gaining access, testers aim to see how long they can maintain it while remaining undetected. Long-term presence in the infected system means intruders can stay there for months. Advanced persistent threats (APTs) enable perpetrators to mine sensitive customer and organisation data by residing within a system for a long time. Successful ATPs, usually undertaken on large enterprises and government organisations, can bear serious consequences. The theft of personal data, intellectual property, website defacements, and infrastructure damage are just some of the examples of the negative impact of advanced persistent threats.
5. Reporting and analysis
At the final stage, the results of the pentesting are assembled into a detailed report containing the complete list of exploited vulnerabilities, accessed data, and the account on time spent undetected within the system. This document is, essentially, a cornerstone of healthier and more robust app security you will build after eliminating the flaws and defects in your current system.
5 Methods of Pentest
There are five methods for penetration testing of applications. All of them are highly profoundly and reveal useful information on application defects and vulnerabilities, as well as the gaps in the skills and expertise of your security team. These mutually complementary approaches will help you build a reliable app security system and enhance your team attack detection skills.
1. External testing
This pentest method targets the frontend part of the application and aims to gain as much access as possible by using the application elements which can be accessed externally.
2. Internal attack
This method simulates an attack on an application from inside its firewall. In real life, such attacks are far from rare: perpetrators may steal your employee credential during a malicious attack and thus gain unauthorised access.
3. Blind testing
The blind test simulates the situation when all the intruder knows is the organisation or an enterprise name. This pentest method shows the security professionals that a real-life attack on an application would look like.
4. Double-blind testing
This method is inherently similar to blind testing; only this time, the security team is also unaware that the attack is underway. Double-blind testing helps uncover the security system weak spots and the knowledge gaps of the security team by imitating a real-life situation when intruders attack without warning.
5. Targeted testing
During targeted penetration testing, testers and the security pros work hand-in-hand and notify each other about their actions. This penetration method is a highly effective means of learning how exactly the intrusion attempt looks like from the perpetrator’s standpoint.
As a part of your software development lifecycle, penetration testing is an important step that provides you with direct evidence on how your app will behave during the real-life, malicious attack. The test, and, further, the report generated based on its findings, will help you eliminate application defects and build an effective and resilient security system. One way or the other, it always makes sense to apply several pentest methods: the information one method could unveil may not be accessible via another method.
Also, pentesting alone is not a panacea for all app security issues. In business software development, penetration testing works best combined with other approaches:
- Static testing: automated testing scanning the application code for flaws and vulnerabilities;
- Dynamic testing: an audit of an application in a running state to see how it responds to various inputs. A combination of testing approaches should ensure no weak spot or defect goes undetected.
But, do I need to use a pentest if I use other means of protecting security? I’ve reached out to Philippe Peron, Chief Delivery Officer at a UK-based software house Evolve that provides cybersecurity consultancy and pentesting to other businesses.
If you are unsure you should include penetration testing into your SDLC, consider the following points:
1. Does the web application firewall (WAP) ensure its integrity?
It may be set up to withstand external attacks, but how well will it protect your app during the actual intrusion? A penetration test will give you a live account on how your WAP functions when a hacker tries to break in.
2. Are you taking into account unknown threats as you build your app security?
Most of the tools and methods applied to ensure app security target known threats. Pentesters, on the other hand, are trained to think out of the box and come up with new, original attack methods. Just like real-life hackers, for that matter.
3. What if your app suffers multiple attacks simultaneously?
It may be resistant to a standalone attack, but a massive attack campaign could break its defenses. Penetration testers use a combination of various attack methods (SQL injections, DDoS attacks, XXS, backdoors, and more) to uncover even the slightest vulnerabilities in your app security.
4. Am I ready to take financial risks and compromise company reputation?
As recent stats reveal, companies across the USA spend almost $27 million annually on cybercrime-related issues. On a global scale, only 38% of organisations say they are 100% protected from cyberattacks, and the estimated harm of worldwide cybercrime is expected to exceed $150 million.
Admittedly, the pentest procedure may extend time-to-market, but given the financial and reputational risks involved, the delay may be well justified. Ultimately, integrating pentesting into your software development lifecycle is a working proof of your dedication to protecting user data and maintaining high-security standards.