Application penetration testing is a hybrid security test that aims to uncover vulnerabilities at the application layer. Common classes of vulnerability found include SQL injection, cross-site scripting (XSS) and cross-site request forgery (CSRF). The test has a high manual component (approximately 70% of the effort), and the testers build custom threat profiles to discover contextual vulnerabilities that are specific to the application under test rather than generic issues a scanner would report.
Application-level assessments fall into two distinct classes:
- 1. Web applications. Those presented through a browser by a web server. Our methodology for assessing web applications is closely aligned with industry-accepted OWASP (Open Web Application Security Project) guidance.
- 2. Thick-client (client-server) applications. Software that is installed or executed on the client and communicates with a back-end service.
Both types of assessment follow the same high-level methodology:
Figure: Application Level Assessment Approach
Application assessments are commonly performed from the perspective of one or more of the following scenarios:
- 1. No knowledge. Commonly referred to as black-box testing, this simulates an attacker with no prior knowledge of the application or its associated environment.
- 2. Some knowledge. Commonly referred to as grey-box testing, this simulates an attacker with partial knowledge, for example a legitimate application user, or someone who knows how the application works internally.
- 3. Full knowledge. Using a white-box testing approach, this simulates an attacker with full knowledge of the application and its environment, including access to the source code (for example a disgruntled application developer).
MANUAL SOURCE CODE REVIEW METHODOLOGY
Our hybrid approach to code review blends automated tooling with human analysis. We use proprietary scripts that can be customized and extended for each application.
The benefits of the hybrid approach include:
- No false positives in the final report, because a reviewer verifies each automated finding before it is reported
- High efficiency, as automated scripts zero in on suspicious code for the reviewer to examine
- Ability to detect business logic security flaws, including custom backdoors, that pattern-based tooling alone cannot confirm
- Scripts customized for the languages, frameworks and coding styles used in the application
- Greater coverage, as automated scripts analyze the entire code base rather than a sampled subset
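To make the "scripts find, humans verify" workflow concrete, the following is an added example written for this page; it is not the proprietary tooling described above. It runs a small rule set over source text and emits candidates for a reviewer to confirm or dismiss, grouped by vulnerability class. The rules, the `Candidate` type and the three sample source files are constructed for illustration; a real engagement would tailor the rules to the code base's languages and frameworks.

```python
"""Hybrid source-code review triage: automated sink search, manual verification.

Added example for this page (not the assessment team's own scripts). Each rule
is a heuristic over one source line that flags code worth a reviewer's time;
nothing emitted here is a confirmed finding until a human has looked at it.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Candidate:
    path: str
    line: int
    rule: str
    snippet: str


# Illustrative rule set (assumed, not the page's own). Name -> regex over a line.
RULES = {
    # SQL keyword followed by a string literal joined with +, % or .format(),
    # or an f-string containing SQL: a string-built query to check for injection.
    "sql-string-build": re.compile(
        r"(?i)(?:f[\"'][^\"']*\b(?:select|insert|update|delete)\b"
        r"|\b(?:select|insert|update|delete)\b[^\n]*[\"']\s*"
        r"(?:\+\s*\w|%\s*[\w(]|\.format\())"
    ),
    # Dynamic code execution on possibly attacker-controlled input.
    "dynamic-eval": re.compile(r"\b(?:eval|exec)\s*\("),
    # Shell invocation where the command string may be user-controlled.
    "shell-exec": re.compile(
        r"\b(?:os\.system|subprocess\.\w+)\s*\([^)]*shell\s*=\s*True"
    ),
    # A secret compared against a literal: candidate maintenance backdoor.
    "hardcoded-credential": re.compile(
        r"(?i)\b(?:password|passwd|token|secret|api_key)\b\s*==\s*[\"'][^\"']+[\"']"
    ),
}

# Constructed sample code base. The parameterized query in find_by_id is a
# deliberate near-miss that the rules must NOT flag.
SAMPLE_SOURCE = {
    "app/users.py": """def find_user(cursor, name):
    cursor.execute("SELECT * FROM users WHERE name = '" + name + "'")

def find_by_id(cursor, uid):
    cursor.execute("SELECT * FROM users WHERE id = %s", (uid,))
""",
    "app/admin.py": """import os, subprocess

def run_report(period):
    subprocess.run("report --period " + period, shell=True)

def login(user, password):
    if user == "support" and password == "letmein2009":
        return grant_admin()
    return check_db(user, password)
""",
    "app/util.py": """def dispatch(expr):
    return eval(expr)
""",
}


def scan_source(path: str, text: str) -> list[Candidate]:
    """Run every rule over every line of one file; return review candidates."""
    found = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in RULES.items():
            if pattern.search(line):
                found.append(Candidate(path, lineno, rule, line.strip()))
    return found


def scan_tree(files: dict[str, str]) -> list[Candidate]:
    """Scan a whole code base (path -> source text) in deterministic order."""
    return [c for path, text in sorted(files.items()) for c in scan_source(path, text)]


def summarize(candidates: list[Candidate]) -> dict[str, int]:
    """Count candidates per rule so the reviewer sees the shape of the queue."""
    counts: dict[str, int] = {}
    for c in candidates:
        counts[c.rule] = counts.get(c.rule, 0) + 1
    return dict(sorted(counts.items()))


def review_queue(candidates: list[Candidate]) -> dict[str, list[Candidate]]:
    """Group candidates by rule: reviewers work one vulnerability class at a time."""
    queue: dict[str, list[Candidate]] = {}
    for c in candidates:
        queue.setdefault(c.rule, []).append(c)
    return queue


if __name__ == "__main__":
    for rule, items in review_queue(scan_tree(SAMPLE_SOURCE)).items():
        print(f"[{rule}] {len(items)} candidate(s) for manual verification")
        for c in items:
            print(f"  {c.path}:{c.line}: {c.snippet}")
```

Running the script on the constructed sample yields one candidate per rule and leaves the parameterized `find_by_id` query untouched, which is the point of the hybrid model: the script narrows thousands of lines to a short queue, and the reviewer decides whether `run_report`'s shell call is reachable with attacker input or whether the `support`/`letmein2009` branch is a backdoor rather than test scaffolding.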