The previous posts about the pen test lifecycle set the stage for conducting a security assessment. Now it’s time to perform the work. Doing that requires understanding the phases of penetration testing, the pentest framework, the pentest methodology.
In the testing phase, security experts analyze the target for weaknesses and flaws that might be turned into vulnerabilities. The previous stages of the pen test will have established a clear scope, identified the target environment, and set up credentials for the test. Even though testers should be self-sufficient at this point (and well versed in penetration testing methodologies / have a clear pentest standard) there are still ways to participate in this phase to ensure the test is successful.
A blackbox pen test is about assessing a target with little prior knowledge about it — but don’t let the testing itself be a blackbox.
Talk to the researchers. Make sure you are aligned on the penetration testing execution standard. You should already have confidence that the pen test team is skilled. This is a chance to understand their penetration testing methodology and penetration testing standards. It’s important, of course, for them to identify vulns. It’s equally important to build confidence that vulns are absent. Understanding what they’re doing helps build that confidence.
Include DevOps members, make them available to answer questions and provide support. This is also a way to shortcut an alerting process or debug situations if the app appears unstable. Seasoned pen testers understand how to conduct security reviews against production systems while minimizing the chances of an adverse event. Having direct communication between the DevOps team and testers makes it easier to determine or rule out when test activity led to an unstable app. Sometimes identifying when relatively simple requests can lead to significant negative impacts is an important finding.
2. Maintain Focus
Just as there can be scope creep when building an app, there may sometimes be scope creep when testing one. Sometimes this happens when the initial scoping exercise made incorrect assumptions about the app’s components, or neglected to include key parts of the architecture.
But there can also be situations where pen testers investigate a threat model that’s either already well-known or may prove fruitless due to mitigations they’re unaware of. This often comes up when reviewing vulns the testers submit. Even following an agreed upon penetration testing methodology, experienced pen testers can make informed decisions about the risk associated with a vuln, but they may not always understand the nuances of its business impact.
Sometimes a particular type of vuln may be pervasive. This typically happens with cross-site scripting and missing tokens that prevent cross-site request forgery. Rather than suffer through a deluge of individual vuln submissions, talk with the testers about the underlying architectural flaws they’re seeing. Then work with the DevOps team to revisit the app and improve the architecture so that the entire class of vuln is addressed.
3. Evaluate Monitoring
Most web app pen tests aren’t designed to be stealthy. (Those that are intended to be stealthy are more commonly referred to as Red Team exercises and have specific goals for compromise of systems or data.) Even so, do you have logging in place that can capture the pen test activity? Do you monitor those logs? What types of alerts are generated?
This is also true for the health of the app. It’s common for pen tests to run against production systems. Experienced pen testers will be careful not to intentionally impact availability or adversely affect the target. Alas, mistakes happen — whether due to a brittle app or unexpectedly intrusive test. Being able to monitor an app’s health is important during normal activity. It’s even more important during a pen test.
4. Prepare to Fix Vulnerabilities
In many ways, a pen test measures failure. The vulnerabilities that pen testers identify may be flaws in code or controls that failed to protect users or data. Whatever their cause, it’s important for app owners to discover vulns — preferably before the app reaches production.
It may be a measure of failure, but that doesn’t imply that blame is the expected outcome of a pen test. Sometimes a mistake is the security equivalent of a typo — a DevOps team member forgot a validation check, omitted a line of code, or misconfigured a system. A great way to counter those kinds of flaws is with automation that watches for common errors.
Other times a mistake may be due to misunderstanding a code base or lacking awareness of threat models. This is the chance to educate DevOps teams about security and provide them with coding patterns, libraries, and tools that make those vulns less likely to reappear.
A pentest lifecycle begins with aligning on penetration testing standards and a penetration testing framework. Understanding what went wrong is part of the reporting stage of the pen test lifecycle. In the upcoming posts we’ll explore how to use pen test results as a feedback loop to improve your app.
In case you missed the second step in the pen testing process. Here are 4 Tips to Successfully Kick Off a Pen Test.