PenTest Extra 4/2011 - Physical and Network Security


EXTRA WEB APPLICATION PENTESTING

The Process Explained from Start to Finish

Organizations are increasingly looking to "webify" the services and applications they provide to both employees and customers. Given the threat landscape, the need to test web applications to ensure that these services and applications are truly secure has never been greater. It is common for the ratio of web application developers to professional security testers to be more than 100:1 in medium to large organizations.

While teams of web application developers create applications faster than ever before, it is unrealistic to think that far fewer security testers can test the security of these applications just as quickly as they are created.

Automation and Scope: Key Elements for a Successful Test

To keep pace, it is critical that security testers make the most of the time available to test web applications. They can do this with automation and scope. Automation here refers to the use of automated tools and solutions to decrease the amount of time spent looking for security issues, especially those that can be found by automated processes. If a security tester, for example, has only a couple of days to test and report on the security posture of a web application, the tester needs to ensure that manual effort is devoted only to the areas of the application that deserve manual attention. It would be highly inefficient for the tester to spend a third of his or her time simply crawling the application and recording all of the unique URLs associated with it. Scope, on the other hand, determines the boundaries of the test. It can be as simple as defining which URLs are in scope for testing, or as detailed as the type of testing that may take place, e.g. no DoS tests, no credentials supplied but brute-forcing of credentials is acceptable, etc. When measuring the security posture of web applications, testers should determine whether DNS poisoning is an acceptable part of the test. If an attacker can
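The two ideas above, automating the tedious URL-enumeration step and encoding the agreed scope as enforceable rules, can be combined in one small tool. The script below is an added example and is not code from the article or from any product it mentions: it crawls a constructed in-memory site (the hostnames app.example.com and cdn.example.net and every page are made up), normalizes each URL so the same resource is counted once, and refuses to follow anything outside the allowed host or under excluded paths such as an admin reset endpoint or the logout link. Swap the fetch() stub for a real HTTP client when running against an authorised target.

```python
"""Scope-aware crawl: enumerate the unique in-scope URLs of a web application.

Added example, not code from the article. The target is a constructed
in-memory site (FAKE_SITE) so the script runs offline; replace fetch() with
a real HTTP client to crawl a live, authorised target.
"""
from collections import deque
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit, urlunsplit, parse_qsl, urlencode

# Constructed sample site, keyed by canonical URL. Hostnames are hypothetical.
FAKE_SITE = {
    "https://app.example.com/":
        '<a href="/login">Login</a> <a href="/products?sort=price&page=1">Products</a>'
        ' <a href="https://cdn.example.net/lib.js">cdn</a>',
    "https://app.example.com/login":
        '<form action="/login"></form><a href="/">Home</a><a href="/#top">Top</a>',
    "https://app.example.com/products?page=1&sort=price":
        '<a href="/products?page=1&sort=price">same</a><a href="/products/42">Item</a>'
        '<a href="/admin/reset-db">Reset</a>',
    "https://app.example.com/products/42":
        '<a href="/logout">Logout</a><a href="mailto:x@example.com">mail</a>',
    "https://app.example.com/admin/reset-db": "<p>danger</p>",
    "https://app.example.com/logout": "<p>bye</p>",
}


class Scope:
    """Rules of engagement as data: allowed hosts, a path prefix, and explicit
    exclusions (state-destroying or DoS-prone endpoints, session-ending links)."""

    def __init__(self, allowed_hosts, path_prefix="/", excluded_prefixes=()):
        self.allowed_hosts = set(allowed_hosts)
        self.path_prefix = path_prefix
        self.excluded_prefixes = tuple(excluded_prefixes)

    def contains(self, url):
        parts = urlsplit(url)
        if parts.scheme not in ("http", "https"):
            return False          # mailto:, javascript:, etc. are never in scope
        if parts.hostname not in self.allowed_hosts:
            return False
        if not parts.path.startswith(self.path_prefix):
            return False
        return not any(parts.path.startswith(p) for p in self.excluded_prefixes)


def normalize(url):
    """Canonical form so one resource is recorded once: drop the fragment,
    lower-case scheme and host, sort query parameters."""
    parts = urlsplit(url)
    query = urlencode(sorted(parse_qsl(parts.query, keep_blank_values=True)))
    return urlunsplit((parts.scheme.lower(), parts.netloc.lower(),
                       parts.path or "/", query, ""))


class LinkExtractor(HTMLParser):
    """Collects <a href> and <form action> targets from a page."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a" and attrs.get("href"):
            self.links.append(attrs["href"])
        elif tag == "form" and attrs.get("action"):
            self.links.append(attrs["action"])


def fetch(url, site=FAKE_SITE):
    """Stand-in for an HTTP GET against the constructed site."""
    return site.get(url)


def crawl(start, scope, fetch=fetch):
    """Breadth-first crawl restricted to `scope`.
    Returns (visited, skipped): unique in-scope URLs actually fetched, and the
    sorted set of URLs discovered but left alone because they fall outside scope."""
    start = normalize(start)
    queue, seen = deque([start]), {start}
    visited, skipped = [], set()
    while queue:
        url = queue.popleft()
        body = fetch(url)
        if body is None:
            continue
        visited.append(url)
        parser = LinkExtractor()
        parser.feed(body)
        for href in parser.links:
            target = normalize(urljoin(url, href))
            if not scope.contains(target):
                skipped.add(target)   # recorded for the report, never requested
            elif target not in seen:
                seen.add(target)
                queue.append(target)
    return visited, sorted(skipped)


if __name__ == "__main__":
    rules = Scope(["app.example.com"], excluded_prefixes=("/admin/", "/logout"))
    in_scope, out_of_scope = crawl("https://app.example.com/", rules)
    print("in scope:", *in_scope, sep="\n  ")
    print("out of scope (not requested):", *out_of_scope, sep="\n  ")
```

The out-of-scope list is as useful to the report as the in-scope one: it documents what the tester saw and deliberately did not touch, which is exactly the evidence needed when a client later asks whether the admin reset endpoint was exercised.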

Figure 1. The Ciso Diaries


http://pentestmag.com
