Security is essential, and you agree with that. You do indeed want to run a penetration test (or pen test) on your solution soon… Here are 7 questions to help you get the most out of a penetration test.
1 – Is it Better to Test Production or Pre-production?
Running a penetration test on your production environment has one sure advantage: it is conducted under the actual conditions of use of your website, web application, API, etc., with the latest developments deployed.
However, testing the production environment can, in some rare cases, interfere with the normal running of your business. To avoid any risk, the penetration test can be carried out in an iso-production environment, i.e. an environment that is absolutely identical to the production environment.
Doing a penetration test on the pre-production environment is also interesting, as it is very similar to the final environment, and the tests will not touch services used by your users or customers. This is particularly appropriate for critical infrastructure, where data or system integrity is crucial.
Finally, the important thing is to test the entirety of your online environment, as some environments other than production are accessible from the internet. Those platforms can be vulnerable: they can reveal technical information about the production environment, lead towards elements of production, or even have flaws due to a wrong configuration.
2 – Is it Useful to Do a Penetration Test before the End of Project Development?
Doing a penetration test during the development of a web application makes it possible to get early feedback. Correcting flaws at an early stage is easier and takes less time (and is therefore less expensive) than once the service is deployed. A first pen test provides a sound basis, and the project keeps growing in the right direction.
Moreover, with functionality constantly evolving, we can hardly say that a project is “finished”. There will always be updates or patches to install, functionalities to add, changes in the development technologies, etc.
It is recommended to run a penetration test at least for each new version or major modification of your solution.
3 – Is a Penetration Test Run on the Server Configuration or only on the Code?
A penetration test challenges your web application (PC or mobile), the server configuration, web services, APIs and, more generally, every service accessible online. Depending on your specific needs, a test scope is defined with your provider.
At Vaadata, we specialise in the application layer, where most potential threats are located at present. We also test server configuration.
4 – Are DoS attacks Conducted during a Pen Test?
Yes, but not on Friday (Vaadata internal policy 😉 )
More seriously, it is technically entirely possible to test resistance to DoS attacks during a pen test. Depending on your request and your needs, DoS attacks will or will not be conducted.
5 – Which Technologies are Tested?
PHP, Java, Ruby, Python, C#, NodeJS… Languages differ, but logic vulnerabilities are found everywhere. Logic flaws are related to the design of web applications, independently of the technology used. For example, access control problems or XSS (cross-site scripting) flaws can be found with every development technology.
Concerning vulnerabilities specific to a framework or a language (MySQL injection, MongoDB injection…), being a pentester (security consultant) is a job that requires knowing many languages in order to test them.
6 – Who Corrects the Flaws Found?
Developer and pentester are two different jobs. When a penetration test is carried out, pentesters document the flaws in a report (where the flaws were found, how they can be exploited…). This report includes recommendations on how to correct the flaws, but pentesters do not do the corrections themselves.
Developers already know the project. They will therefore be faster and more efficient at making the needed corrections than a pentester foreign to the project, who would have to get into the project (and the development environment), understand the logic used, etc.
7 – Are the Corrections Verified?
It is worthwhile to verify that the corrections are complete and correct for each vulnerability. A check also makes it possible to confirm that the corrections did not cause any side effects, i.e. negative consequences creating new flaws. Vaadata offers this remediation validation phase.
A penetration test has a cost, but it should be seen as an investment aiming to avoid the damage of a real attack, whose losses are sometimes hard to measure: data loss, image degradation, ranking drops, …
A pen test is one component of a global security strategy. This strategy has to be thought through and planned according to each situation.