Well, all these stories about security and hackers feel somewhat elusive, vague and not urgent, and above all you don’t really know how any of it works, right?
You have a web application (website, mobile app) and you think about the security of your data, your users and your business, but… you don’t embark on the adventure because you’re afraid it will eat up too much of your time, right?
Then this article is for you.
What is a security audit?
If “security audit” or “penetration test” is all Greek to you, then I kindly suggest you read this article we published some time ago:
“What is a web penetration test?”
Now that you know what it is: How does it work?
Planning a security audit is easy!
Performing a penetration test on your web platform will not take up much of your time.
In fact, once the scope of the security audit has been defined, you will have little to do but wait until the test is finished. You will then receive the detailed report, along with a presentation.
Preparing everything will take roughly 2 hours, for the following tasks:
- Agreeing on the scope of the tests
- Providing test accounts, if deemed necessary
- Managing all administrative aspects (contract, test authorization)
- Informing the hosting company
Scope of the tests
A full security audit, covering the whole platform, is definitely the better choice! That’s why one of the first steps is to list the different elements you want tested, to make sure we don’t leave anything out:
- administration interface / back-office
- iPhone and Android apps
- web services, APIs…
Besides helping us make an accurate price estimate, this first step lets you make sure nothing is left aside. For example, if your mobile applications are not protected, they could be used to attack the rest of the platform!
Creating test accounts serves several purposes:
First, it makes it possible to locate the data created during the tests, so it can be cleaned up or removed once testing is complete. This cleanup cannot always be done by the company performing the audit, depending on the type of application being tested.
Second, it is sometimes impossible for the company performing the audit to create accounts itself, for instance on an administration interface. Providing pre-created accounts therefore allows for more thorough testing.
Starting the security tests without going through the paperwork would be faster, but could lead to problems. Don’t worry, though: only 2 documents are needed, and they are quick and easy to validate:
First, a written pentest authorization is needed before any test can be performed on your web application. That authorization must be signed by a person with the appropriate authority in your company (usually someone on the board of the company).
That is simply the law, nothing more: no authorization, no test.
Second document: the contract.
As with any professional service, there is a service contract (including insurance) between you and the pentesting company.
Informing the hosting company
The hosting company must be made aware of the tests.
If this step is skipped, alarms will be triggered in the hosting company’s systems and the tests might run into trouble (and so might we, by the way).
More broadly, hosting companies impose some constraints on the tests, for security reasons related to their own infrastructure.