By David Parsons | Security Consultant at LRQA Nettitude
With the improvements of vulnerability scanners and the ever-increasing proficiency of software such as WAFs and Intrusion Detection Systems, you may be asking yourself whether Penetration Testing is still a relevant way to ensure the security of your website. The following article discusses several proactive security considerations you should make when either creating, or maintaining a website and how Penetration Testing can be useful in this process.
1. Secure Software Development Lifecycle (SSDLC)
Following a Secure Software Development Lifecycle prior to the deployment of your website is a crucial first step in ensuring its security and reducing risk. This means thinking about the security requirements of your website alongside the functionality of it at all stages of the design process. This can be achieved through thorough planning, regular website Penetration Testing and code reviews. This can be highly cost effective due to the early detection and resolution of security issues.
The Secure Software Development Lifecycle is a significant concept in software engineering and tends to follow at least five phases:
- Requirements
- Architecture and Design
- Implementation
- Verification
- Release and Maintenance
Requirements Phase
The requirements phase is the ‘what’ and ‘how’. What are the user and functional requirements of the website, and how will they be implemented? At this point, it is advisable to plan what your website should not do in relation to security, in an attempt to mitigate any potential attacks a malicious actor may devise. For example, is there a requirement to store Personally Identifiable Information (PII)? If not, any functionality that could capture it should be avoided; if so, what measures are going to be put in place to protect it?
Architecture and Design Phase
The architecture phase of the SSDLC is where high-level design decisions are made, such as what the system will do once it is functional, and where decisions relating to efficiency, performance and security are considered. Most software engineering research suggests that detecting and addressing security issues at this early stage of the SSDLC can avoid threats that may pose a security risk to the website in the future. At this point, using secure frameworks or consulting with a Pen Testing company such as Nettitude can reduce the risk of compromise further down the line.
Implementation Phase
The implementation phase is where the coding for the website will occur in the programming language of choice. Frequent code reviews should take place and any potential security concerns identified and analysed. This process can be automated, or a security consultant employed to manually review the code and identify any inherent security flaws.
Verification Phase
The verification phase occurs when the website is tested for both functionality and security. Regular website Pen Tests can be conducted at this point in an effort to identify common web application vulnerabilities or any additional security concerns. Security testing is different from functionality testing in that it is abstract and designed to make your site perform actions perhaps never envisaged in the design phase. This is why it is helpful to employ security consultants at all stages of the SSDLC. It is also imperative at this point that there is someone who can implement any fixes or patches to the vulnerabilities identified by your security consultant.
Release and Maintenance
The final phase of the SSDLC is to release the solution and continue its maintenance. Here, regular Pen Testing should be an ongoing process to identify security vulnerabilities and provide assurance to the users of your website and any other interested parties. Security research and vulnerability identification is an ongoing process. A website that is not regularly maintained and updated may miss out on vital security patches or be hosted on a vulnerable web server. Ongoing website penetration testing will identify these issues and help inform patch management going forward: the functionality of the application may remain the same, but its security posture likely will not.
2. Principles of least privilege
The principle of least privilege is critical when ensuring the security of your website. By nature, the principle of least privilege advises that your website users, whether they are members of the public or employees performing administrative actions, are only given the level of privilege necessary for their role. Fine-grained user controls should have been planned during the SSDLC, and website Pen Tests will attempt to bypass any access control implemented on your website. An example of an un-envisioned consequence of not following the principle of least privilege could be as follows:
- A malicious user finds and exploits a vulnerability on a page that is submitted to, and must be approved by, an authorised user.
- The authorised user, not using an account that follows the principle of least privilege, logs in with an administrative account and browses to the vulnerable page.
- The administrative user inadvertently triggers a malicious payload and the details of their session are sent to the attacker.
- The malicious user can then log into the application with the administrator’s session information and potentially affect the integrity, confidentiality or authenticity of the data stored by the website.
The above scenario is one that happens all too often: instead of having accounts that are finely controlled to perform specific tasks, administrative accounts with full access are provisioned to users who do not always need them. Regular website Penetration Testing will not only look to uncover the initial vulnerability in this scenario, but also the way that user sessions are implemented and whether the fine-grained access controls that implement the principle of least privilege are working effectively.
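The following is an added illustration of the two controls the scenario above depends on; it is example code written for this article, not Nettitude's own tooling. It models a role-to-permission map so that a reviewer who only approves submissions is provisioned with an "approver" role rather than "admin", and it builds the session cookie with the HttpOnly, Secure and SameSite attributes so that a payload running in the reviewer's browser cannot read the token. All role names, permission names and the cookie format are constructed for the example.

```python
from dataclasses import dataclass, field
import secrets

# Constructed role-to-permission map. A reviewer who only approves
# submissions gets the "approver" role, never "admin".
ROLE_PERMISSIONS = {
    "reader": frozenset({"view"}),
    "approver": frozenset({"view", "approve_submission"}),
    "admin": frozenset({"view", "approve_submission", "manage_users", "edit_settings"}),
}


@dataclass
class Session:
    user: str
    role: str
    token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


def authorise(session: Session, permission: str) -> bool:
    """Server-side check run on every request; the UI is never trusted."""
    return permission in ROLE_PERMISSIONS.get(session.role, frozenset())


def perform(session: Session, permission: str, action):
    """Run `action` only if the session's role carries `permission`."""
    if not authorise(session, permission):
        raise PermissionError(f"{session.user} ({session.role}) lacks {permission}")
    return action()


def least_privileged_role_for(permission: str) -> str:
    """Pick the role with the fewest permissions that still allows the task,
    i.e. the account a reviewer should be provisioned with for that task."""
    candidates = [r for r, perms in ROLE_PERMISSIONS.items() if permission in perms]
    if not candidates:
        raise LookupError(f"no role grants {permission}")
    return min(candidates, key=lambda r: len(ROLE_PERMISSIONS[r]))


def blast_radius(session: Session) -> frozenset:
    """What a stolen copy of this session could do: exactly the role's permissions."""
    return ROLE_PERMISSIONS.get(session.role, frozenset())


def session_cookie(session: Session) -> str:
    """Set-Cookie value for the session token. HttpOnly keeps it away from
    script running in the page, Secure keeps it off plaintext HTTP and
    SameSite=Strict stops the browser attaching it to cross-site requests."""
    return f"sid={session.token}; Secure; HttpOnly; SameSite=Strict; Path=/"


if __name__ == "__main__":
    reviewer = Session("alice", least_privileged_role_for("approve_submission"))
    print(reviewer.role, sorted(blast_radius(reviewer)))
    print(perform(reviewer, "approve_submission", lambda: "submission approved"))
    print(session_cookie(reviewer))
```

With the reviewer holding the "approver" role, the worst a hijacked session can do is approve submissions; it cannot manage users or change site settings, which is the limit a Pen Test of the access controls would try to confirm.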
3. Multi Factor Authentication (MFA)
MFA is intended to mitigate single points of security failure and add an extra layer of protection for users. By adding a secondary method of authentication, such as an email or SMS verification token, a piece of physical hardware or an authenticator application, an attacker is less likely to be able to compromise an account should they obtain valid authentication credentials. In principle, MFA sounds like a no-brainer, and Microsoft themselves state that 99% of data breaches would not have occurred if it had been implemented instead of single-factor authentication.
Issues generally arise with the usability and implementation of MFA and this is where website Penetration Testing can really evaluate the effectiveness of your solution. As an example, Nettitude have found instances in the past where it is possible to completely bypass a custom implemented MFA solution by merely skipping ahead to the URL of the successful stage of the login process. Other issues can arise when users or developers rely on MFA instead of implementing strong passwords, as the majority of users are only likely to implement a strong password when told to do so. This can allow a lower barrier to entry and website penetration testing will evaluate your implemented password policy against industry standards and detail any improvements that can be implemented.
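The bypass described above works when the "login successful" handler trusts the fact that it was reached rather than checking server-side state. The following added example (written for this article, not Nettitude's or any vendor's code) keeps the login stage on the server and only issues a session once the second factor has been verified, so requesting the success URL out of order fails. It also applies a minimal password policy alongside MFA, since the article notes that MFA should not replace strong passwords. The user store, the secret, the policy values and the TOTP-style code check are all constructed for the example.

```python
import hashlib
import hmac
import secrets
import struct
import time
from enum import Enum, auto

MIN_PASSWORD_LENGTH = 12                      # constructed policy value
COMMON_PASSWORDS = {"password", "password123", "qwerty123456", "letmein"}  # constructed list


class Stage(Enum):
    ANONYMOUS = auto()
    PASSWORD_OK = auto()   # first factor done, second factor still pending
    MFA_OK = auto()        # both factors done; only now may a session be issued


def password_meets_policy(pw: str) -> bool:
    """Length floor plus a block list: MFA complements this, it does not replace it."""
    return len(pw) >= MIN_PASSWORD_LENGTH and pw.lower() not in COMMON_PASSWORDS


def hash_password(pw: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)


def make_user(username: str, password: str, totp_secret: bytes) -> dict:
    """Constructed in-memory user record; a real store would persist this."""
    if not password_meets_policy(password):
        raise ValueError("password does not meet policy")
    salt = secrets.token_bytes(16)
    return {username: {"salt": salt, "hash": hash_password(password, salt),
                       "totp_secret": totp_secret}}


def totp(secret: bytes, t: float, step: int = 30, digits: int = 6) -> str:
    """Time-based one-time code (HMAC-SHA1 over the time counter)."""
    counter = struct.pack(">Q", int(t // step))
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


class LoginFlow:
    """One user's login attempt. The stage lives here, on the server, so the
    client cannot advance it by visiting a later URL."""

    def __init__(self, users: dict):
        self.users = users
        self.stage = Stage.ANONYMOUS
        self.user = None
        self.mfa_failures = 0

    def submit_password(self, username: str, pw: str) -> bool:
        rec = self.users.get(username)
        if rec is None or not hmac.compare_digest(hash_password(pw, rec["salt"]), rec["hash"]):
            self.stage = Stage.ANONYMOUS
            return False
        self.user, self.stage = username, Stage.PASSWORD_OK
        return True

    def submit_mfa(self, code: str, now: float = None) -> bool:
        if self.stage is not Stage.PASSWORD_OK:
            return False                       # second factor only after the first
        now = time.time() if now is None else now
        secret = self.users[self.user]["totp_secret"]
        ok = any(hmac.compare_digest(code, totp(secret, now + d)) for d in (-30, 0, 30))
        if ok:
            self.stage = Stage.MFA_OK
            return True
        self.mfa_failures += 1
        if self.mfa_failures >= 5:             # constructed lockout threshold
            self.stage = Stage.ANONYMOUS
        return False

    def complete(self) -> dict:
        """Handler behind the 'success' URL: issues a session only if the
        server-side stage says both factors were verified."""
        if self.stage is not Stage.MFA_OK:
            raise PermissionError("second factor not completed")
        return {"user": self.user, "session": secrets.token_urlsafe(32)}
```

The point of the check in `complete()` is that it reads `self.stage`, which only `submit_mfa()` can move to `MFA_OK`; a test that jumps straight to the success page should receive the `PermissionError`, and a Pen Test of a custom MFA flow is largely an exercise in confirming that every post-login endpoint makes that same check.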
4. Web Application Firewalls (WAF) and Intrusion Prevention systems (IPS)
WAFs are widely used to mitigate common security threats such as SQL injection by analysing the syntactic input of a user. Should it match common malicious signatures, the HTTP request is dropped and exploitation is prevented. The significant issue here is that your website is relying on the effectiveness of your WAF, and could still have exploitable vulnerabilities built into its code. Should a malicious user ever bypass your WAF (and with techniques such as machine learning, some tools are extremely effective at this), then you have the potential for compromise. Penetration Testing can help in several ways:
- By whitelisting your Pen Testing company on the WAF, vulnerabilities can be identified within your web application and remediated, mitigating the risk should your WAF be bypassed.
- A thorough code review of your web application can be conducted in an effort to identify security risks prior to deployment.
- A Pen Test can try to bypass the WAF, in addition to trying to bypass security measures such as IP whitelisting or input filtering.
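To make the WAF point concrete, the following added example (written for this article, not Nettitude's code) shows the kind of defect a signature-based WAF is being asked to catch, beside the fix that removes it from the code so the WAF is no longer the only line of defence. It uses an in-memory SQLite table with constructed rows; the table layout and user names are assumptions for the example.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample table; rows are invented for the example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, display_name TEXT, is_active INTEGER)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "Alice", 1), ("o'brien", "Pat O'Brien", 1), ("mallory", "Mallory", 0)],
    )
    return conn


def find_user_concat(conn: sqlite3.Connection, username: str) -> list:
    """Vulnerable form: the user-supplied value is spliced into the SQL text,
    so a quote in the input changes the statement itself. This is the defect
    a WAF signature tries to spot in transit; here it fails even on a
    legitimate surname."""
    sql = f"SELECT display_name FROM users WHERE username = '{username}' AND is_active = 1"
    return [row[0] for row in conn.execute(sql)]


def find_user_param(conn: sqlite3.Connection, username: str) -> list:
    """Hardened form: the statement is fixed and the value is bound separately,
    so whatever the input contains is treated as data, not SQL."""
    sql = "SELECT display_name FROM users WHERE username = ? AND is_active = 1"
    return [row[0] for row in conn.execute(sql, (username,))]


if __name__ == "__main__":
    db = make_db()
    print(find_user_param(db, "alice"))      # ['Alice']
    print(find_user_param(db, "o'brien"))    # ["Pat O'Brien"]
    try:
        find_user_concat(db, "o'brien")
    except sqlite3.OperationalError as exc:
        print("concatenated query broke:", exc)
```

The concatenated version already fails on an ordinary apostrophe, which is the tell-tale a code review looks for; once every query is parameterised, the WAF becomes defence in depth rather than the control the site depends on.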
An IPS is an automated tool that is designed to identify, and stop, any attempted intrusion into your network. Part of the problem with an IPS can sometimes be the sheer scale of traffic, or the numerous paths allowed through a network, potentially bypassing the IPS altogether. False positives and false negatives can also become an issue with an IPS and as rules are relaxed to prevent any network performance issues, attacks can potentially bypass them. A website Penetration Test can test the implementation of an IPS, and also the use of logging and monitoring within a network. If you cannot fully observe the impact of a penetration test, a motivated attacker with infinitely more time is likely to be able to bypass it successfully.
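The observation that you should be able to see a penetration test in your logs is easy to check. The following added example (written for this article, not Nettitude's or any IPS vendor's code) runs a simple sliding-window detection over constructed web server access log lines in combined format: it flags any client that produces a burst of error responses, the pattern a credential-guessing run against a login page would leave. The log lines, addresses (documentation ranges) and thresholds are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log in combined format; the events are invented.
SAMPLE_LOG = """\
198.51.100.7 - - [10/Oct/2023:13:55:01 +0000] "GET / HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:03 +0000] "POST /wp-login.php HTTP/1.1" 401 312 "-" "python-requests/2.31"
203.0.113.5 - - [10/Oct/2023:13:55:05 +0000] "POST /wp-login.php HTTP/1.1" 401 312 "-" "python-requests/2.31"
198.51.100.7 - - [10/Oct/2023:13:55:06 +0000] "GET /about HTTP/1.1" 200 4011 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:08 +0000] "POST /wp-login.php HTTP/1.1" 401 312 "-" "python-requests/2.31"
203.0.113.5 - - [10/Oct/2023:13:55:11 +0000] "POST /wp-login.php HTTP/1.1" 401 312 "-" "python-requests/2.31"
198.51.100.7 - - [10/Oct/2023:13:55:12 +0000] "GET /missing HTTP/1.1" 404 198 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:14 +0000] "POST /wp-login.php HTTP/1.1" 401 312 "-" "python-requests/2.31"
203.0.113.5 - - [10/Oct/2023:13:55:17 +0000] "POST /wp-login.php HTTP/1.1" 401 312 "-" "python-requests/2.31"
198.51.100.7 - - [10/Oct/2023:13:59:40 +0000] "GET /contact HTTP/1.1" 200 2871 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line: str):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def flag_sources(lines, threshold: int = 5, window: timedelta = timedelta(seconds=60),
                 min_status: int = 400) -> dict:
    """Return {ip: peak_count} for every client that produced at least
    `threshold` responses with status >= `min_status` inside any single
    `window`-long sliding window."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["status"] >= min_status:
            by_ip[rec["ip"]].append(rec["ts"])

    flagged = {}
    for ip, stamps in by_ip.items():
        stamps.sort()
        start, peak = 0, 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:   # slide the window forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


if __name__ == "__main__":
    for ip, count in flag_sources(SAMPLE_LOG.splitlines()).items():
        print(f"ALERT {ip}: {count} error responses inside 60s")
```

If a test of the login page produces this pattern and nothing in your monitoring fires, that gap is as much a finding as any vulnerability in the application.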
5. Open Source Software Considerations
There are several open source solutions you can choose when planning to produce a website, and WordPress is the most popular. You may wonder whether it is necessary to conduct WordPress Penetration Testing, and the answer is usually yes. Using Open Source Software can reduce both development costs and deployment time, but also means that the code may be under greater scrutiny from attackers as it is public. This is a double-edged sword: while WordPress sites may be more targeted, it also allows security researchers to regularly review the official code for potential issues. A WordPress Pen Test can look for vulnerable plugins (the cause of over 50% of attacks made on WordPress websites) or themes in use and identify common misconfigurations, such as leaving the default admin account in place and not protecting it with MFA. Whilst your site may be purely informational in nature and not hold any form of PII, having an attacker potentially deface your corporate website should be reason enough to ensure that your chosen implementation is secure, and a WordPress Pen Test can offer some reassurance in this sense.
6. Regular Pen Testing
As previously mentioned when discussing the SSDLC, regular penetration testing can be a cost-effective way of identifying and remediating vulnerabilities during the development lifecycle. After your website has been published for the world to use, regular Pen Testing continues to offer assurance to both customers and third parties that your company takes security seriously and your website is less likely to be at risk from any malicious agents. Furthermore, in 2017, over 14,500 vulnerabilities were published and in 2018, there were over 16,400. As security researchers continue to find vulnerabilities at a startling rate, regular website Pen Testing can identify unpatched or vulnerable software before it is exploited by an attacker.
In some cases, Nettitude Security Consultants have identified CVEs in other vendors’ products during an engagement, showing that vulnerability scanning that relies on known vulnerabilities is not a replacement for a good penetration test. One further point to consider is that a penetration test is a point-in-time engagement: should a CVE for a piece of software you use be released the day after your penetration test is completed, it won’t be in your report. The implementation of a good software patch management strategy is as vital as a penetration test itself, and this is something that is often highlighted, and can be advised upon, during the course of a website Penetration Test.
So Who Should Conduct my Pen Test?
Can I just Google “Pen Test website” or “WordPress Pen Test online” and go with the cheapest? You could, but anyone with a computer and an internet connection could potentially be moonlighting as a penetration testing company, even attackers. To ensure your website Penetration Test is conducted by a reputable company, you can view the suppliers supported by the organisation CREST. CREST is an international not-for-profit accreditation and certification body that offers assurance when looking for a company to provide your testing. All CREST registered companies, such as LRQA Nettitude, have supplied evidence that their security consultants are professional, highly skilled and technically proficient. They also have policies and procedures in place to ensure that your data will be protected at all times, that a technical methodology will be followed, and that you will be supplied with a highly technical report detailing the remediation methods required to secure your website.
Find out more about how to secure your web application with Penetration Testing