By Adam Jeffreys | Managing Principal Security Consultant
Applications can come in all shapes and sizes. We use them every day when we browse the web and we may have hundreds on our phones, but they all have one thing in common; if they can be interacted with, they are potentially a target.
Just how targeted and by whom is going to be dependent on many factors such as whether the app is available publicly, as well as what sector your organisation works in. The combination of factors such as these will make your applications more or less likely to be targeted by specific threat groups, e.g. a disgruntled employee or organised crime. Understanding where your threat comes from is important for your business and typically all applications, even those such as a third-party hosted WordPress site, will likely have one or more associated threat groups. To stay proactive with security, application penetration testing can be used to identify vulnerabilities in your applications, determine likely threat groups, and help you understand your current risk.
If you are reading this, then you may already be familiar with app penetration testing as a recommendation for your business. This post will discuss the types of testing there are, what may be suitable for your specific situation and what the app pen testing service is at its core.
What options are there?
There are several different types of app penetration testing and deciding which one will be suitable for your application will depend on how it’s accessed and how it has been built. Typically, there are three common types of app pen testing which apply to the vast majority of situations.
Web Penetration Testing
Web application penetration testing follows a methodology suitable for evaluating vulnerabilities in applications utilising web technologies. If your application is accessible by a browser, this will likely be the type of testing appropriate for your situation. Web app penetration testing has been around for many years and has had extensive standards created to ensure a robust testing methodology is followed; this includes but is not limited to the Application Security Verification Standard designed by OWASP (Open Web Application Security Project).
Mobile App Penetration Testing
Mobile apps may seem similar in some respects. The use of certain technologies, such as an API, will often mean that most elements of the web application penetration testing methodology are still followed. However, the key difference is the way in which the application is accessed, which in this case, will be via an app installed on a mobile device. This slight difference opens up a whole new attack-surface for an attacker to explore so, as such, it’s important that it too is thoroughly evaluated for vulnerabilities and ultimately risks to the organisation and stakeholders. While this type of testing has not been around for as long as web penetration testing, it too has a well-established methodology, built to meet standards such as the OWASP Mobile Application Security Verification Standard (MASVS).
Thick Client Penetration Testing
Thick client applications are similar to mobile applications in the sense that they are typically installed on the device rather than accessed through your browser. However, instead of a mobile phone or tablet, the device will normally be a workstation or a server. Thick client applications come in many forms and depending on how they are built, the methodology can be somewhat different. Some, for example, may make use of an API in a similar fashion to a mobile app, however, not all will and so the approach taken to test these applications must be tailored to the situation. However, in all situations, the secure handling of data and all attack surfaces introduced by the thick client are evaluated for vulnerabilities.
How does this relate to your application?
Bringing this all back to the first topic we discussed, understanding your threat group can help you identify what approach to take with the testing you want performed. You may already know the type of testing you are after, but how should you go about it?
Broadly there are three main ways you can approach testing, unauthenticated (credentials aren’t provided), authenticated (credentials are provided) or providing the entire source code, each providing more in-depth testing respectively. However, with the increased attack surface to review, so too increases the time required to complete testing under the approach. Budget will of course be one factor to consider here, but it is also important to keep in mind your threat groups.
A simplistic example of this could be a web application which is not particularly sensitive and only accessible from within your corporate network by a few highly trusted administrators. Here, the approach to testing you may want to consider could be unauthenticated, as the main threat group would not be from the administrators themselves, but from the other domain users in your organisation who do not have an account.
Where you are not sure of the type of test or the approach to take, Nettitude can help you to determine what would be right for your specific situation.
Why is it important?
Application penetration testing is an important proactive measure which has a well-established methodology developed over many years from experts in the field. It is not uncommon that applications can end up publicly facing or targeted by a threat group which has not been considered; unfortunately, we hear about such cases in the news fairly regularly. The landscape as it is, has changed quite dramatically over recent years, with attackers becoming highly skilled and with greater access to resources. To add to this pressure, the responsibility for the secure handling of user data is becoming increasingly enforced with legislation, such as GDPR (General Data Protection Regulation) and CCPA (California Consumer Privacy Act). With all of this in mind, staying proactive in the approach to security has never been more important.
For more information, please don't hesitate to reach out to your local Nettitude team.