Companies that identify and remediate software vulnerabilities early and often will generate software maintenance savings that reduce overall development costs.
The overall goal of an application penetration test is to uncover software vulnerabilities, demonstrate the impact of the weaknesses, and provide recommendations for mitigation. During a penetration test, Praetorian has two primary objectives: obtaining unauthorized access and/or retrieving sensitive information.
In this way, a Praetorian application security assessment provides a detailed and in-depth security analysis of an organization's critical applications.
Typical penetration tests include the following types of software platforms:
Vulnerabilities and compensating controls are categorized into the areas of configuration management, authentication and authorization, user and session management, data validation, error and exception handling, and data confidentiality. Using open source, proprietary, and commercial tools, Praetorian identifies both common and application-specific vulnerabilities. While our penetration tests do leverage automated scans, the majority of testing is performed through manual techniques, since many application vulnerabilities hinge on logical and semantic flaws which, unlike syntactic bugs, are difficult to identify using automated analysis.
Application testing begins with network and operating system security tests to verify that the underlying platforms are configured securely. After performing initial platform testing, the penetration test shifts its focus to the application layer, which requires significant attention and comprises the majority of the engagement. Praetorian will first assume the role of an anonymous attacker who does not have valid credentials to the application.
If credentials are provided and authenticated testing is in scope, consultants will authenticate to the application using the roles of normal users to determine whether valid users can exploit vulnerabilities to gain access to the underlying infrastructure or to information the user is not authorized to access. For role-based systems, testing is conducted across all user roles. This not only ensures coverage across the entire application, but also allows in-depth testing of complicated authorization controls. For these reasons, Praetorian will typically request two user accounts per role. For example, Praetorian will test a user's ability to access another user's information within the same role (horizontal privilege escalation) as well as a user's ability to access another user's information at a higher role (vertical privilege escalation).
As vulnerabilities are discovered, Praetorian will exploit them in an attempt to achieve the primary objectives. Using commercial, open source, and proprietary tools, Praetorian implements a structured testing methodology to make the application assessment as efficient as possible.
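The two-accounts-per-role approach described above can be expressed as a small authorization-matrix audit. The following is an added example, not Praetorian's tooling: it uses constructed sample accounts (alice, bob, carol, dave), a hypothetical intended policy, and a hypothetical flawed check that compares role levels but ignores object ownership, and it classifies every grant the policy forbids as horizontal or vertical.

```python
from dataclasses import dataclass
from itertools import product
from typing import Callable

# Constructed sample accounts: two per role, as the methodology above requests.
ROLE_LEVEL = {"user": 1, "admin": 2}          # higher level = more privilege
ACCOUNTS = {"alice": "user", "bob": "user", "carol": "admin", "dave": "admin"}


@dataclass(frozen=True)
class Finding:
    kind: str    # "horizontal" (same role) or "vertical" (lower role reaching higher)
    actor: str   # account that gained access
    target: str  # account whose profile was exposed


def policy_allows(actor: str, target: str) -> bool:
    """Hypothetical intended rule: users may read only their own profile;
    admins may read anyone's. This is also the hardened (ownership-first) check."""
    return actor == target or ACCOUNTS[actor] == "admin"


def role_only_authorize(actor: str, target: str) -> bool:
    """Hypothetical flawed check: compares role levels but never looks at
    object ownership, so any user can read any same-role user's profile."""
    return ROLE_LEVEL[ACCOUNTS[actor]] >= ROLE_LEVEL[ACCOUNTS[target]]


def audit_authorization_matrix(authorize: Callable[[str, str], bool]) -> list[Finding]:
    """Exercise every account against every other account's profile and
    record each grant the application makes that the policy forbids."""
    findings = []
    for actor, target in product(ACCOUNTS, repeat=2):
        if actor == target or policy_allows(actor, target):
            continue                      # own profile or legitimately allowed
        if not authorize(actor, target):
            continue                      # correctly denied
        actor_lvl = ROLE_LEVEL[ACCOUNTS[actor]]
        target_lvl = ROLE_LEVEL[ACCOUNTS[target]]
        kind = "vertical" if actor_lvl < target_lvl else "horizontal"
        findings.append(Finding(kind, actor, target))
    return findings


if __name__ == "__main__":
    for name, check in [("role-only", role_only_authorize), ("ownership", policy_allows)]:
        print(name, audit_authorization_matrix(check))
```

Note that the role-only check passes every vertical test and only fails the horizontal ones, which is exactly the class of flaw that a single account per role would never surface.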
How much does an application penetration test cost?
The cost depends on the size and complexity of the application and the level of rigor with which testing is to be performed. This is determined through pre-sale client discussions and scoping questionnaires. The price of an engagement will be delivered as a fixed-bid quote.
How is size and complexity determined?
Size and complexity are determined through a number of standard metrics such as the number of dynamic pages, APIs exposed, and user roles. In addition, the complexity of the underlying technologies is examined when determining the level of effort.
How do level of rigor, price, and quality relate to one another?
Level of rigor, price, and quality are all directly proportional to one another. For those only requiring a security baseline, automated dynamic analysis tools can identify low-hanging fruit at an attractive price point. For companies with additional budget and those who assign additional weight to the quality of inspection, a hybrid approach combining automated analysis and manual testing is often employed in order to identify additional vulnerabilities. For companies who sell 1) enterprise software products, 2) software products which have considerable exposure, or 3) software products which are considered mission critical, heavy manual testing will be leveraged. Please refer to the graph in our methodology section, which illustrates vulnerabilities discovered vs. level of rigor.
How long does an application penetration test take to complete?
The time to completion depends on the size and complexity of the application and the level of rigor with which testing is performed. A small application with a low level of testing rigor can be completed in a few days. For large applications which require a high level of testing rigor, dynamic analysis can take two to four weeks. On average, the typical duration of a web application penetration test is one week. On average, the typical duration for stand-alone and enterprise products is two weeks.