Application Penetration Testing
Modern-day application penetration testing (or pentesting) spans from traditional web and mobile app penetration testing to emerging IoT and blockchain penetration testing.
Application Penetration Testing Market
Application penetration testing is a descendant of the Ethical Hacking industry that emerged in late nineties. Both aimed to detect security vulnerabilities and verify security, integrity and availability of computer systems, they considerably differ. At the nostalgic epoch of Ethical Hacking, organizations were merely curious whether and how quickly their IT bastions can get hacked, oftentimes taking the findings with humor and carelessness. Very few penetration testing methodologies or security certifications existed at this point of time, triggering some confusion around the nature of the service.
Want to have an in-depth understanding of all modern aspects of Application Penetration Testing. Read carefully this article and bookmark it to get back later, we regularly update this page.
A steadily growing penetration testing industry of a modern-day is, however, tremendously dissimilar, forming a multi-billion USD market of a mature structure according to numerous researches conducted by Gartner, Forrester and IDC in 2019 and 2020.
Differently from network penetration test, the application penetration test is mostly focused on the Application Layer of TCP/IP model. Within the context of application pentesting, this layer includes:
- All types of websites (e.g. opensource CMS such as WordPress or proprietary MS SharePoint)
- All types of web applications including e-commerce, e-banking and e-voting applications
- All types of web application residing in the cloud, or provided as a SaaS or PaaS
- All types of HTTP-based web services, microservices, REST and SOAP APIs
- All types of mobile applications, including e-payment and fintech apps
- All types of HTTP-based IoT applications and microservices
- Distributed applications (blockchain) and smart contracts
Application penetration test has a multitude of important features and distinguishing properties that we will elaborate below in ample details.
Application Penetration Testing Explained
Contrasted to web vulnerability scanning or automated application security testing, application penetration test implies intensive human testing and skillful labor. Modern web and mobile applications contain a great wealth of intricate security and privacy vulnerabilities that cannot be detected with an automated vulnerability scanner. Some require a complicated Web Application Firewall (WAF) bypass or a sophisticated combination of several vulnerabilities to get the Crown Jewels. Others are simply so deeply intertwined with innate business logic that no machine or software can ever comprehend it. Consequentially, application penetration testing is not cheap, however, the outcomes definitely worth the investment if planned and executed correctly.
To commence a first stage of penetration test, many penetration testers usually rely on a wide spectrum of application penetration testing tools, from opensource Nikto or WPScan to more sophisticated paid version of Burp Suite, Acunetix or Netsparker.
At ImmuniWeb, we provide a free website security test that includes fingerprints of over 200 most popular web-based CMS and frameworks including WordPress, Drupal and Joomla, and over 150,000 their plugins, themes and extensions that often contain critical security vulnerabilities.
For mobile app penetration testers, we also prove a free mobile app scanner tailored to quickly detect OWASP Mobile Top 10 in iOS and Android apps, hybrid and native ones. The human layer on top of the automated vulnerability scanning provides an indispensable gradient of in-depth and threat-aware security auditing indispensable for in-depth, threat-aware and risk-based security testing.
Manual application penetration testing equally provides such invaluable benefits as detailed remediation guidelines adopted for a particular organization, its internal processes and Software Development Lifecycle (SDLC). Furthermore, juxtaposed to automated application security scanning, penetration testing commonly has no false-positives and virtually no false-negatives condition to appropriately selected methodology and scope of the penetration test.
At the end of application penetration test, a detailed report is delivered to customer. This report gradually explains the methodologies and scope of the penetration test, itemizes detected security flaws and privacy issues, and then suggests viable recommendations for developers. At ImmuniWeb, on top of this, we provide unlimited patch verification tests to ascertain that the integrity of findings has been properly resolved.
Application Penetration Testing Goals
Business executives and risk professionals may reasonably question about the ultimate goals of application penetration testing, and notably how to transform them into some palpable value for organizations from a financial prospective.
A properly planned and executed penetration test brings:
- Assurance of Integrity and Compliance – it is pivotal to verify that your data is properly protected to ensure a well-informed decision-making process and budgeting. Most of the enacted data protection laws and regulations likewise impose regular penetration testing by independent third parties.
- Cyber Risk Reduction – skyrocketing data breaches oftentimes happen because of careless or negligent cybersecurity management, ignorance of novel risks, threats and vulnerabilities.
- Legal and Financial Liability Decrease – Western courts, both in Common and Civil law systems, consider such precautions as penetration testing and related processes when assessing penalties in data breach litigation, now spanning from penny individual complaints to multi-billion class action lawsuits.
- Cyber Insurance Reduction – currently trendy cybersecurity insurances scrutinize your penetration testing processes when evaluation your eligibility to get coverage in case of a security incident, data breach or leak.
- Cybersecurity Strategy Verification – penetration test is tenable and empiric manner to ascertain that the money you invest into your corporate cybersecurity and compliance strategies are spent efficiently and effectively, generating tangible value for the shareholders.
That is to say, continuous penetration testing in 2020 shall definitely be regarded thought the prism of a sustainable investment and not a cost.
Application Penetration Testing Scope
Definition of a pentest scope is crucial to ensure eventual success of the penetration test. Countless organizations are hacked every month because of incomplete or wrongly prioritized scope of testing. You cannot protect what you don’t know, however, shrewd attackers are well proficient to leverage passive and active reconnaissance techniques and OSINT (Open Source Intelligence) to ferret out forgotten, abandoned or test systems left without protection. Such shadow and legacy systems are a low-hanging fruit for cybercriminals.
Holistic visibility of your digital and IT assets exposed to the Internet is paramount prior to commencing application penetration testing.
At ImmuniWeb, we offer Attack Surface Management (ASM) service to illuminate your external attack surface and enable a well-informed, threat-aware and risk-based application penetration testing, proportional to your needs, existing risks and available budget.
Furthermore, we deliver actionable security ratings for your web applications, APIs and mobile apps so you can effortlessly prioritize your testing in a simple, coherent and predictable manner.
Application Penetration Testing Vulnerabilities
Traditionally, OWASP Top 10 is a de facto standard for web application penetration testing, encompassing the following classes of web application vulnerabilities:
- Broken Authentication
- Sensitive Data Exposure
- XML External Entities (XXE)
- Broken Access Control
- Security Misconfiguration
- Cross-Site Scripting (XSS)
- Insecure Deserialization
- Using Components with Known Vulns
- Insufficient Logging & Monitoring
At ImmuniWeb, we go far beyond foundational OWASP Top 10, and cover SANS Top 25 and PCI DSS 6.5.1 – 6.5.10 items by combining our award-wining AI technology with scalable and rapid manual penetration testing.
Importantly, we also meticulously perform all tests and security checks from OWASP Testing Guide (OTGv4) and OWASP API Top 10.
Mobile applications have a similar ranking by OWASP Mobile Top 10 project. It is commonly used for mobile application penetration testing of iOS and Android apps, purported to detect the following categories of mobile security weaknesses:
- Improper Platform Usage
- Insecure Data Storage
- Insecure Communication
- Insecure Authentication
- Insufficient Cryptography
- Insecure Authorization
- Client Code Quality
- Code Tampering
- Reverse Engineering
- Extraneous Functionality
Human element of application penetration testing ensures that the most untrivial combinations and variations of the aforementioned security and privacy issues will be spotted.
Application Penetration Testing Methodologies
Traditional network penetration testing methodologies, also applicable to application penetration testing, can be depicted by the following:
- White Box Penetration Testing – the attackers have virtually unlimited access to the tested systems, including source code and documentation.
- Grey Box Penetration Testing – the attackers have a restrained access to the tested systems, usually no source code is available.
- Black Box Penetration Testing – the attackers have no technical information about the targeted systems whatsoever, generally just a company name and expected outcomes (e.g. take control over ERP system) are provided as an input.
White box probably provides the most comprehensive security review, however, is predictably time-consuming and hence expensive. Black box is the closest one to reality, supplying actionable outcomes as if true cybercriminals are proof testing their malicious skills. Grey box lays somewhere in between, and statistically, is probably the most suitable and harmonized approach for most of use cases.
Similarly, application penetration testing can be internal or external. The internal one implies that the penetration testers are located at the premises of their client to access internal web applications and pre-production web systems.
To reduce the associated costs, at ImmuniWeb we offer our customers a Virtual Application (VA) technology to securely test their internal web applications and APIs from remote.
Recent development of penetration testing industry brings some innovative approaches to application penetration testing techniques. Given the growing complexity and variability of modern threat landscape, it is essential to elaborate a risk-based testing approach, covering specific threat actors and intrusion techniques. For the purposes of such threat-aware penetration testing, Red Team is formed of several skilled penetration testers. Their core mission is to develop and deploy a well-though intrusion scenario that a specific group of cybercriminals will likely try in case of a targeted attack or Advanced Persistent Threat (APT). Contrariwise, Blue Team is composed of security analysts in charge of detecting and stopping intrusions in real time. When the latter is uninformed about upcoming activities of the Red Team, such methodology is sometimes called double-blind penetration testing. This type of testing helps better understand whether organization is ready to apprehend foreseeable cyber-attacks in timely, efficient and effective manner.
You can specify any threat-aware or risk-specific testing scenario directly on ImmuniWeb AI Platform when creating a new penetration testing project.
Application Penetration Testing Standards and Frameworks
Nowadays, application penetration testing usually includes several standards and frameworks, ranging from open source OSTTM (Open Source Security Testing Methodology Manual) to industry-specific ones such as PCI DSS penetration testing guidelines.
Most of them overlap or contain similar provisions described in a semantically different manner. Therefore, there is no compelling need to converge and aggregate all available standards, instead, combining a couple of them in a coherent, consistent and adequate manner is predisposing to ensure holistic testing and comprehensive vulnerability coverage.
At ImmuniWeb, we leverage the following international standards and recognized pentesting frameworks to ensure the highest quality of our application penetration testing:
- OWASP Testing Guide (OTGv4)
- NIST SP 800-115 Technical Guide to Information Security Testing and Assessment
- PCI DSS Information Supplement: Penetration Testing Guidance
- FedRAMP Penetration Test Guidance
- ISACA’s How to Audit GDPR
Keep in mind, however, that from a practical viewpoint, application penetration testing standard is not that decisive as its coherent and comprehensive execution.
For these reasons, at ImmuniWeb, we also develop and continuously improve our own AI-driven methodologies of penetration testing tailored to rapidly detect what human may omit or overlook.
Application Penetration Testing Stages
Predictability and consistency lay amid the foundational principles of application penetration test. Coherent execution of a penetration test can substantially add value to the deliverables and distill the noise from the crux.
Pentesting companies usually adhere to the following consequence of testing:
- Planning and Threat Modeling – planning is essential to ensure value creation by a penetration test. Risk-based and threat-aware testing scenarios of business-critical applications are designed to bring actionable reports tailored for genuine business needs.
- Information Gartering and Reconnaissance – once an attack scenario is prepared, penetration testers launch their automated tools and utilities to obtain as much information about the target as permitted within the scope. Usual restrictions lay within social engineering or physical intervention into organizational premises.
- Automated Vulnerability Scanning and Testing – scoping of the perimeter is normally followed by an automated scanning and fuzzing of target systems and applications for known security vulnerabilities and misconfigurations.
- Manual Exploitation and Exploit Development – once all the vulnerabilities and security flaws detectable by vulnerability scanners are found, penetration testers start expanding the vertical and horizontal scope of testing and pursue manual exploitation of the findings.
- Remediation Guidelines Preparation – is one of the most time-consuming stages given that the penetration test report shall be readable and easily-consumable by cybersecurity executives, software developers and security analysts on the client side, and bring simple and straightforward instructions on vulnerability remediation.
- Remediation and Verification – the last stage is placed within the purview of the client, who is required to address the findings, ensure that recommendations have been properly implemented and documented for compliance and internal coordination purposes.
At ImmuniWeb, we greatly simplify and accelerate the aforementioned stages by leveraging our award-winning AI and Machine Learning technologies for intelligent automation of application penetration testing.
With ImmuniWeb Discovery you can get a helicopter view of your external attack surface with attributable threats and scored risks for a well-informed penetration testing.
Furthermore, at ImmuniWeb, simple and medium complexity testing tasks are intelligently automated by AI and deep learning algorithms, preserving their highest reliability and quality, and resultingly delivering an unbeatable price/quality ratio to our clientele compared to traditional application penetration testing.
ImmuniWeb AI Platform likewise offer full stack of DevSecOps and CI/CD integrations, enabling software developers to seamlessly export vulnerability data into their bug tracking systems or Jira. Moreover, our technology alliances with have with F5, Imperva, Fortinet, Barracuda and many other leading WAF providers enable our clients to deploy a reliable virtual patching of any vulnerability in just one click. Finally, we offer unlimited patch verification assessments at no additional cost to enable our clients and partners to ascertain whether the integrity of findings has been unfailingly fixed.
Application Penetration Testing Tools
A mushrooming multitude of free and commercial pentesting tools are available on the Internet. To help pentesting community better understand, evaluate and measure application security risks, at ImmuniWeb we offer the following free tools within ImmuniWeb Community edition:
- Website Security Test – free pentest tool to check all known security vulnerabilities from over 200 CMS and web frameworks, verify website PCI DSS and GDPR compliance.
- Mobile App Security Test – free pentest tool to scan (SAST/DAST) your iOS or Android application for OWASP Mobile Top 10 and other security, privacy and encryption issues.
- SSL Security Test – free pentest tool to audit your SSL/TLS encryption for cryptographic and implementation vulnerabilities or weaknesses, and validate whether it is compliant with NIST and HIPAA guidelines.
These free pentesting tools are, however, fairly foundational and require substantial augmentation with human intelligence and more in-depth testing for the purpose of application penetration test.
Application Penetration Testing and DevSecOps
Traditional penetration testing was primarily oriented for security personnel of a client. At ImmuniWeb, we are firmly committed to deliver value and excellence in accordance with DevSecOps model to all interested parties at our client side.
We offer a continuously growing variety of integrations and data export capacities with most popular bug trackers, CI/CD and SDLC tools. Furthermore, our technology partnerships with the world-leading Web Application Firewall companies, enable our clients to deploy a robust virtual patching with just one click.
On top of this, our remediation guidelines are always tailored for software developers and product architects, providing straightforward descriptions of the detected issues and actionable remediation guidelines. Last but not least, unlimited patch verification assessments are available upon completion of a penetration test at no additional cost.
Application Penetration Testing Certifications
Frequently, it is not a trivial task to evaluate someone’s penetration testing aptitude, skills and experience. Therefore, some organizations rely on mushrooming variety of penetration testing certifications when hiring security professionals.
The most prominent pentesting certifications in 2020 are:
- GIAC Penetration Tester (GPEN) by GIAC
- GIAC Web Application Penetration Tester (GWAPT) by GIAC
- GIAC Exploit Researcher and Advanced Penetration Tester (GXPN) by GIAC
- Certified Web Application Tester (CWAT) by CREST
- Certified Simulated Attack Specialist (CSAS) by CREST
- Offensive Security Certified Professional (OSCP) by Offensive Security
- Certified Mobile and Web Application Penetration Tester (CMWAPT) by IACRB
- Certified Red Team Operations Professional (CRTOP) by IACRB
- Certified Expert Penetration Tester (CEPT) by IACRB
- Licensed Penetration Tester (LPT) Master by EC-Council
- Certified Ethical Hacker (CEH) by EC-Council
- CompTIA PenTest+ by CompTIA
It would be fundamentally inaccurate to hypothesize that penetration testing certificates always reflect someone’s practical knowledge. Certainly, they bring indisputable value, however, keep in mind that some of the very best White Hat hackers never got a certificate in the domain but rather teach newcomers at universities, online courses and cybersecurity conferences such as Black Hat or Defcon.
Thus, when evaluating your next penetration testing candidate, consider the integrity of his or her skills, experience and most importantly candidate’s capacity to perceive business priorities and create value and harmony in your team.
Application Penetration Testing Pricing
Pricing for application penetration testing greatly varies among service providers. In 2020, penetration testing companies based in capitals of well-developed Western countries bill somewhere between $1800 to $3000 for a man-day of classic penetration test. Less developed areas in the US and Western Europe usually offer a more competitive rate spanning from $1200 to $1800 per man-day of testing and reporting.
Whilst in some developing countries prices may be comparatively lower, the quality, integrity and customer data protection are frequently impacted by price dumping tactics. For these reasons, it is advised to select penetration testing providers with ISO 27001 certification, CREST accreditation and a valid traction in the industry.
The final price of a penetration test stems from overall project complexity, duration and special requirements. Usually the longer a project lasts, the more generous discount will be available. Occasionally, discounts for recurrent customers may play a non-neglectable role.
At ImmuniWeb, we leverage our award-winning AI technology for intelligent automation of simple, routine and repetitive application penetration testing tasks and processes.
While highly complicated ones, that truly deserve human wisdom and ingenuity, are escalated to our certified penetration testers. Practical usage of Machine Learning and AI algorithms considerably reduces the required amount human time, provides unbeatable price and ensures highest quality and reliability of testing.
Application Penetration Testing Compliance
Nowadays, the aggrandizing spectrum of data protection laws and regulations unequivocally imposes or implies regular penetration testing for web and mobile applications.
For example, New York, the financial capital of the world, developed NYCRR 500 state law, expressly imposing obligatory application penetration testing. Developed by the New York State Department of Financial Services (NYSDFS), the NYCRR 500 is a set of regulations on financial institutions and insurance companies based in, or licensed to operate, in the state of New York. Violations of the law may trigger harsh financial penalties and other legal ramifications available under New York state law.
Therefore, in 2020, application penetration testing is not just a matter of best practice or corporate perception of digital risks but an absolutely requisite business process of a continuous and consistent nature.