A penetration test is an authorized and proactive attempt to evaluate the security of an IT infrastructure by safely attempting to exploit system vulnerabilities, including OS, service and application flaws, and improper configurations.
Cyber-attacks were initially mass attacks aimed at “freezing” large numbers of computers. Today, they have evolved into targeted attacks with financial motives. Some of the most prominent among them, listed below, focus on manipulating applications and stealing or tampering with confidential data.
Injection – It can be present when your web application sends user-supplied data to other applications such as a database, LDAP etc. It can be used to access unauthorized data or to take over the remote application.
Broken authentication & session management – Applications running over HTTP make extensive use of sessions & cookies to maintain state. The “Session Id” is usually stored in a cookie or in the URL, from where it can be stolen.
Cross site scripting (XSS) – Sites must sanitize user-submitted input before displaying it in comment threads, web forms etc. Properly escaping data is essential before displaying it on web pages.
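The injection and XSS items above can be checked side by side in a few lines. This is an added example, not code from the original article: the table, function names and probe strings are constructed for illustration, and it pairs each weak form with the hardened form a tester would expect to find.

```python
import html
import sqlite3

def make_db():
    """Constructed sample data: an in-memory table of users and private notes."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, note TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "alice-private"), ("bob", "bob-private")])
    return db

def find_user_concat(db, name):
    # Weak form: the input is pasted into the SQL text, so quote characters
    # in it are parsed as SQL syntax instead of as data.
    sql = "SELECT name, note FROM users WHERE name = '" + name + "'"
    return db.execute(sql).fetchall()

def find_user_param(db, name):
    # Hardened form: the value travels separately from the statement and is
    # only ever compared as a string.
    return db.execute("SELECT name, note FROM users WHERE name = ?",
                      (name,)).fetchall()

def render_comment_raw(comment):
    # Weak form: markup in the comment reaches the browser as markup.
    return "<p>" + comment + "</p>"

def render_comment_escaped(comment):
    # Hardened form: <, >, & and quotes become HTML entities before output.
    return "<p>" + html.escape(comment, quote=True) + "</p>"

# Constructed inputs a tester would submit to check both defences.
SQL_PROBE = "nobody' OR '1'='1"
XSS_PROBE = "<script>alert(1)</script>"

def run_checks():
    db = make_db()
    return {
        "concat_rows": len(find_user_concat(db, SQL_PROBE)),
        "param_rows": len(find_user_param(db, SQL_PROBE)),
        "raw_html": render_comment_raw(XSS_PROBE),
        "escaped_html": render_comment_escaped(XSS_PROBE),
    }

if __name__ == "__main__":
    for key, value in run_checks().items():
        print(f"{key}: {value}")
```

The concatenated query returns every row for a name that does not exist, while the parameterized query returns none; the escaped comment is rendered as visible text rather than as a script element.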
Why Are These Attacks Increasing?
New application delivery models and platforms (e.g. cloud and mobile) and technologies (RIAs) pose new security risks, since application security technologies and processes have not yet matured for them.
These include a wide array of services (email, database, productivity, collaboration etc.) offered over the cloud, multiple mobile ecosystems (iOS, Android, Windows, Blackberry, Symbian, Java etc.), mobile-optimized sites, third-party plugins etc. With the increasing penetration of internet connections and smartphones, publicly listed and private organizations, governments, technology start-ups etc. have a new strategic channel to drive revenue and customer acquisition by providing services to citizens and users more conveniently and around the clock.
Digitization plays an increasingly important role as companies’ operations grow, and vulnerability to data theft, leakage of intellectual property and similar attacks is growing at a rapid rate.
OWASP (Open Web Application Security Project) is an online community including corporations, educational organizations and individuals around the world dedicated to web application security. Its mission is to help organizations and individuals to make informed decisions about software security risks.
OWASP frequently creates freely available articles, methodologies, documentation, tools and technologies. The OWASP Top 10 project publishes a list of vulnerabilities to raise awareness about application security by identifying critical risks faced by organizations. It acts as a reference for books, security tools and organizations including MITRE, CERT, PCI DSS etc. The list of top 10 issues, categorized under A1 to A10, is different for web applications, mobile applications and IoT (Internet of Things), as the ecosystem is entirely different for each of them.
Ways to Counter These Threats:
Conducting a penetration test on newly built applications is an effective way to counter the ill effects of such security threats. Applications which are already live also require regular checks.
Global players like Google, Facebook, Microsoft, Amazon, eBay, Twitter, Mozilla etc. operate multiple websites which have a significant user base (counted in millions and billions) and contribute billions in revenue. The applications are developed in languages like Java, .Net, open source technologies (PHP, Python, Ruby, Perl etc.), Flash etc. Over time, new versions are rolled out with additional features; however, a few security vulnerabilities often remain undetected and can be exploited by malicious minds.
A few organizations (Google, Facebook, Microsoft) run their own bug bounty programs, which give security enthusiasts and security research firms across the world a way to report vulnerabilities in live applications.
ZDI (Zero Day Initiative) is another such program, used by many organizations to identify security threats present in their applications, browsers, operating systems etc. Mozilla, Google Chrome, Microsoft, HP, Cisco, Adobe etc. frequently run such programs. Sometimes shortcomings are identified in the implementation of internet standards and protocols (e.g. SSL, TLS); these are also reported over time so that they can be fixed at the earliest. Heartbleed (CVE-2014-0160), Shell-shock (CVE-2014-6277) and Poodle (CVE-2014-3566) are some of the well-known vulnerabilities identified in 2014 affecting multiple websites.
When any such vulnerability with significant impact is identified, it is recorded with a CVE (Common Vulnerabilities and Exposures) identifier. Each CVE identifier is assessed to establish a measure of the risk that the vulnerability poses compared to other vulnerabilities, and a score is arrived at ranging from 0 to 10, with 10 being the highest. CVSS (Common Vulnerability Scoring System) is a free and open industry standard for assessing the severity of computer system security vulnerabilities.
The damage such events can cause threatens a company’s profits, reputation, brand, competitive positioning etc. and is potentially vast, yet many companies remain underprepared.
Benefits achieved from conducting a penetration test:
Manage vulnerabilities intelligently
Comply with regulatory requirements and avoid fines
Preserve corporate image and customer loyalty
Avoid the cost of network downtime
The approach of our expert team at V2Solutions is to focus on technical security testing, which includes adherence to systems, secure architecture and design, coding and operational standards. For more information on our technical solutions, you can visit: https://www.v2solutions.com/engineering/#testing