Ever heard of “the calm before the storm”?
It’s that oddly quiet stillness when you’re walking home or heading for work, a few minutes where everything seems at peace and nothing seems to happen. Of course, it’s actually a signal that the forces of darkness are gathering momentum – and something bad IS about to happen.
That’s why among cybersecurity experts, a calm and uneventful IT infrastructure is the last thing they want. “Nothing happening here” is not a positive statement – because today’s business networks, with their petabytes of data flowing between data centres, applications, and people, are never calm and quiet.
So to keep you prepared for stormy weather, many Managed Services Providers (like Strypes) offer penetration testing, or “pentesting” for short. Deliberate prodding and probing of your IT setup, keeping it alert and on guard, ready to deal with actual attacks more effectively. Such cybersecurity awareness gives you the information you need to close gaps and patch problems … in a process of continuous improvement.
Of course, with technology, the internet, and attack vectors evolving all the time, the job is never done – meaning pentesting is a process, not a product. It’s one of two key cybersecurity services Strypes offers to keep your infrastructure humming along smoothly. With that in mind, let’s explore how Strypes does it, as part of your ongoing software development processes – starting with a definition of what differentiates it from other approaches.
Pentesting defined: white hats to defeat the black ones
It’s no fun being hacked – but for many IT security experts, pentesting is a fun part of their job. Because it involves acting like a hacker, seeking to compromise the client’s systems and applications. Think of it as IT services cosplay.
It’s important to do this ethical hacking because it simulates how issues arise in the real world. Imagine you’re an athlete training for a soccer match: if you want to win the World Cup, it’s no good kicking the ball at an empty goal. You want actual match conditions, with other players surrounding you, each one looking for advantages and trying to take the ball away.
This is how pentesting keeps your systems in a state of constant readiness, always able to react to threats as (and often before) they arise – because it “trains” your systems to assume problems will come up and embeds methods for dealing with them.
Of course, the advantage is that these hackers are friendly. Rather than the “black hats” exchanging crypto and credit card numbers on the Dark Web, they’re “white hats”, working for your company and answerable to you. When they find exploitable weaknesses, they don’t call you with ransom demands – these hackers-on-your-side report and document the problem, then design fixes and improvements as part of your IT team.
Pentesting and vuln testing: the differences
Of course, pentesting isn’t the only way to foil bad actors – another approach is vulnerability management (vuln), which we’ll explore in Part 2 of this mini-series. But just for completeness, let’s define how the two methods differ.
Penetration testing is an active, no-holds-barred attempt to break your business: finding exploits, hacking servers, sniffing out open ports and badly configured infrastructure so gaps can be closed and patches applied. It’s a “lean-forward”, proactive way of working: a team of experts thinking like bad guys, imagining what they’d do and the damage they’d cause.
Vulnerability management, by contrast, is more lean-back, contemplative and thoughtful. It uses a range of tools to scan and survey your IT infrastructure (often 24/7) and report potential problems without attempting to hack or exploit. The tests are often narrower in scope than penetration testing, and make use of broader information from databases, such as what software vendors have discovered about their applications and made available publicly, or bug reports submitted on websites like GitHub and Stack Overflow. If pentesting is a locksmith tasked with entering your house, vuln management is more like looking at the house to document which doors are locked and whether the windows are closed.
So that’s the split: pentesting is an active hacking attempt, vuln is more of an information-gathering exercise based on data. And with the differences defined, let’s get back to pentesting.
The basics: why we do web application penetration testing
First come the goals – and as with most business processes, there’s more than one. The objective isn’t simply “make the system safe”. It’s to stress-test specific areas of your IT infrastructure, from user logins to open ports. At Strypes, our focus is mainly on web applications – because they’re the front end of your system, most customized to your business, and in daily use by your employees, customers, and other stakeholders. Which means they carry some of the highest risks.
Keeping applications updated and vulnerabilities addressed
Of course, a primary part of your information infrastructure is the applications you use – so they’re a primary focus of pentesting. (The application security testing market is heading for over US$6bn in the USA alone.) After all, no web application is perfect. Mass-market apps may contain known flaws and weaknesses that are patched regularly, so one area of pentesting is to see which apps need updating and apply the updated versions. In-house apps, meanwhile, with a user base in the hundreds rather than the millions, will have fewer resources devoted to alpha and beta testing and thus may be more vulnerable.
Maintaining compliance with local and global regulations
There are other reasons to pentest. Many organizations (especially in the Finance sector) are tightly regulated, with huge penalties if user data is lost or stolen; web application pentesting to ensure compliance with GDPR, HIPAA and others can save big money. Also, even widely used applications are configured differently for the needs of different businesses; a configuration that works perfectly well in ideal conditions may contain easily exploitable weaknesses that are first noticed during unexpected downtime.
Enforcing best practice in user behavior
And security holes are not limited to technology itself. What if six users are sharing a password, and that password is on a Post-It next to their PC? Or a user clicks on a bad actor’s link, and malware is installed that creates a backdoor to your corporate secrets? Penetration testing takes the human factor into account, too, by stress-testing your existing policies and controls.
Keeping different parts of the infrastructure working together
And a “firewall” isn’t a monolithic one-size-fits-all structure; it’s a detailed configuration of applications and policies that must be “attacked” regularly to stay solid. As your information infrastructure evolves – a new app here, a twisted config there – the firewall must evolve too. “Shadow IT”, the use of personally-owned devices and applications unknown to the IT Department, creates security issues of its own. If your people work from home, you may not want your corporate data on the same desktop as Junior’s games and warez.
Web application penetration testing in action: the process
Given these diverse goals, the best way to describe pentesting is as an end-to-end process that connects the risks at every stage, starting at the highest level of human behaviors and practices, and ending with the lowest-level settings of your IT services. Let’s look at how a typical pentesting project goes.
Stage 1: Pre-engagement and people power
First, we need to assess priorities – including the “people priorities”: ensuring we can work smoothly together and that we’re the right team for the job! This is where we discuss the scope of the assignment – what needs pentesting, how much detail each application needs to be tested in, what vulnerabilities pose the highest risks and what success looks like in solving them. In other words, Stage 1 is the getting-to-know-you part.
When we reach an understanding of what you need to achieve, we close this stage by defining the type of penetration testing that answers your challenges: black box, grey box, or white box testing. These terms are as old as computer science.
Black box testing is where the pentest happens without our friendly hackers knowing anything about your web applications or how they’re configured – a sort of “blunt instrument” approach, like a criminal on a dark night who doesn’t know what’s in your pockets but wants to try his luck. It may sound primitive, but a huge number of breaches happen this way, like DDoS attacks that simply flood your system with dummy requests to overload it.
The white box approach is more measured. Here, the pentesting is done with a thorough knowledge of your infrastructure’s applications and configurations, so specific vulnerabilities can be targeted for testing. Think of this as akin to being the “inside man” on a bank heist, where one of the criminals works for the bank itself and knows where you keep the keys and safe combinations.
Grey box testing combines both approaches. The advantage is that hackers can often guess where your system’s weakest points may be; it makes use of standard configurations like APIs with exploitable flaws and ports that tend to be left open. It uses insider knowledge like setup scripts and data connections, but also looks at how an outsider might use that knowledge to cause you pain.
Once the collaboration looks positive and the approach is decided, it’s time for Stage 2.
Stage 2: Scouting the territory and planning the attack
All these stages are important – but some are more important than others. Strypes’ SMEs (Subject Matter Experts) will roam around your system looking for vulnerable areas and analyzing what might work from a hacker’s perspective. This is what’s meant by the term “attack vector”: just as in war (“Strike on the left flank! Approach from behind!”) all attacks come from a specific direction with a specific set of tactics.
As part of this, the SMEs discuss various strategies and methods for exploiting weak points in your web application and share their findings with you. Our experts use tools that roam around your network looking for weaknesses, hammering at access points and sniffing at ports, constantly probing for soft entry opportunities where hackers could wreak havoc. Some are simple, like unpatched software. Others are unexpected, like an app change in one department creating a security hole elsewhere. On top of this, our cybersecurity specialists also perform a substantial amount of manual testing, so that vulnerabilities which scanners and other automated tools overlook are not missed.
Collaborating with your in-house team is a big part of this, by the way – remember, we’re on your side!
Stage 3: Executing our penetration testing exploits
Next comes showtime: putting on our bad actor disguises and actively trying to penetrate your web applications from outside, within the scope agreed in Stage 1. The goal here is to gain administrative authority (at the highest level possible) over your web applications, with the ultimate win being full sysadmin status. Because if a real hacker achieves this, he can hold your systems – and frequently your company – to ransom.
What tactics are in use here? Answer: as wide a variety as our scope allows. It can mean spoofing email addresses to persuade a user to click a bad link, pretending to be a verified user to gain access privileges, injecting malicious statements into an SQL query, or quietly traversing your firewall to see what’s inside. It may use publicly-known exploits identified in mass-market SaaS, or custom-created ones likely to work against your specific business processes. No matter the method, this stage looks to find each weakness and discover just how much of a risk it represents.
Stage 4: Telling the story of a penetration testing project
The last stage before correcting the issues is a pentest report, outlining the outcomes of all tests performed and logging all findings with notes on severity and priority. This might sound over-administrative. But think of it as more like an audit trail, allowing us to solve vulnerabilities quickly and completely.
After all, the greatest weapon in your arsenal is understanding. If you fully comprehend how each vulnerability arose and how it fits with the context of your web application infrastructure, you’re in a position to eliminate its risk. This stage’s goal is to provide those explanations and give you a clear picture of the damage each one can cause, sharing strategies to fix them. (And that means fixing the root of each problem, not just its symptoms.)
According to Verizon’s 2021 Data Breach Investigations Report, 85% of breaches involved the exploitation of already-known vulnerabilities that the client simply hadn’t addressed. Stage 4 meets that problem head-on.
(Followed by a final stage: fixing and future-proofing!)
Of course, the final stage is fixing the problems discovered: hardening the attack surface against such exploits by fixing code, applying patches, and training people to be more security aware. But this stage isn’t part of pentesting itself – rather, it relies on the outcomes of pentesting. Think of it as the finishing touch that makes all the main stages worthwhile. It’s where you receive the successful outcome you deserve!
Why penetration testing services are critical
Security testing used to be an add-on to most corporate IT strategies. It was something the IT team did, from time to time, as resources allowed; often the people doing it were not security specialists and vulnerabilities could exist for years without being noticed. That’s all changed.
With one firm estimating total cybercrime as nearing US$15tn worldwide, and growing at 15% per year, security isn’t a corporate problem: it’s an economic problem. And 75% of vulnerabilities are in human-centric behaviours like clicking on rogue links in an email. (Many banks conduct “human pentesting”, or phishing simulations, with the IT team sending out deliberately suspicious-looking emails to check what staff actually do with them.)
And with the web of regulation tightening around the world – Europe’s GDPR, Britain’s much-disliked Online Safety Bill, and the USA’s extra-territorial AML laws – being vulnerable can mean the end of your business, not just a quarter’s profits. It’s now illegal in many countries to quietly pay off the hackers, as happened at many firms for too many years. The only option today is to harden the attack surface so completely that the black hats never get a chance – and that’s the very definition of pentesting.
Last, many investors and corporate boards now demand hard evidence of a well-formed penetration testing and security strategy for the annual report – so pentesting can no longer be a side issue. It’s front and center of IT security operations, with its own team, its own professionals, and its own store of expertise. Which of course creates its own challenges – challenges penetration testing service providers like Strypes can answer.
The ultimate goal of web application penetration testing
The overarching objective – keeping your people, your business, your investors, and your customers safe from data breaches, privacy violations, and other crimes – is far from easy. For many companies, it’s not the core competency, which means finding and employing subject matter experts, and managing them so their skills are used effectively.
These people aren’t easy to find, whether you need penetration testing services (the subject of this article) or vulnerability management (the subject of our next one – watch this space).
What you need to answer this ultimate goal is an approach that’s both combined and complete: one that combines knowledge of your business and its people’s tasks with knowledge of your systems, applications, and information flows, and that works end-to-end across all vulnerable human endpoints and hackable software loopholes. Penetration testing services from Strypes address all these needs – and it’s an approach that’s tested and proven in use at some of the world’s most important companies.
CONCLUSION: Look to Strypes for your pentesting – and beyond
At Strypes, we’ve developed a business model that’s worked for years: Nearsurance. A central team of experienced IT security professionals, largely based at our Bulgaria development hubs, provides deep and broad technical expertise across all aspects of pentesting. And that expertise is kept effective by local business analysts in your office, often working directly with your in-house team to build the strongest relationship possible.
Web application penetration testing – and its companion, vulnerability management – is part of our culture. It informs every app we develop, every system we configure. And we’d like to offer that expertise to you.
Ready to discuss the advantages that Strypes can bring to your own IT infrastructure?