Almost every company has a web application that can be accessed from the Internet. It’s not uncommon for customers to log into their accounts through the same application to make purchases or perform certain actions. So it’s safe to say that these apps hold a large “collection” of data, and cybercriminals will sooner or later try to get at this information. That’s why it’s so important to make sure that our apps are prepared for various types of attempted attacks.
Penetration testing (or pentests for short) is an activity whose goal is to find the largest possible number of flaws in, for example, web and mobile applications, where those flaws can negatively affect the confidentiality, integrity and availability of the processed data. To put it simply, these tests involve finding as many errors as possible that a cybercriminal could use to, e.g., take over user accounts, extract information from the database or even take over the server on which the application runs. These tests are therefore a very important step for any company that cares about cyber security.
However, pentests themselves, unlike attacks by cybercriminals, are performed for a specific period of time against a specific range of applications. It is also worth being aware that a pentest won’t detect all vulnerabilities. One reason for this is the limited time available for such tests. Another could be an incomplete scope of testing or the emergence of previously unknown vulnerabilities (e.g. a weakness in a particular version of software that our application uses).
By convention, the flaws found are classified on a five-point scale. This scale defines the threat level, the consequences of exploitation, and the time within which the errors should be fixed.
Critical: the exploitation of a vulnerability classified as critical makes it possible to take full control of a server or a network device. Vulnerabilities that have been marked as critical should be fixed immediately.
High: the exploitation of this vulnerability allows access to sensitive information, but practical use may first require certain conditions to be met. Vulnerabilities classified as “high” should be fixed within a very short time after they are reported.
Medium: the exploitation of this vulnerability may depend on various factors. This vulnerability usually allows access to a limited amount of data or to data of lesser relevance. The fix for this vulnerability does not have to be implemented immediately, but it shouldn’t be postponed either.
Low: the exploitation of this vulnerability has little impact on security or requires very difficult conditions to be met. Fixing this vulnerability can be done when the app is updated with, for example, new functionality.
Info: general recommendations or information. Points marked at the info level are not security vulnerabilities. They do, however, indicate good practices that, if applied, can increase the overall security level of an application.
Finding vulnerabilities is a major part of the pentester’s job, but it’s not the only thing the pentester does. After testing, they create a report from which we can learn what vulnerabilities were found in our applications. In addition, at the end of the description of each vulnerability found, we’ll find recommendations which, if we follow them, will allow us to eliminate that vulnerability.
The ways to test an application can vary depending on the methodology used. Following the phases below during testing will help us perform tests more efficiently. Looking at different methodologies, there are several main phases of testing; these include:
The above phases are only a general “inventory” of each test, and in fact each of the mentioned phases can be broken down into more specific points. Once the vulnerabilities found have been fixed, it’s worth performing a so-called Retest to verify that the vulnerabilities in question have indeed been eliminated.
Pentests can be performed according to the tester’s own methods, rules or principles; however, there are proven methodologies and standards that are widely known among cyber security experts. Four well-known methodologies and standards are outlined below:
Depending on the type of system or application being tested, the types of vulnerabilities may vary. It’s worth taking care of application security from the earliest moments of software development and not only when the application is “mature”. This is because there is a chance that our software, due to vulnerabilities, won’t be able to be released to the public within the set timeframe, which may have various negative consequences. However, in order to be able to properly secure our applications, we should know which vulnerabilities we have to deal with. Below are some of the most common vulnerabilities in web applications.
The vulnerabilities above are, of course, only a part of what developers have to deal with because the list of weaknesses is much, much longer….
Penetration tests are focused on finding as many vulnerabilities as possible in the indicated targets, e.g. web applications. During such tests the pentester sticks “rigidly” to the scope, i.e. to a specific app, and doesn’t chain the vulnerabilities found into a so-called cyber kill chain, by means of which sensitive data could be intercepted. Thus, these tests allow us to check whether a particular web application is secure, but they do not allow us to determine whether an organization is prepared for real cyber threats from hackers. The solution to this problem is Red Team testing.
Red Team tests differ from penetration tests in many ways, the most important differences are:
So you can sum up the differences between the tests as follows: penetration testing is a good solution when it comes to finding as many weaknesses as possible in a given system that need to be fixed, while red team testing is the ideal solution when it comes to assessing a company’s readiness for hacking attacks.

| PENETRATION TESTING | RED TEAMING |
|---|---|
| It’s a portion of red teaming focused on exploiting certain vulnerabilities of a system. | It’s a framework to evaluate the level of security of an organization. |
| The IT team is aware of this exercise and takes part in the activity. | Only upper management knows a test is being carried out. |
| It’s a small, targeted attack. | It emulates a real-world situation. |
| It uses commercial pentest tools. | It resorts to social engineering and can even try to enter the offices to test physical security. |
As in previous CyberLabs – all you need to know about cybersecurity series articles, below you’ll find some good tips to increase the level of cyber security in your organization:
Stay secure! 👾