Penetration testing and web application security

Many organisations perform penetration tests on their computer networks (also called ethical hacking). These tests are attempts to breach network defences from the Internet in order to identify security weaknesses and implement remediation measures. Ethical hacking usually covers the corporate Web site and other systems that are visible from the public Internet. Web applications, which are widely used in the financial services industry, are often overlooked and should always be included when external testing is scheduled. 

The first step for an organisation is usually to assess the external network defences and systems to ensure that they are adequately protected against attacks. The corporate website, for example, is a prime target for attackers. An attacker who is able to break into the system that hosts the corporate website will then attempt to leverage that access to gain further access to the internal network and systems. Email, remote access nodes and any other servers that are publicly accessible should be included in these tests.

Once the network has been tested as described above, organisations should turn their attention to Web applications. Web applications can be defined as applications that are usually accessed via a Web browser such as Internet Explorer or Mozilla Firefox. They give clients access to their portfolios, personal information and allow them to perform a variety of operations ranging from trading stock, changing contact information, paying various fees to purchasing merchandise. Even if they normally require a username and a password, Web applications can constitute a privileged gateway for digital intruders because they are often linked to corporate networks, databases and confidential data.

A hacker’s strategy: Get legitimate access
A danger looms for organisations that grant online access to customers: the rogue client. A rogue client is an individual who legitimately accesses a Web application and, once logged in, examines, probes and tests the application's limits and safeguards. For example: a rogue client logs in to the web application. They are able to view their personal data, the status of their investments and perform transactions.

Up to this point, there is nothing abnormal. The rogue client will then most likely attempt to gain full access to the client database, view data that belongs to other clients, gain administrative access or perform unauthorised transactions. Possible motivations include corporate espionage, retaliation or simply bragging rights within the hacker community. In our experience, these types of breaches often go undetected. When a rogue client accesses information they are not supposed to have access to, the confidentiality and data integrity implications are enormous.
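The rogue-client scenario above is, at the code level, a failure of object-level authorisation: the application trusts an account identifier supplied in the request instead of checking that the logged-in user owns that account. The following is an added illustration, not code from the article: a constructed in-memory account service (names, accounts and balances are assumed) that shows the vulnerable lookup beside a hardened version which enforces ownership on both views and transactions and logs every denied attempt, since such probing otherwise goes unnoticed.

```python
"""Added example: object-level authorisation for a client-facing account service."""
from dataclasses import dataclass


@dataclass
class Account:
    account_id: int
    owner: str
    balance: int


class AccessDenied(Exception):
    """Raised when the session user does not own the requested account."""


class AccountService:
    def __init__(self):
        # Constructed stand-in for the client database (assumed sample data).
        self.accounts = {
            101: Account(101, "alice", 5000),
            202: Account(202, "bob", 1200),
        }
        self.audit_log = []  # denied attempts land here for the monitoring team

    def _authorize(self, session_user, account_id, action):
        acct = self.accounts.get(account_id)
        # Treat a missing account and a foreign account identically, so the
        # response does not reveal which account ids exist; log every denial.
        if acct is None or acct.owner != session_user:
            self.audit_log.append(
                f"DENIED user={session_user} action={action} account={account_id}")
            raise AccessDenied(f"{action} on account {account_id}")
        return acct

    def view_insecure(self, account_id):
        # Vulnerable pattern: whatever id the browser sends is looked up directly,
        # so a logged-in client can read any other client's record.
        return self.accounts[account_id]

    def view(self, session_user, account_id):
        # Hardened pattern: ownership is derived from the server-side session.
        return self._authorize(session_user, account_id, "view")

    def transfer(self, session_user, from_id, to_id, amount):
        src = self._authorize(session_user, from_id, "transfer")
        dst = self.accounts.get(to_id)
        if dst is None or amount <= 0 or amount > src.balance:
            raise ValueError("invalid transfer")
        src.balance -= amount
        dst.balance += amount
        return src.balance
```

The same ownership check belongs on every endpoint that takes an account identifier, not only on the one the developers happened to think of; an independent tester will try each of them.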

Test before launch
Always test the security of a Web application prior to it being made available to clients. If weaknesses are identified, changes can be made before the application is formally launched. When a web application is being developed, the programmers should always test for security weaknesses as part of their overall development process. However, once testing by the developers is completed, the web application should be formally tested for security by an independent third party such as a quality assurance team or an outside organisation.

When the application undergoes changes or when a new version is produced, security testing should be performed once again to ensure that no new vulnerabilities were accidentally introduced with the addition of new code and functionalities. Finally, web applications should be retested on an annual basis, since previously unknown weaknesses may be discovered by security researchers and expose the web application to a breach.

Where to find help?
Unless an organisation has a quality assurance team with adequate skills that is independent from the web application development team, a third party organisation should usually be hired to assist with this critical task. When hiring a third party, organisations should meet with firms to clearly detail their needs and objectives. It is important to enquire about what methodology will be used and how much reliance is placed on automated testing tools. One widely used web application testing methodology is that of OWASP, the Open Web Application Security Project, which is broadly recognised in the information security community.

A tried and true methodology will ensure that the tests cover an adequate scope to identify weaknesses which may be present. Furthermore, although automated tools are frequently used, web application security testing requires a significant amount of manual testing which must be matched with strong technical knowledge by those executing the tests. Manual testing by highly skilled web application testers will detect weaknesses that automated tools may miss and which could ultimately lead to a security breach.

The bottom line for businesses is that web applications offer practical and timely online solutions to clients, but they also offer intruders a gateway into the corporate network and confidential data. To mitigate these risks, organisations should thoroughly test these applications prior to their launch, when changes are implemented and on an annual basis. With appropriate testing, organisations can gain confidence that they are offering their clients a secure way to perform online operations, and thus both parties benefit from the full potential of web applications.
