Application Penetration Testing is a hands-on analysis of an application by an experienced analyst who, typically using a combination of open-source and commercial tools for task-specific functions alongside manual testing, attempts to exploit application-level vulnerabilities and demonstrate their business impact.
Key activities include:
- Hands-on testing by an experienced security analyst with the objective of determining whether application vulnerabilities (generally discovered via Vulnerability Assessments) can be exploited to malicious ends;
- Alignment of testing with OWASP guidance (e.g. the OWASP Top 10) to provide management with assurance that the most common application exploitation mechanisms (such as Injection Flaws, Insecure Direct Object References, and Broken Authentication and Session Management) have been mitigated to an acceptable level; and
- Formal reporting on the process, gap analysis, relevant findings, and mitigation roadmap. Where possible the report will also include: root cause analysis, peer-group benchmarking, good-practice benchmarking, an executive summary, and a technical summary.
The predominant benefits of an Application Penetration Test are that it:
- Provides a measure of the likelihood that a vulnerability can be exploited and of the impact that exploitation may have on the organization;
- Can identify flaws in business logic that automated Vulnerability Assessments are usually incapable of finding; and
- Can identify where a series of individually minor vulnerabilities can be chained together to achieve a significant compromise.
Application Penetration Tests are best used:
- As the least expensive means of attesting to the net security posture of an application, bearing in mind that the attestation reflects the application as tested, at that point in time and within the agreed scope;
- As part of a broader "certification and accreditation" exercise to provide a higher level of assurance for critical applications; and
- As an information-gathering mechanism to focus code scanning/reviews.