Information Security Blog

Web Application Penetration Testing: Production or QA?


Recently I spoke with one of our highly regulated clients in the financial industry, who was getting “beat up” in an audit because we had jointly chosen to run the web application penetration tests in a “near production” environment rather than in their production environment. Our thought process was as follows:

  • The web application we were testing processes highly sensitive data, where integrity is critical.
  • Web application penetration testing tools attempt to identify persistent injection vulnerabilities that may result in data being written to the database, thus impacting data integrity.
  • Reversing successful injections in a production application/database may not be possible and/or would be more challenging if inserted data “triggers” additional actions (e.g., a stored procedure that processes our injected data).
  • Testing in a near production environment that is identically configured (e.g., code base, web server, app server, database tier) provides equivalent value at virtually zero risk.
  • The client would make any required changes (dictated by the test results) in production after those changes were validated in near production.
  • Pivot Point Security would perform a network vulnerability assessment and penetration test in the production environment to ensure the security of the underlying infrastructure.

I was surprised when the auditor disagreed with this approach, especially, as it is the approach I see leveraged by the vast majority of our client base. The auditor was insistent (despite the fact that our client could document the identical nature of the near-production and production setups) that the testing should have been done in production.  When it was explained that the risk associated with a successful injection was deemed too high, he cited that the web application vulnerability scanner should have been used in a “safe” mode.
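One thing the near-production approach depends on is being able to show, not just assert, that the test target matches production across the code base, web server, app server and database tier. The following environment-parity check is an added example and is not part of the original post or of Pivot Point Security's tooling. It flattens two constructed configuration manifests, drops the keys that legitimately differ between environments (hostnames, addresses, secrets), reports any remaining drift, and produces an environment-neutral fingerprint that can be attached to a test report as evidence. The manifest layout, the key names and every version string in it are assumptions made for the example.

```python
"""Environment-parity check (added example, not the original post's code).

Shows how to document that a near-production penetration-test target is
configured identically to production, while tolerating values that are
expected to differ per environment.
"""
import copy
import hashlib
import json

# Keys whose values are expected to differ per environment and must not count
# as drift. Constructed list for this example; extend it to fit your inventory.
ENV_SPECIFIC_KEYS = {"hostname", "listen_address", "db_host", "db_password"}


def _flatten(node, prefix=""):
    """Flatten nested dicts into {'tier.key': value}, skipping env-specific keys."""
    if not isinstance(node, dict):
        return {prefix.rstrip("."): node}
    flat = {}
    for key, value in node.items():
        if key in ENV_SPECIFIC_KEYS:
            continue
        flat.update(_flatten(value, f"{prefix}{key}."))
    return flat


def drift(prod, near_prod):
    """Return [(dotted_key, prod_value, near_prod_value)] for every differing setting."""
    p, q = _flatten(prod), _flatten(near_prod)
    differences = []
    for key in sorted(set(p) | set(q)):
        pv, qv = p.get(key, "<missing>"), q.get(key, "<missing>")
        if pv != qv:
            differences.append((key, pv, qv))
    return differences


def fingerprint(manifest):
    """SHA-256 over the canonical, environment-neutral manifest; equal hashes mean parity."""
    canonical = json.dumps(_flatten(manifest), sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def is_equivalent(prod, near_prod):
    """True when the two environments agree on every non-environment-specific setting."""
    return fingerprint(prod) == fingerprint(near_prod)


# Constructed sample manifests: every value below is illustrative, not a real system.
PROD = {
    "code": {"app": "payments-portal", "build": "build-0001"},
    "web_server": {"software": "httpd", "version": "2.4.7",
                   "hostname": "www-prod-01", "tls_min": "TLSv1.2"},
    "app_server": {"software": "tomcat", "version": "7.0.52", "session_timeout_min": 15},
    "database": {"engine": "postgresql", "version": "9.3.2",
                 "db_host": "db-prod-01", "db_password": "prod-secret"},
}

# Near-production copy with two real drifts (timeout, database patch level)
# plus the per-environment differences that should be ignored.
NEAR_PROD = copy.deepcopy(PROD)
NEAR_PROD["web_server"]["hostname"] = "www-qa-01"
NEAR_PROD["database"]["db_host"] = "db-qa-01"
NEAR_PROD["database"]["db_password"] = "qa-secret"
NEAR_PROD["app_server"]["session_timeout_min"] = 30
NEAR_PROD["database"]["version"] = "9.3.3"

# The same environment after the drift has been remediated.
NEAR_PROD_FIXED = copy.deepcopy(NEAR_PROD)
NEAR_PROD_FIXED["app_server"]["session_timeout_min"] = 15
NEAR_PROD_FIXED["database"]["version"] = "9.3.2"


if __name__ == "__main__":
    for label, target in (("before fix", NEAR_PROD), ("after fix", NEAR_PROD_FIXED)):
        print(f"{label}: equivalent={is_equivalent(PROD, target)}")
        for key, pv, qv in drift(PROD, target):
            print(f"  drift {key}: production={pv!r} near-production={qv!r}")
        print(f"  production fingerprint       {fingerprint(PROD)}")
        print(f"  near-production fingerprint  {fingerprint(target)}")
```

The fingerprint is deliberately computed over the manifest with environment-specific keys removed, so two environments can have different hostnames and credentials and still hash identically; anything else that differs shows up in the drift list, which is the part of the output an auditor would want to see empty.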

Needless to say, running in a safe mode means that it is not performing those tests that are not deemed safe. So by running in a safe mode it may miss critical vulnerabilities – essentially a false negative – which is the most dangerous result you can have in a pen test.

So he asked the auditor: “Do you want me to run:”

  1. A “safe” test in production that may miss things
  2. A “comprehensive” test in near-production whose results are applied to production
  3. A “comprehensive” test in production that may impact the integrity of client data

To my surprise he didn’t care whether it was ‘1’ or ‘3’ – as long as it was run in production. I find the answer remarkable. Do you?

I found one other thing surprising: that I could not find any “standard” guidance on this from resources like OWASP or Microsoft.

About the Author:

John Verry (CISA, 27001 Certified Lead Auditor, CCSE, CRISC) is Pivot Point's resident "Security Sherpa". He is lucky enough to spend most of his day helping clients develop a road map to address security, compliance, and attestation requirements.

Discussion

  1. Matthew, March 18, 2014

    Simply an ignorant auditor, or possibly miscommunication? If the auditor was saying that a scan against the production environment using the “safe” setting was needed, I see little reason not to do it IN ADDITION TO the proper, full-speed scan and pen test against the QA environment.
