Last Updated on
Reading Time: 2 minutesRecently I spoke with one of our highly regulated clients in the financial industry, who was getting “beat up” in an audit because we had jointly chosen to run the web application penetration tests in a “near production” environment rather than in their production environment. Our thought process was as follows:
- The web application we were testing processes highly sensitive data, where integrity is critical.
- Web application penetration testing tools attempt to identify persistent injection vulnerabilities that may result in data being written to the database, thus impacting data integrity.
- Reversing successful injections in a production application/database may not be possible and/or would be more challenging if inserted data “triggers” additional actions (e.g., a stored procedure that processes our injected data).
- Testing in a near production environment that is identically configured (e.g., code base, web server, app server, database tier) provides equivalent value at virtually zero risk.
- The client would make any required changes (dictated by the test results) in production after those changes were validated in near production.
- Pivot Point Security would perform a network vulnerability assessment and penetration test in the production environment to ensure the security of the underlying infrastructure.
I was surprised when the auditor disagreed with this approach, especially, as it is the approach I see leveraged by the vast majority of our client base. The auditor was insistent (despite the fact that our client could document the identical nature of the near-production and production setups) that the testing should have been done in production. When it was explained that the risk associated with a successful injection was deemed too high, he cited that the web application vulnerability scanner should have been used in a “safe” mode.
Needless to say, running in a safe mode means that it is not performing those tests that are not deemed safe. So by running in a safe mode it may miss critical vulnerabilities – essentially a false negative – which is the most dangerous result you can have in a pen test.
So he asked the auditor “ Do you want me to run:”
- A “safe” test in production that may miss things
- A “comprehensive” test in near-production whose results are applied to production
- A “comprehensive” test in production that may impact the integrity of client data
To my surprise he didn’t care whether it was ‘1’ or ‘3’ – as long as it was run in production. I find the answer remarkable. Do you?
I found one other thing suprising — that I could not find any “standard” guidance on this from resources like OWASP or Microsoft.
Free OWASP ASVS Testing Guide
If you are just learning about OWASP’s testing standard or are considering the best way to prove the security of an application, this guide is meant for you!
Hello and appreciate your article! I also have clients who are apprehensive about pen testing apps in production but required to do so by audit. Has there any further discussion on the case you have presented, even how to ensure the non-prod environment is (or nearly) a mirror image of prod?
thanks for your help,
Gerry Asche
Internally, we’ve discussed this at length. The “right” answer really comes down to what the client wants. We’ve performed several penetration tests against applications that are within the client’s PCI CDE (which states testing should be performed against production). How the testing was conducted, usually came down to what the auditor wanted to see. We had some who were fine with us testing the application at the client’s DR site, or a production equivalent staging environment. However, we’ve also worked with auditors that wanted the application tested in the live, production environment. In those cases, we documented exactly what we would be attempting, with potential results, and had both the client and auditor acknowledge the risks. We then tested in production, in off-hours after confirming they had a valid, full DB backup (or any method to roll back changes).
The bottom line is that some standards (and/or auditors) dictate that an application must be tested in the production environment. The best thing you can do educate them to the potential risks, ensure they have some sort of working disaster recovery method, and agree upon procedures should your testing cause an issue in production.