PENTEST - Penetration Test

Well known in application security, Pentest is the abbreviation of Penetration Test, which is simply an intrusion test. A Pentest is a thorough search for weaknesses that uses the same techniques real attackers use, carried out by security experts hired to perform such tests without disrupting the company's activities.

This kind of testing can be an important ally for your business, because it detects and exploits existing vulnerabilities in your systems by simulating hacker attacks. Such evaluations are useful to validate the effectiveness of an application's defense mechanisms.

There are several ways to perform an intrusion test, each with its own level of effectiveness. Among the best known are White Box, Black Box and Grey Box.

White Box is the most complete Pentest, as it is based on a full analysis that evaluates the entire network infrastructure with complete information available to the tester. Black Box is like a blind test, performed with very little information available; it is the closest to the conditions of a real external attack. Grey Box is a mix of both: the tester receives certain specific information to perform the intrusion test, but the amount of information is limited. Expert consultants can advise you on when each type of test is the most appropriate.

Pentests come in several types and can target not only applications but other fronts as well, such as wireless networks and network services. See the benefits for your business:

  • Allows your company to adopt a new security posture.
  • Identifies system weaknesses before the product is launched.
  • Reinforces confidence in your business and its reputation, as it shows your company's commitment to application security.

DAST - Dynamic Application Security Testing

To understand what DAST is, you need to know that there are two main types of AST (Application Security Testing): static (SAST) and dynamic (DAST). DAST works from the outside of the running application, while SAST works on the source code.

DAST stands for Dynamic Application Security Testing. It probes the application's exposed interfaces in search of vulnerabilities. As explained above, the test is done from the outside in: access to the running interface is all the specialist needs to perform the test, with no source code required.

DAST can be said to address a few of SAST's shortcomings. Because DAST runs against the application from the outside, it tests it the same way an intruder would try to get in. Tested this way, DAST is best suited to finding classes of vulnerability that only show up in the deployed system, such as configuration errors.

It is worth remembering, however, that the rules driving a DAST scanner must be fully tailored to the application in order to be effective. This requires significant experience in information security, so look for a qualified team able to help you with it.

As your application changes and is updated, the DAST rules need to be updated as well. This tool therefore requires investment and monitoring throughout the entire development life cycle.

SAST - Static Application Security Testing

SAST aims to identify vulnerabilities in an application's source code before it goes into production. It is like a direct review of the source code: static code analysis techniques search for flaws without having to execute the code.

This way, SAST finds problems early, before deployment, and since it works on the code itself it can give the team detailed information so that the necessary adjustments can be made.

But you will have to stay alert. Since the code is not executed, SAST can make mistakes, which show up as false positives and false negatives: it may flag safe code as vulnerable, and it may miss real vulnerabilities.

That is why effective SAST requires specific knowledge of the source code as well as an understanding of how to interpret its results, including the false ones.

Protect your applications and your brand reputation

Talk to our consultants. We are available to help you increase the security of your applications.

IAST - Interactive Application Security Testing

IAST is a tool that combines SAST and DAST techniques to increase the accuracy of application security tests. It relies on instrumentation, an approach built around an "agent": the IAST agent runs on the application server and actively monitors the application's behavior while it is being used.

The tool hooks into the application's functions to identify security problems, since it can "see" them from the inside out (as SAST does) as well as from the outside in (as DAST does).

IAST has almost 100% accuracy. Another advantage is that IAST tools can find flaws and point at the vulnerable lines of code. It also weeds out some false positives by correlating its code analysis with runtime testing, which reduces the false positive rate.

The disadvantage is that IAST can only test applications written in the languages its agent library supports. Current IAST tools support only a few languages, such as Java, Python, Ruby, Node.js, and .NET.

In any event, IAST mainly stands out for how well it fits into the development process. Companies that build their own applications need to learn about problems as early as possible, avoiding the extra costs and risks that come with vulnerabilities in production.

Code audit

To create secure applications you need to follow security principles at every stage of development. The security architecture must be designed so that the code can be implemented without flaws. Auditing is an effective technique here, because more than half of all vulnerabilities are caused by implementation failures. With this kind of detailed analysis, companies can save time and money.

A code audit is recommended for validating a solution's security and for performance optimization. Even after the solution is delivered, this work cannot and should not stop. The audit verifies whether the techniques were applied correctly and looks for possible points of failure. After the analysis a report is generated and used to implement a range of measures to ensure security.

A code audit can be carried out in three different ways: static, dynamic or manual. The manual method is the oldest way to identify vulnerabilities, and it can be rather slow at detecting errors in the source code. Some companies adopt peer review, where a new piece of code can only be accepted into the main code base once it has been reviewed by another developer.

Static analysis performs an automated check of the code. Through control-flow analysis and pattern matching, it seeks to identify both simple and complex flaws across the entire source code; it is widely used.

In dynamic analysis, on the other hand, the behavior of the running application is analyzed, just as a hacker would try to find vulnerabilities while the application is running. The advantage is that it uncovers vulnerabilities that cannot be found by reading the code alone.

API Security Test

Before explaining what the API Security Test is, it is worth remembering that of all the components of an app, the APIs (Application Programming Interfaces) offer the easiest access point for a hacker wanting to steal your data. That is why testing their security is so important.

API tests can look simple, but their implementation requires attention at every step. Before starting the API test, it is important to document the objective, the application's workflow, any supported integrations, and the API's features and resources.

To validate an API integration, its functions are called and the returned result is checked against what is expected for the interface or for the API itself.

These are the main validations you should pay attention to when testing an API:

  • Validate the returned status code;
  • Validate the response body;
  • Check how the API behaves when a service it depends on is down;
  • Validate the response headers;
  • Validate how the API behaves when it receives a request with an incorrect structure;
  • Check and validate the response against the requirements set for each type of data sent to your API.
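The checklist above, turned into runnable checks as an added example (not code from the original page). The API under test is a constructed in-process stand-in, `fake_api`, so the checks run offline; a real test would point `run_api_checks` at an HTTP client wrapper with the same `(status, headers, body)` return shape.

```python
import json

# Constructed stand-in for the API under test (hypothetical): an in-process
# handler returning (status, headers, body) so the checks can run offline.
def fake_api(path, raw_body, backend_up=True):
    headers = {"Content-Type": "application/json"}
    if not backend_up:  # dependent service is down: fail clearly, not with a 500
        return 503, headers, json.dumps({"error": "service unavailable"})
    try:
        payload = json.loads(raw_body)
        name, qty = payload["name"], payload["qty"]
        if not isinstance(name, str) or not isinstance(qty, int):
            raise TypeError("wrong field type")
    except (ValueError, KeyError, TypeError):  # malformed or incorrect structure
        return 400, headers, json.dumps({"error": "malformed request"})
    return 201, headers, json.dumps({"id": 42, "name": name, "qty": qty})

# Status, header and body validation for one response. Returns a list of
# human-readable failures; an empty list means every check passed.
def check_response(status, headers, body, expected_status, required_keys):
    failures = []
    if status != expected_status:
        failures.append(f"status {status} != {expected_status}")
    if headers.get("Content-Type") != "application/json":
        failures.append("missing or wrong Content-Type header")
    try:
        data = json.loads(body)
    except ValueError:
        failures.append("body is not valid JSON")
        return failures
    for key in required_keys:
        if key not in data:
            failures.append(f"body missing key {key!r}")
    return failures

# Runs each scenario from the checklist against the API and collects failures.
def run_api_checks(api):
    good = json.dumps({"name": "bolt", "qty": 3})
    results = {}
    results["valid_request"] = check_response(*api("/items", good), 201, ["id", "name", "qty"])
    wrong_type = json.dumps({"name": "bolt", "qty": "three"})
    results["malformed_request"] = check_response(*api("/items", wrong_type), 400, ["error"])
    results["not_json"] = check_response(*api("/items", "{not json"), 400, ["error"])
    results["service_down"] = check_response(*api("/items", good, backend_up=False), 503, ["error"])
    return results

if __name__ == "__main__":
    for scenario, failures in run_api_checks(fake_api).items():
        print(scenario, "PASS" if not failures else failures)
```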

And don't forget: dedicated automation engineers are recommended for this test phase. Their skills and knowledge will make all the difference.

Vulnerability Management and Risk Scoring

Vulnerability Management is a proactive way of managing security that minimizes the risk of source code or architecture flaws compromising the app.

As with other management processes, it is based on adopting routine practices and processes aimed at reducing flaws and integrating this work into day-to-day operations. Companies should understand the importance of creating such a policy.

Problems can be identified with automated vulnerability scan solutions. After mapping vulnerabilities, the use of a risk matrix is recommended to help identify the most critical problems and prioritize them by order of importance for your business.

It is worth remembering that this process requires periodic steps for continuous improvement. If it is not maintained on an ongoing basis, it becomes inefficient. For this reason, the proper functioning of the app will depend on the management process. And if you don't know how to implement it in your company, look for vulnerability management experts capable of identifying the risks in your solutions.

Risk Scoring is a classification based on several factors, designed to identify the vulnerability risks of an app. The resulting score shows whether the app is a risky one.

The Risk Score also carries information on the maturity of the use of this specific app. This gives the company important data and information on vulnerabilities for decision-making purposes.