The biggest concern about security testing in software development is that it is often omitted from the development cycle entirely. This tendency shows up especially in projects with a very tight budget - we discussed it last month in the article on the importance of QA - where budget cuts redirect resources towards the "creative" part of the development process. The most common approach (and, make no mistake, the most devastating one) is to write code as fast as possible, with no concern for the threats that might endanger the big picture.
We have seen those illusory savings backfire often enough to keep writing about it. Applications, stores and systems that are designed without security in mind lead to huge financial and organizational losses for their owners.
Pentests - why should you care?
Penetration testing is a very specific type of quality assessment that we often run for our partners. Because of growing concern within the European Union, but also globally, about the security of personal data stored in databases, there is a noticeable growth in requests to verify whether market-ready solutions comply with regulations.
In the first six months of 2019 alone, according to the Quick View Data Breach Report (https://pages.riskbasedsecurity.com/2019-midyear-data-breach-quickview-report), more than 3,800 breaches were disclosed to the public, exposing 4.1 BILLION database records.
It applies to everyone - you might think that data security is a problem only for the budget-focused projects mentioned in the intro, but even Facebook had been storing the passwords of hundreds of millions of its users in a readable format, some of them since 2012, as it admitted on 21 March 2019 (published estimates put the number of affected users at up to 600 million). The problem was spotted during an internally run security review, which allowed the password storage to be redesigned more securely (https://about.fb.com/news/2019/03/keeping-passwords-secure/).
The story does not always end so well, and the material losses caused by breaches can run into millions. At the end of March 2020, Marriott International confirmed a breach that exposed the personal data of up to 5.2 million of its guests. According to Marriott, the attackers accessed a guest-services application using the login credentials of two employees at a franchise property - all that was needed was the compromised accounts of two particular employees of the target. Six months later, lawsuits are piling up, and the losses will be measured in millions of dollars (https://nakedsecurity.sophos.com/2020/03/31/marriott-international-confirms-data-breach-of-up-to-5-2-million-guests/).
Under the GDPR, the general rule of thumb in data leak cases is that the fine can reach 20 million euro or 4% of the company's global annual turnover, whichever is higher.
On top of direct compensation claims from the people affected by the leak, Marriott had to introduce countermeasures, including a self-service platform where customers can check whether their details were included in the leaked data. Building such an emergency platform can be a financial burden impossible to bear for entities smaller than the one described here.
How getting a pentest partner can save your data
We see apps and platforms start as small solutions and grow exponentially over time, sometimes so fast that it is hard to keep up with the increasing security requirements. If a system that is open to the public in any way was not designed to be resilient from day one, and no vulnerability assessment has ever been conducted, there is a lot of work ahead.
First of all, the penetration test specialists have to research the partner's company thoroughly to understand its actual environment. With that information as guidance, we can define the exact types of tests that have to be run on the platform to expose potential vulnerabilities, and decide how exactly the penetration testing will be done. The final result of the pentest is a summary document with recommended measures, the order in which they should be implemented, and an assessment of the app's current security level. Later on, the same document serves as a guide for the monitoring effort that ensures the recommendations are fulfilled and that the security awareness of the partner enterprise grows over time.
How does the penetration testing magic work?
As mentioned, each pentest is a bit different and is aligned with the solution under investigation, but for the test to conclude with any valuable insight it has to include some crucial elements, which are therefore always present.
A short interview with the IT department, or at least with a delegated person inside the customer's organization, will be conducted. This lets us identify potential low-hanging fruit, such as missing or incorrectly configured TLS certificates, or an application whose basic security protocols are set up wrongly (outdated TLS versions still enabled, for instance).
Afterwards, we need to agree on the general approach to the penetration tests - these can be divided into two distinct "modes".
If we are briefed with complete information about the tested environment, we run White Box pentests. That approach usually produces more thorough results, but it relies on information that would normally be inaccessible to the "hacker" in the first place - which by itself provides a thin additional layer of protection. Example: we are told that we are pentesting a Windows Server 2008 machine with Exchange 2003 deployed, and that is what we verify. In the wild, an attacker would first have to discover that information and spend additional resources to do so.
Black Box pentests are much more demanding and, to be honest, more interesting for us. We are given only the basic information: the brief consists of the essentials, such as the IP address of the target. We have no data on the configuration, on the services deployed on the target, and so on. It is up to our penetration testing team to learn all of it - in this case we turn into White Hat specialists, your personal IT Navy SEALs team that shows you how you can be threatened.
In-depth procedures that you should be aware of
Penetration testing is also split into automated and manual variants. The automated (scripted) one is run using a pre-configured scanner that pinpoints candidate problems; the findings are then triaged, and false positives rejected, after further investigation by the certified engineer who supervises the whole run. It covers the classic classes of flaw: SQL injection, buffer overflows, cross-site scripting, cross-site request forgery and so on. At this stage we verify that the underground's favourites are taken care of, making sure the target system can stand its ground against the thousands of commonly used malicious scripts.
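As an added illustration (example code written for this edit, not part of the original article or of codelabs.rocks' tooling), here is the kind of flaw the scripted stage hunts for and how a scanner confirms it: a login lookup written with string concatenation next to the parameterised fix, plus a small probe that sends tautology payloads and discards the false positive of an app that simply accepts any password. The users table and the payload list are constructed for the example, and it runs against an in-memory SQLite database, so nothing here touches a real system.

```python
"""Added example: SQL injection, the vulnerable query, the fix, and a probe.
Not the article's code; sample users and payloads are constructed here."""
import sqlite3

# Constructed sample data (a real system would store password hashes).
SAMPLE_USERS = [("alice", "s3cret"), ("bob", "hunter2")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn, name, password):
    """Attacker-controlled text is spliced into the SQL, so quotes in the
    input become part of the query grammar instead of data."""
    query = ("SELECT name FROM users WHERE name = '%s' AND password = '%s'"
             % (name, password))
    return [row[0] for row in conn.execute(query)]


def login_safe(conn, name, password):
    """Placeholders keep the input as data: the driver never re-parses it."""
    query = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in conn.execute(query, (name, password))]


# (username, password) pairs a scanner would try; all constructed.
INJECTION_PAYLOADS = [
    ("alice", "' OR '1'='1"),   # tautology in the password clause
    ("alice", "' OR 1=1 --"),   # tautology, then comment out the tail
    ("alice' --", "wrong"),     # comment out the password check entirely
]


def probe_for_injection(login):
    """Crude scanner logic: a login must not succeed with a bogus password.
    Returns the payload pairs that yielded a row (an authentication bypass).
    A baseline request with an ordinary wrong password is sent first, so an
    app that accepts anything is reported as broken rather than as injectable
    (that is the false positive a scanner must reject)."""
    conn = make_db()
    if login(conn, "alice", "definitely-wrong"):
        return ["baseline-failure"]
    findings = []
    for name, password in INJECTION_PAYLOADS:
        try:
            if login(conn, name, password):
                findings.append((name, password))
        except sqlite3.Error:
            # A syntax error means the input reached the SQL parser, which is
            # itself a signal, but only confirmed bypasses are reported here.
            pass
    return findings


if __name__ == "__main__":
    print("vulnerable:", probe_for_injection(login_vulnerable))
    print("safe:      ", probe_for_injection(login_safe))
```

The first payload turns the WHERE clause into `name = 'alice' AND password = '' OR '1'='1'`, and because AND binds tighter than OR the tautology returns every row; the parameterised version treats the same string as a literal password and matches nothing.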
An additional layer can optionally be added to the pentest stack by introducing the human element. A pentest specialist is assigned to go through every component of the system, clicking it inside out for long hours and looking for any non-standard access point that the automated scripts might miss. In our experience automated pentests identify the great majority of vulnerabilities, but an actual engineer applying their problem-solving skills can discover that the most unexpected parts of the app are broken and exploitable. This matters all the more because there is always some social engineering involved: there is no script to "hack" a person, and an experienced tester with a little bit of a con-man inside can do wonders when pentesting.
Optionally, as it is a time-consuming and resource-heavy process, pentests can be strengthened with in-depth code analysis. As noted, scripted pentests identify the majority of problems and human-run tests push that result further. In some cases, however, for example when testing financial solutions, more insight into the code is necessary. It can reveal the most elaborate security issues and unwanted access points.
Penetration tests often conclude with the server scanning part. The machine is probed for open ports on both TCP and UDP to reveal which services are listening. Open ports are not a problem in themselves, but weak security at this level leads to exploits: knowing which service and protocol are exposed, a skilled attacker can choose the right tools to reach the data behind them. Software versions are also checked, to see whether any outdated applications are running. IT administrators often lag behind new software releases, leaving potential attackers an open door with a written invitation to break in.
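An added example of the server-scanning step (written for this edit, not the article's or the company's own scanner): a TCP connect scan with banner grabbing, followed by a check of the product version found in the banner against a minimum-version table. To keep it self-contained it starts its own throw-away service on 127.0.0.1 that greets clients with an SSH-style banner; the MIN_VERSIONS thresholds are illustrative placeholders, not vendor guidance, and a real engagement would use the vendor's advisories and a proper version-detection scanner instead.

```python
"""Added example: TCP connect scan, banner grab and outdated-version check.
Not the article's code; the local service and the thresholds are constructed."""
import re
import socket
import threading


def start_fake_service(banner):
    """Listen on an ephemeral localhost port and greet each client with
    `banner`, the way SSH and SMTP servers do. Returns the port number."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                client, _ = srv.accept()
            except OSError:
                return
            with client:
                try:
                    client.sendall(banner)
                except OSError:
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return port


def scan_ports(host, ports, timeout=0.5):
    """TCP connect scan. Returns {port: banner} for every open port; the
    banner is b"" when the service waits for the client to speak first."""
    result = {}
    for port in ports:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(timeout)
        try:
            s.connect((host, port))
        except OSError:
            s.close()
            continue  # closed or filtered
        try:
            banner = s.recv(256)
        except socket.timeout:
            banner = b""
        finally:
            s.close()
        result[port] = banner.strip()
    return result


# Constructed, illustrative thresholds: product -> oldest version accepted.
MIN_VERSIONS = {"OpenSSH": (8, 0), "Apache": (2, 4, 46)}
BANNER_RE = re.compile(rb"(OpenSSH|Apache)[_/](\d+(?:\.\d+)*)")


def parse_version(text):
    return tuple(int(part) for part in text.split("."))


def outdated_products(banner):
    """Return (product, version) pairs from the banner older than MIN_VERSIONS."""
    found = []
    for product, version in BANNER_RE.findall(banner):
        name = product.decode()
        if parse_version(version.decode()) < MIN_VERSIONS[name]:
            found.append((name, version.decode()))
    return found


if __name__ == "__main__":
    port = start_fake_service(b"SSH-2.0-OpenSSH_7.4p1 Debian-10\r\n")
    for p, banner in scan_ports("127.0.0.1", [port, port + 1]).items():
        print(p, banner, outdated_products(banner))
```

Tuple comparison does the version ordering, so "7.4" sorts below "8.0" and "2.4.29" below "2.4.46" without any string tricks; the regex ignores the patch suffix ("p1") and the OS tag that distributions append to the banner.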
Wrap-up on the penetration test procedures
Regardless of the final scope of the tests conducted, it is always good to know that standards are maintained throughout. We are trained in and carry out penetration testing following the Penetration Testing Execution Standard (PTES - http://www.pentest-standard.org/index.php/Main_Page) and the Open Source Security Testing Methodology Manual (OSSTMM - https://www.isecom.org/research.html).
Also, engineers at codelabs.rocks are praised for their insightfulness and their ability to approach problems from unexpected angles. We stick to a helicopter-view approach and assess target platforms not only by running preset scripts, but by conducting a reverse analysis with additional support from project managers.