Penetration Testing Methodology for Web Applications

Establishing a penetration testing methodology is becoming increasingly important when considering data security in web applications. The more we come to rely on networked communication and cloud-based data systems, the more we leave ourselves vulnerable to potentially damaging cyber attacks by outside parties.

While designing and safeguarding secured systems has become standard, how can you be certain these systems work? The answer lies in building a comprehensive penetration testing methodology to protect your information assets.

11 courses, 8+ hours of training

Learn cybersecurity from Ted Harrington, the #1 best-selling author of "Hackable: How to Do Application Security Right."

What is Penetration Testing?

Think of a penetration testing methodology—or "pentesting" for short—as a controlled cyber attack during which your best defenses are put to the test and exploited to determine the extent of vulnerabilities in your web applications.

Essentially, designing and implementing a penetration testing methodology allows you to:

Hack your own system in a proactive, authorized environment, focusing on elements such as IT infrastructure, OS vulnerabilities, application issues and user and configuration errors;
Analyze and validate both system defenses and user adherence to system protocols; and
Assess potential attack vectors such as web applications, wireless networks and devices and servers.

Unfortunately, no data is safe 100 percent of the time. But an effective penetration testing methodology can do wonders for eliminating unnecessary vulnerabilities.

What Are the Benefits of a Penetration Testing Methodology?

The stakes are high for data security. With an effective penetration testing methodology, you can:

Identify vulnerabilities that scanning software cannot;
Not only test those vulnerabilities, but also determine how prepared network defenders are to both detect and respond to attacks in a timely manner;
Determine the potential magnitude of a successful attack; and
Ensure all compliance protocols for data security are being met (a consideration especially important in the payments industry).

Another benefit of taking your penetration testing methodology seriously is its potential affect on internal culture. When organizational leadership demonstrates a clear commitment to data security, it reinforces its importance to employees, who will then be encouraged to follow user-end protocols to the best of their abilities.

How Often Should a Penetration Testing Methodology Be Performed?

An effective penetration testing methodology is executed regularly. As the general wisdom goes, it's better to be proactive and strengthen your web applications' defenses now than to wait until you've already suffered an attack, losing valuable data in the process.

In planning your penetration testing methodology, consider your industry. Not everyone is going to have the same security needs, but it's your company's responsibility to make sure confidential information stays confidential.

Your organization should deploy its penetration testing methodology regularly, but especially when any of the following occurs:

Regulations specific to your industry mandate it. For the payments industry, for example, this can be a quarterly requirement. In other sectors, pentests might only be an annual requirement.
Any alterations to network infrastructure or web applications (internal or external). This could entail upgrades, modifications, security patches, new additions or total overhauls.
Policies change. This is especially common on the end user side of the equation. Policy changes affect the nature of the user's interaction with the web application, which could create new challenges.
Your organization moves or adds a new location. This includes remote employees, who will be accessing web applications through their ISP rather than your organization's secure network.

Finally, when designing your penetration testing methodology, err on the side of caution. If you think you may need a pentest, you probably do. Pentesting may not be free, but the cost is preferable to a data breach.

Building and Effective Penetration Testing Methodology

In the previous decade, although support was building for establishing a more widely practiced penetration testing methodology, no standard materialized until 2010 with the introduction of the Penetration Testing Execution Standard (PTES).

In the current version of the standard, PTES is divided into seven main sections:

Pre-engagement Interactions
Intelligence Gathering
Threat Modeling
Vulnerability Analysis
Exploitation
Post Exploitation
Reporting

These elements can be considered the fundamental elements of any penetration testing methodology. We will explore each of these points in the following sections.

Pre-Engagement Interactions

When building your penetration testing methodology, remember that pentesting requires a lot of trust. You will want to find a provider that is both experienced and familiar with the particular needs of your business.

Remember, you're essentially asking your provider to hack your system, so some ground rules should be established first:

What is the Scope? Do you want a particular area of your business targeted, or your business in general? What (and who) is off limits?
What Is the Schedule? You still have a business to run, so it's important to establish during which hours the pentest is to be performed. The overall timeline of the pentest should be established as an essential element of your penetration testing methodology.
Blackbox or Whitebox? In a whitebox test, the pentester is given baseline access or information to begin and is then charged with exploiting any weaknesses from that position. In a blackbox test, the pentester begins with nothing, just like an outside attacker.
Who Are the Contacts? It's important that communication channels be established between all involved parties, as lapses in communication could have a variety of unintended consequences.

As the foundation of your penetration testing methodology, pre-engagement interactions should be considered very carefully.

Intelligence Gathering

In this phase of your penetration testing methodology, your provider begins the preliminary steps of planning their attack. In a properly planned pentest, the provider will have a clear idea of what is off limits and what is fair game.

Understand that your provider is not doing their job if they're not turning over every leaf looking for information about your business, its employees, its assets and its liabilities. As such, the time spent on this step of the penetration testing methodology can be quite extensive.

Again, remember that establishing ground rules is important in your penetration testing methodology. Providers (and the actual hackers) are accustomed to discovering information however they can—even if that means searching through the company garbage.

Threat Modeling

Once relevant documentation has been gathered, the next step of the penetration testing methodology is to use that information to build a complete profile of your company and its assets. Once this is established, target primary and secondary assets will be determined and further scrutinized.

Assets could entail a variety of different elements, including organizational data (e.g., policies, procedures, trade secrets), employee and customer data and "human assets"—high-level employees that could be exploited in a manner of ways. In a good penetration testing methodology, the provider won't be biased in what assets they're seeking out unless they are instructed to. Otherwise, they will work to identify those with the highest value.

Vulnerability Analysis

With the target assets established, the provider will then work to determine the best entry point to exploit those assets. A good penetration testing methodology will provide strict guidelines on project scope to ensure the client's desired outcome is met.

Sometimes this analysis can be a no-limits effort to uncover all potential vulnerabilities. In other cases, the provider will be asked to target a specific set of potential trouble spots. In a thorough penetration testing methodology, the extent of the vulnerability is then assessed, including the level of weakness and the sensitivity of the information it might expose.

Exploitation & Post-Exploitation

The next step in the penetration testing methodology is the attack itself. Just as in a real-world data breach, a properly executed exploitation can happen very quickly.

Once the provider has gained access to your systems, they will not only continue working to avoid detection, but also attempt a strategy known as "privilege escalation" to gain greater access to the system, as well as additional potential assets.

As the penetration testing methodology progresses to post-exploitation after the target has been achieved, the provider will assess the value of the compromised machine or entry point and determine whether it could be further exploited for later use.

Reporting

Clearly, a thorough penetration testing methodology involves a great deal of work in data collection, analysis and exploitation. But how will the provider report on this information so that your organization can turn it into actionable solutions? Here are some considerations:

11 courses, 8+ hours of training

Get Specifics: High-level recommendations may provide a basic context for the problems with your web applications, but they aren't always very helpful to the people charged with implementation.
Walk-Throughs: Nothing beats learning through experience. Providers should be prepared to show relevant employees and specialists exactly what they did—and also how difficult it was to accomplish.
Risk Level: Naturally, the more challenging an attack is to pull off, the harder it will be for others to do so. Providers should include a detailed report on the risk level of the vulnerabilities they encountered, as well as an assessment of the potential business impact if they are exploited.

Finally, don't be afraid to ask questions of your provider. A good penetration testing methodology, after all, is all about being as informed as possible.