The Open Web Application Security Project (OWASP) is an open community focused on improving the security of application software. It, too, is a strong advocate of Web application penetration tests as part of a secure software development lifecycle. The OWASP testing guide includes a "best practice" penetration testing framework, which security professionals can implement in their own organizations, and a "low-level" penetration testing guide that describes techniques for testing the most common Web application and Web service security issues.
It's not just software security experts that see Web application penetration tests as critical. Compliance with requirement 11.3 of the Payment Card Industry Data Security Standard (PCI DSS), for example, mandates that you perform external and internal penetration testing, including network- and application-layer penetration tests, at least once a year as well as after any significant infrastructure or application upgrade or modification. Similarly, independent penetration testing of government systems in the U.K. is now a core requirement when testing protections against external attack, thanks to last year's Data Handling Review, which investigated U.K. Departmental security practices.
So why are Web application penetration tests still so important? Well, the aim of the secure software development lifecycle is to reduce the number of security-related design and coding defects, and to reduce the severity of any defects that do remain undetected. But there still may well be defects present even in the most scrutinized of applications. Web 2.0 applications, for example, are becoming so complex with increased permutations of user and service interaction that even combining manual or automated scans and assessments may not uncover an exploitable flaw.
Until scanners can harness true artificial intelligence and put the anomalies into context or make normative judgments about them, they will struggle to find certain types of vulnerabilities. A vulnerability assessment simply identifies and reports vulnerabilities, whereas a penetration test attempts to exploit vulnerabilities to determine whether unauthorized access or other malicious activity is possible.
Security holes can also be introduced when an application is deployed and interacts with other processes and the operating system itself. The interaction of multiple functions can generate unanticipated errors, which only become apparent during component-level integration, system integration or deployment. By performing a penetration test to simulate an attack, it's possible to evaluate whether an application has any potential vulnerabilities resulting from poor or improper system configuration, hardware or software flaws, or weaknesses in the perimeter defenses protecting the application.
Unfortunately, an "all clear" result from a penetration test doesn't mean that an application has no problems. Penetration tests can miss weaknesses such as session forging and brute-forcing detection. This is why security throughout an application's lifecycle is so important. Vulnerabilities are discovered continually by malicious individuals and researchers, and being introduced by new software. Scheduled penetration testing helps ensure security is maintained over time, particularly as new software or changes to system configurations alter the environment in which an application is running.
Dig Deeper on Web Application Security
Related Q&A from Michael Cobb
What is BGP hijacking or IP hijacking and how do cybercriminals pull off the attacks? Expert Michael Cobb explains how enterprises can mitigate these...continue reading
Is the Dell eDellRoot security threat a serious problem and, if so, can it be prevented with self-signed root certificate authorities? Expert Michael...continue reading
What does FIPS 140-2 Level 2 certification for devices cover? Expert Michael Cobb explains the FIPS 140-2 security standard and how vendors use it in...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.