A colleague of mine who works for a different enterprise recently told me about their testing processes and how along with comprehensive application penetration testing they also use network penetration testing on their applications to ensure security at all angles. I think this sounds like a waste of time and resources. Do you agree, or are there benefits to conducting a network pen test when securing applications? If so, what would they be?
There’s not much point in having a robust, well-tested application sitting on a network that is susceptible to attack because of unknown vulnerabilities in its configuration or processes. Although hackers are currently focusing their attacks directly at Web applications, they won’t hesitate to take advantage of alternative routes to break in and steal an organization’s information assets.
You’re right in saying that of the two penetration tests, application pen testing is the more important. This is because, as I’ve just said, applications are the focus of most current attacks and because the network should already be protected by perimeter defenses such as firewalls, intrusion-detection systems and antivirus gateways. It is perimeter defenses such as these that have forced hackers to move on to attacking applications instead.
However, it’s important to test that network security devices are performing as intended and are actually safeguarding the network. The interaction of multiple devices, services and functions can generate unanticipated weaknesses during system integration or deployment, which can often only be found by subjecting the systems as a whole to a pen test.
The process involves an active analysis of the system for any potential vulnerabilities that could result from poor or improper system configuration, both known and unknown hardware or software flaws, and operational weaknesses in process or technical countermeasures. Network pen tests can explore how well controls such as password selection, server, firewall and IDS configurations, trust relationships between systems and remote access points stand up to attempts to exploit them, as well as the ability of network defenses to successfully detect and respond to the attacks.
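A small illustration of the configuration side of that analysis, added here as an example rather than anything from the column or its author: a script that audits a firewall rule set for the kinds of weaknesses the paragraph lists (management services exposed to any source, cleartext protocols, and trust relationships nobody documented, plus a permissive default policy). The rule format, the trusted-network list and the sample rules are all constructed for this example and assume nothing about any vendor's syntax.

```python
"""Audit a simplified firewall rule set for common perimeter misconfigurations.

Example added to this page; not code from the column or its author. The
rule representation (action, protocol, source CIDR, destination port) and
the sample data below are constructed assumptions for illustration.
"""
import ipaddress
from dataclasses import dataclass

# Services whose exposure to arbitrary sources usually signals a weak
# configuration: remote administration, file sharing and database ports.
MANAGEMENT_PORTS = {
    22: "ssh", 23: "telnet", 445: "smb",
    1433: "mssql", 3306: "mysql", 3389: "rdp",
}


@dataclass(frozen=True)
class Rule:
    action: str   # "allow" or "deny"
    proto: str    # "tcp" or "udp"
    src: str      # source network in CIDR notation
    dport: int    # destination port


def rule_findings(rule, trusted_nets):
    """Return a list of finding strings for one rule (empty if it looks fine)."""
    findings = []
    if rule.action != "allow":
        return findings  # deny rules cannot expose anything
    src_net = ipaddress.ip_network(rule.src, strict=False)
    any_source = src_net.prefixlen == 0  # 0.0.0.0/0 or ::/0

    if rule.dport in MANAGEMENT_PORTS and any_source:
        name = MANAGEMENT_PORTS[rule.dport]
        findings.append(f"{name} ({rule.dport}/{rule.proto}) reachable from any source")
    if rule.dport == 23:
        findings.append("telnet allowed: credentials cross the network in cleartext")
    # An allow from a network that is not on the documented trust list is an
    # undocumented trust relationship, exactly what a pen test should surface.
    if not any_source and not any(src_net.subnet_of(t) for t in trusted_nets):
        findings.append(f"allow from {rule.src} is not in the documented trust list")
    return findings


def audit(rules, trusted_cidrs, default_policy):
    """Audit a rule list plus the chain's default policy.

    Returns a dict keyed by rule index (or "default" for the policy finding)
    whose values are lists of finding strings.
    """
    trusted = [ipaddress.ip_network(c) for c in trusted_cidrs]
    report = {}
    if default_policy != "deny":
        report["default"] = ["default policy is not deny: unlisted traffic is permitted"]
    for index, rule in enumerate(rules):
        found = rule_findings(rule, trusted)
        if found:
            report[index] = found
    return report


# Constructed sample rule set for the demonstration.
SAMPLE_RULES = [
    Rule("allow", "tcp", "0.0.0.0/0", 443),        # public HTTPS: expected
    Rule("allow", "tcp", "0.0.0.0/0", 3389),       # RDP open to the whole internet
    Rule("allow", "tcp", "10.0.0.0/8", 22),        # SSH from the corporate LAN
    Rule("allow", "tcp", "203.0.113.0/24", 1433),  # SQL from an undocumented network
    Rule("allow", "tcp", "10.0.0.0/8", 23),        # telnet, even if only internally
]
TRUSTED = ["10.0.0.0/8", "192.168.0.0/16"]  # constructed documented trust list

if __name__ == "__main__":
    for key, findings in audit(SAMPLE_RULES, TRUSTED, "allow").items():
        for text in findings:
            print(f"rule {key}: {text}")
```

Run as a script it prints one line per finding; the point is that a rule set can look reasonable line by line while the combination (a permissive default, a forgotten partner network, a cleartext service) is what an integrated network test actually exercises.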
Compliance with the Payment Card Industry (PCI) Data Security Standard (DSS) Requirement 11.3 requires external and internal penetration testing, including network- and application-layer penetration tests, at least once a year, as well as after any significant infrastructure or application upgrade or modification. Penetration testing is also defined in industry standards such as ISO 27001 as one of the important security tests an organization should regularly undertake. Also, the results of a network pen test provide evidence to support requests for increased investment in security personnel and technology. Now that makes it well worthwhile.
This was first published in November 2011