5 Most Popular Web App Security Testing Methodologies
The importance of reliable web security is hard to overstate. Vulnerabilities in web applications can expose your business to devastating attacks. There is plenty of information about web app penetration testing methodologies and tools available online, but it can be hard to find an approach that fits your particular situation. To achieve a high level of operations security (OPSEC), it is important to understand that security is a continuous process that requires a holistic, systematic approach.
This article provides an overview of how to achieve reliable OPSEC and covers five of the most popular web application security testing methodologies. It also takes a look at prominent web security testing standards and guidelines.
Main stages of OPSEC
What is application security testing? It is a systematic process for checking and analyzing the security of a web application or platform. There are many tools and products you can use to run quick tests, but out-of-the-box solutions do not account for individual use cases. Running the most popular penetration testing tools with their default settings is therefore not enough to ensure the security of your web platform or application.
Any risk assessment starts with identifying critical information. For an e-commerce website, this can be customer data such as credit card numbers, phone numbers, and addresses, or company-related information such as lists of suppliers, data on turnover or margins, or employee phone numbers.
The next step is threat analysis and the creation of a testing strategy. This step is the most important one: the strategy must cover every relevant threat to the critical information identified in the previous step, because anything left out here will not be tested later.
1. Open Source Security Testing Methodology Manual (OSSTMM)
The Open Source Security Testing Methodology Manual (OSSTMM) focuses on what to test rather than how to test it. It covers the basics of web security testing as well as how to interpret and report the results of the tests.
From a technical perspective, OSSTMM defines a test in terms of four key elements: the scope (what is being protected), the channel (the means of interaction with the target, such as human, physical, wireless, telecommunications, or data networks), the index (how targets are identified and classified), and the vector (the direction of the interaction).
The last free version of the manual, OSSTMM 3, was published in 2010 and is partially outdated. Newer material is available only to paid ISECOM members.
2. Open Web Application Security Project (OWASP)
The Open Web Application Security Project (OWASP) is an open-source project that offers a wide array of free resources focused on web application testing and cybersecurity awareness.
OWASP offers several types of guides for assessing web application security:
- OWASP Top 10. This is the best-known OWASP publication; it lists the ten most critical web application security risks, ranked by how often they are found and by their impact on the business.
- OWASP Testing Guide. This guide contains a collection of best practices and practical security testing examples for testing web application security.
- OWASP Developer Guide. This guide contains recommendations on writing solid, safe, and secure code.
- OWASP Code Review Guide. This guide is meant for both software developers and managers; it describes best practices of secure code review and explains how it can be used within a secure software development life cycle (S-SDLC).
3. Web Application Security Consortium Threat Classification (WASC-TC)
The Web Application Security Consortium Threat Classification (WASC-TC) is a classification of website security threats. This document also contains descriptions and examples of attacks. Classifications are presented in several ways, called Views:
- Enumeration View – lists attacks and weaknesses that can compromise the security of a website and its data
- Development Phase View – tells at which stage of the development life cycle a particular vulnerability can occur
- Taxonomy Cross Reference View – helps map WASC-TC terminology to terminology used by other similar projects including OWASP Top Ten, CWE, and CAPEC
4. Penetration Testing Execution Standard (PTES)
The Penetration Testing Execution Standard (PTES) covers seven main stages, from initial communication with a customer to reporting:
- Pre-engagement interactions
- Intelligence gathering
- Threat modeling
- Vulnerability analysis
- Exploitation
- Post exploitation
- Reporting
Detailed descriptions of each stage as well as mind maps detailing the steps required can be found on the PTES website.
5. Information Systems Security Assessment Framework (ISSAF)
The Information Systems Security Assessment Framework (ISSAF) is split into two parts: technical and managerial. The technical part provides the core rules and procedures for building an adequate security assessment process; the managerial part contains general recommendations on setting up an effective testing process. Note that ISSAF has not been updated since 2006, so its tool-specific guidance should be treated as historical.
Choosing a methodology and running tests
The usefulness of each guideline listed above varies with your situation. We recommend building your testing strategy from the OWASP Testing Guide checklist and using the PTES Technical Guidelines for technical details.
Once the test documentation is ready, it is time to perform the actual testing and look at how your web application really works rather than how you think it works.
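A small example of what that last step looks like in practice, added here and not part of the original article: a Python script that parses a raw HTTP response and runs a handful of checks drawn from the OWASP Testing Guide (cookie attributes and HTTP security headers). The sample response, the list of expected headers, and the wording of the findings are assumptions chosen for illustration; the point is that the script reports what the server actually sent, not what the configuration is believed to say.

```python
"""Audit a raw HTTP response against a few OWASP Testing Guide style checks.

Example code, not from the original article. Run it on a captured response
(e.g. from a proxy) to see what the application really returns.
"""

# Constructed sample response; not captured from any real site.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx/1.18.0\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Set-Cookie: sessionid=abc123; Path=/\r\n"
    "Set-Cookie: csrftoken=xyz; Path=/; Secure; HttpOnly; SameSite=Lax\r\n"
    "X-Powered-By: PHP/7.4\r\n"
    "\r\n"
    "<html><body>hello</body></html>"
)

# Assumed minimum set of defensive headers; adjust to your own policy.
REQUIRED_HEADERS = {
    "strict-transport-security": "HSTS missing: clients can be downgraded to plain HTTP",
    "content-security-policy": "CSP missing: no browser-side mitigation for injected scripts",
    "x-content-type-options": "X-Content-Type-Options missing: MIME sniffing possible",
    "x-frame-options": "X-Frame-Options missing: page can be framed (clickjacking)",
}

# Headers that commonly disclose software versions to an attacker.
LEAKY_HEADERS = ("server", "x-powered-by")


def parse_response(raw):
    """Split a raw HTTP/1.x response into (status line, [(name, value)], body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers, body


def check_cookies(headers):
    """Flag Set-Cookie headers missing Secure, HttpOnly or SameSite."""
    findings = []
    for name, value in headers:
        if name != "set-cookie":
            continue
        parts = [p.strip() for p in value.split(";")]
        cookie_name = parts[0].split("=", 1)[0]
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        for attr in ("secure", "httponly", "samesite"):
            if attr not in attrs:
                findings.append(f"cookie {cookie_name!r} lacks {attr}")
    return findings


def check_headers(headers):
    """Flag absent security headers and version-disclosing headers."""
    present = {name for name, _ in headers}
    findings = [msg for h, msg in REQUIRED_HEADERS.items() if h not in present]
    for name, value in headers:
        # A digit in Server/X-Powered-By almost always means a version string.
        if name in LEAKY_HEADERS and any(ch.isdigit() for ch in value):
            findings.append(f"{name} header discloses software version: {value!r}")
    return findings


def audit(raw):
    """Return the full list of findings for one raw response."""
    _, headers, _ = parse_response(raw)
    return check_cookies(headers) + check_headers(headers)


if __name__ == "__main__":
    for finding in audit(SAMPLE_RESPONSE):
        print("FINDING:", finding)
```

Feed it real responses rather than the sample: a proxy export of an authenticated page, an error page, and a static asset often disagree with each other, and those disagreements are exactly the "how it really works" the testing step is meant to surface.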