Types of Penetration Testing for Web Applications
There are three different types of security testing/analysis, and all three apply to web application tests. These are:
- Black Box testing – this is the closest to simulating a real-life cyber attack on your applications, as the penetration testers receive no prior knowledge of the client systems; it also requires the least preparation from the company being tested.
- Grey Box testing – the middle-ground test, where the analysts are given some knowledge of the system being tested. This is equivalent to a user with some access to the system and malicious intent.
- White Box testing – sometimes referred to as Clear Box or Open Box testing – this is where our analysts are provided with all information about the system being tested, including its internal structure, design and implementation. White Box testing also includes a secure code review; due to the visibility provided by this test, it may highlight security issues that would otherwise go unnoticed. It is also the least similar to a real-life cyber attack.
For web application assessments, the ConnectDS cybersecurity experts provide both unauthenticated and authenticated testing. During authenticated testing, your business provides our penetration testers with the credentials required to authenticate with the web application. This provides extra insight, as it shows what information an attacker could gain if they were to use social engineering to exploit weaknesses in your people and steal an employee's password, or break in via a brute-force attack. With authenticated assessments, it is important to ascertain the different privilege levels of each web application so that each level can be assessed comprehensively. An authenticated assessment at both employee and admin privilege levels of a web application would also highlight the potential impact of a rogue employee.
Before each web application penetration test, the ConnectDS onboarding team will liaise with you in order to understand the assessment requirements, define objectives and gather all the information required. During this stage, the scope of the engagement will also be defined – this means outlining which systems/subsystems are to be tested and which methods of penetration testing are allowed. ConnectDS have performed hundreds of web application security assessments and will happily offer a customised web application assessment to capture your company's bespoke requirements. Once the scope is finalised, a statement of work and agreement detailing the scope, process and timeline of the assessment will be sent out; once this is signed, the web app testing of your company's web applications will commence.