How penetration testing can prevent web application attacks

With data breaches hitting the headlines on an almost daily basis, organisations are more aware than ever of the need to stay secure – but they’re not always aware of the best ways to do that. Penetration testing is a case in point: many successful breaches that you’ve read about could have been mitigated – or prevented altogether – with effective testing, but not enough organisations commit to regular tests.

Penetration testing is essentially a controlled form of hacking in which a professional tester, working on behalf of an organisation, uses the same techniques as a criminal hacker to search for vulnerabilities in the company’s networks or applications.

To highlight the importance and usefulness of penetration testing, we’ve produced a series of blog posts that summarises recent security incidents and how pen testing could have helped the affected organisation.

Following on from our discussion of insider threats, this blog covers web application attacks. These include exploits of code-level vulnerabilities in the application itself and attacks that bypass its authentication mechanisms.

Examples

  • Criminals defaced 5 million WordPress blogs in January and February 2017 after a privilege escalation vulnerability affecting WordPress 4.7 and 4.7.1 was disclosed. Multiple public exploits were shared and posted online, fuelling a frenzy of attacks in the following weeks. The attack was traced to a flaw in an add-on that was introduced in versions of WordPress released in late 2016.
  • Instagram was hacked this summer, with criminals exposing the phone numbers and email addresses of six million users. The perpetrators exploited a flaw in the password reset option of Instagram’s mobile app. They requested password resets to particular accounts and then intercepted Instagram’s response, which contained the user’s personal details.
  • In September 2017, US military contractor and international security firm TigerSwan exposed 9,402 documents containing the sensitive personal information of US military personnel and applicants for military and intelligence positions. The information was reportedly left on an Amazon Web Services S3 storage bucket and accidentally configured for public access.
  • That same month, Equifax announced that it suffered a data breach affecting 143 million customers. The breach dated back to mid-July, when criminals began exploiting a remote code execution vulnerability in Apache Struts 2, an open-source framework for developing Java web apps. This vulnerability had been identified by Apache two months earlier, but Equifax didn’t apply the patch.

How can penetration testing help?

The breaches listed here were not the result of ingenious criminal schemes; they were caused by basic security failures. Millions of people’s data and online presences were compromised because the organisations’ staff didn’t make sure that patches were applied, web applications were secure or data was kept private.

Unfortunately, mitigating these problems isn’t as simple as telling staff and web developers to do their job right. Organisations as a whole are ultimately responsible for keeping data secure, and it’s up to them to make sure security measures are in place to spot mistakes before it’s too late.

Regular web application penetration tests can find security problems in websites and web applications. Testers review server systems, static content and server-side programs that implement the application logic to identify insecure development practices in the design, coding and publishing of software.

Penetration testers will also provide recommendations for improving your security posture. Depending on the vulnerability, they might advise adjusting the organisation’s processes to keep untrusted data separate from commands and queries, developing strong authentication and session management controls, or separating untrusted data from active browser content.

IT Governance offers fixed-price and bespoke CREST-accredited penetration tests, and all our tests are followed by reports that rank and rate vulnerabilities in your systems.

If you want to learn more about penetration testing and how we conduct our tests, you should watch our webinar ‘Cyber security: protecting your business with cost-effective penetration testing’. You’ll find out:

  • How penetration testing can help prevent the most common types of attack;
  • The differences between a penetration test and a vulnerability assessment;
  • Why penetration tests are vital to uncovering vulnerabilities before criminals do; and
  • How to conduct a penetration testing programme.

The webinar will take place on 9 November 2017, from 3:00 pm. If you can’t make it, the presentation will be available to download from our website.