- On February 18, 2018
How to Prepare for a Web Application Penetration Test
A website’s security is among the top priorities that web developers work on. They always look for vulnerabilities and bugs in the system – and a penetration test can help them do that.
A web application penetration test, simply known as a pen test, is a frequently used method to test the security of an IT service. It is usually performed by finding and actively exploiting known system and application vulnerabilities, as well as – depending on the type of the test – creating custom ones. The test can be passed if after a certain amount of time the pentesters were unable to breach through your defenses and/or were unable to:
- Extract any confidential information using MitM attack or other techniques;
- Perform a successful CSS or SQL Injection attack;
- Impact the performance of your servers or applications in a negative way without having authorized access to them;
- In some cases, when a social engineering attack is included in the test, the way you and your colleagues react to “human hacking” attempts will be assessed.
If you’re a web developer, a pen test can be nerve-racking. You know that it is practically a must to put one of those in place, however it could be a bit scary. What if the whole application should be altered after seeing the test results?
Well first of all remember this: the pen test is not a competition. You’re not racing for the best score from the security company. You’ve done your best while developing your product and the underlying architecture. Now you just need to know where and what the bad guys could eventually do if they had the chance and the motivation to do so. Hint – they will have both, eventually.
So how can you prepare for possible attacks and the test itself? Below are some tips to ensure that your web application is secure and ready to pass both.
#1: Secure Coding Practices
Most developers rarely think of security during the development phase of a web application. Their job is to write code that is functional and can develop the system. This is most especially true for new developers. For a web application to be secure, you can try to write better and more secure codes. Here are some secure coding practices you should remember:
- Validation – make sure that you get the right data from the user input. If the data is not valid, prompt an error message to the user.
- Sanitization – limit or even remove other special characters and whitespace in your HTML forms. This prevents a user from entering a code that can penetrate your system.
- Escaping – use escape sequences in your PHP code when getting or displaying strings. This also ensures that the data inputted does not have any special characters that can create malicious code.
The bottom line here is that you should never trust user input.
#2: Have Working Backups
Having a working backup of your important systems, as well as your databases, is important when undergoing a pen test. Your backups must be up-to-date, tested, and readily accessible. This can help you fix any availability issues that might happen after the pen test, especially when the test has broken the system.
#3: Be Prepared to React
After the testing is complete, you might need a long period of time to correct and fix any issues found during the test. Plan as early as you can to allocate time and resources for post-test issues. Propose a timeframe for making corrections on your web application.
When fixing your web application, always prioritize on the recommendations given by the security testers or consultants. Working on them may take a long period of time, but this ensures that your website’s security is improved. The same goes for your sense of security for developing future web applications.
#4: Running a secure app on insecure platform is bad. Very bad. Remember to always patch your OS and applications with the latest security updates. If you choose to use AWS to deploy your product you can use the Golden AMI workflow do deploy pre-patched images. Pre-patched images = less overhead for managing OS security. A blogpost for this is coming, so stay tuned! The CIS AWS Best Security Practices are also a good place to start if you’ve chosen Amazon Web Services for your cloud provider.
According to Symantec’s monthly threat report, there were elevated web attacks for five months on 2017. However, phishing rate slightly decreased on January 2018, with only 1 in 2836 emails posing a security risk.
On a large scale the goal of the web application penetration tests is pretty simple: to reduce the risk of successful web attacks. On a company level though, a secured and well-maintained application could easily make the difference between a successful business and a struggling one. Always keep in mind that best security practices should be followed all the time, even without an upcoming pen test. Keep yourself secure, because you may not know when an actual attack will happen.