When developing a web application for a new service, organizations and their web developers are faced with the issue of security. Although many web developers may have a general idea of how to ensure their web applications are secure, most experienced organizations are aware that this is not their area of expertise. This is where application security testing comes in.
What is Web Application Security Testing?
Web application security testing is the process of testing, analyzing and reporting on the security level or posture of a web application. This form of testing is used by web developers and security administrators and performed by ethical hackers to test and gauge a web application’s existing security controls using automated and manual security testing methods. The critical objective behind web application security is to identify any vulnerabilities that could jeopardize the security of the web application.
The testing process usually involves a series of crafted attacks designed to see how well the web application performs and responds. The overall security testing process is generally followed by a formal report that includes the identified vulnerabilities, possible threats and recommendations for resolving the security gaps.
Who Performs Web Application Security Testing?
When faced with the issue of securing a web application, organizations have historically employed penetration testing companies for their vulnerability testing. Regrettably, the vulnerability report is only ever as thorough as the skill set and integrity of the ethical hackers (also known as penetration testers) who performed the testing.
While you may have two companies marketing themselves as penetration testers, the quality of the results attained, for the same web application, may differ dramatically based on the level of detail and effort that went into the testing process, as well as the skill and experience of the testers involved. This uncertainty may leave some organizations feeling less than confident in the reliability of their test results. After all, if even one vulnerability is missed, it could spell disaster.
Unsurprisingly, in an attempt to eliminate or reduce the possibility of undiscovered vulnerabilities, the idea of opening up the number of testers, or crowdsourcing, to the world wide web was initiated, and bug bounty programs began to take off.
What is a Bug Bounty Program?
A bug bounty program, also known as a vulnerability rewards program (VRP), is a crowd-sourcing initiative that rewards individuals for the discovery and reporting of bugs, especially those pertaining to exploits and vulnerabilities.
The idea here is that by increasing the number of individuals involved, one should logically expect that there would be a lower likelihood that a vulnerability will be missed which could ultimately lead to a security breach.
Where this method of vulnerability testing falls down is in its relative anonymity. It is questionable how much background information on each of the testers you may be able to acquire. While some programs may require identity verification, apart from signing up to popular crowdsourced security platforms, such as Bugcrowd or Hackerone, literally anyone can be a bug hunter.
To make matters worse, there are some who use this as their primary source of income. As bug bounty hunting can sometimes be a long, unrewarding process, the issue of ethics becomes a concern.
Case Study: Ryan “Phobia” Stevenson
Over the past several years, Ryan Stevenson, known online as “Phobia,” has been one of the most active bug bounty hunters in the past few years. Gaining public acknowledgement from major telecom companies including AT&T, T-Mobile, Verizon and Sprint for his discoveries, Ryan has also been credited with reporting a significant number of security vulnerabilities on websites, aiding in the security posture of several websites.
When Brian Krebs of KrebsOnSecurity tried to find out more information on Ryan, he was led to various sales forums that trade in stolen customer data. To put things in perspective, the same individual who was being paid to discover vulnerabilities, as part of a bug bounty initiative, was also found to be selling the customer information that his discoveries had intended to protect.
While bug bounty programs may seem like a decent option, the overall increased exposure involved in bug bounty programs, as well as the anonymity and unreliable income of bug hunting, makes them an inherently risky endeavour for organizations looking to secure their web applications.
Where do we go from here?
Ideally, any organization looking to secure their web applications, infrastructure or otherwise, should be looking for a company who not only specializes in penetration testing, but also one that is entirely transparent in their approach, their staffing procedures and, above all else, one that is held accountable by their reputation and their brand.
What is a Penetration Testing Consulting Company?
A penetration testing company is a group of like-minded individuals who specialize exclusively in the practice of ethical hacking or pen testing. A penetration testing company is engaged in the business of giving expert advice to organizations regarding the cyber security posture of their infrastructure, web application and mobile web applications.
Where these individuals differ is in their accountability and the expectations placed upon them to manage a job, specifically the security of a web application, in its entirety. Where a bug bounty hunter may only be concerned with finding the highest risk/reward vulnerabilities, a consulting firm takes on the whole of a web application, infrastructure or otherwise as defined in the client’s scope. In other words, they aren’t just looking for one vulnerability, or one “way in” they are looking for all of them, in order to secure the engaged systems as a whole.
Last but not least, because the sole reward for a bug bounty hunter is compensation for the discovery of a single vulnerability, a consulting firm puts their reputation and livelihood on the line with each job they take on.
“It takes 20 years to build a reputation and five minutes to ruin it. If you think about that, you’ll do things differently.”
At Packetlabs, our mission to continually stay on top of current threats and vulnerabilities has helped distinguish our testing from our competitors. Often times, firms will try to commoditize security testing by performing automated testing (VA scans) with little benefit to the client. Our methodology only begins with automated testing. Thereafter, our extensive experience allows us to manually uncover high-risk vulnerabilities which are often missed by conventional testing methodologies.
We mandate training and continually learn and adopt new attack techniques for our clients. We are always digging deeper to uncover vulnerabilities that may have been overlooked. Our mission is to maintain the fact that not one of our clients have been breached by a vulnerability we’ve missed; we take this very seriously.
To date, our clients occupy multiple industries including: government, law enforcement, technology, media, retail, healthcare and financial, consulting and telecom.
Our slogan, Ready for more than a VA scan?® proves our commitment to the industry to provide only expert-level penetration testing. Our team of consultants think outside the box to find weaknesses others overlook, and continuously learn new ways to evade controls in modern networks.
For information on Choosing a Penetration Testing Company, or to learn more about the services that would best suit your organization, please review our website and contact us for in-depth information on how to prepare your organization.