According to WhiteHat’s 2017 application security statistics report, 30% of total breaches reported involved attacks on web apps. Quite a reason for companies to wonder how secure their applications are. To assess web apps’ security, companies turn to security assessment providers. The providers offer two major techniques: source code review and penetration testing (in this article, we refer to black box penetration testing as the most widespread type of pentesting).
Let’s explore the two approaches to understand if they are worth implementing.
Source code security analysis (source code review) is the examination of an application's source code to find errors overlooked during development. A tester runs a code analyzer, deployed in a testing environment, that scans the application's code line by line. Once the analyzer reports vulnerabilities, the pentester checks each finding manually to eliminate false positives.
The amount of time a tester spends on source code review varies with the programming language and the size of the application. For example, 1000 lines of code may take 0.5 – 2 hours to analyze.
The strong point of source code review is the ability to identify the following vulnerabilities:
- Encryption errors. These include weak encryption algorithms, as well as strong encryption algorithms with weak implementation (e.g., insecure key storage).
- All instances of SQL injection and XSS (cross-site scripting) vulnerabilities.
- Buffer overflows (more data is written to a buffer than it can hold).
- Race conditions (two or more operations run at the same time on shared data, and the outcome depends on their timing).
Moreover, where penetration testing spots a single vulnerable web page, source code review lets pentesters find the vulnerability at its root: an error in a function or module that several web pages reuse. That saves the pentester's time and the customer's money.
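As an added illustration of that root-level point (example code, not from the original article): a minimal line-by-line analyzer in Python run over a constructed sample module, in which one SQL helper built by string concatenation is reused by two pages, a parameterised variant is left alone, and a harmless log string produces the kind of false positive the reviewer removes by hand. All function names and the heuristic patterns are hypothetical.

```python
import re
from typing import List, Tuple

# Constructed sample module (hypothetical names): one shared data-access
# helper builds SQL by string concatenation, a second uses a bound
# parameter, and two pages reuse the vulnerable helper.
SAMPLE_SOURCE = '''\
def find_user(db, username):                   # shared helper
    query = "SELECT * FROM users WHERE name = '" + username + "'"
    return db.execute(query)

def find_user_safe(db, username):              # parameterised variant
    return db.execute("SELECT * FROM users WHERE name = ?", (username,))

def profile_page(db, username):                # page 1 reuses the helper
    return find_user(db, username)

def admin_page(db, username):                  # page 2 reuses the helper
    return find_user(db, username)

def audit_page(db, username):                  # page 3: not SQL at all
    return "Last SELECT ran for user " + username
'''

# Heuristic sink pattern: a SQL keyword inside a string literal on a line
# that also concatenates or formats a value into that string.
SQL_KW = re.compile(r'["\'].*\b(SELECT|INSERT|UPDATE|DELETE)\b', re.I)
CONCAT = re.compile(r'(\+\s*\w|%\s*\(|\.format\(|\bf["\'])')

def scan_source(src: str) -> List[Tuple[int, str]]:
    """Line-by-line scan; returns (line number, stripped line) per hit.
    Hits are candidates only: audit_page is a false positive to triage."""
    findings = []
    for lineno, line in enumerate(src.splitlines(), start=1):
        if SQL_KW.search(line) and CONCAT.search(line):
            findings.append((lineno, line.strip()))
    return findings

def callers_of(src: str, func: str) -> List[str]:
    """Names of functions that call `func`: every page that inherits the
    root-level bug from the shared helper."""
    current, callers = None, []
    for line in src.splitlines():
        m = re.match(r'def (\w+)\(', line)
        if m:
            current = m.group(1)
        elif current and current != func and re.search(rf'\b{func}\(', line):
            callers.append(current)
    return callers
```

Running scan_source on the sample flags line 2 (the real sink) and line 15 (the log string), and callers_of shows that fixing find_user alone closes the issue on both pages that reuse it.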
Penetration testing is a procedure in which a pentester attacks a web application to uncover its vulnerabilities. The process is more time-consuming than a source code review because it includes several stages. First, the pentester performs reconnaissance against the target application by exercising it as a user would and by running a web scanner to find entry points. After that, he or she exploits the vulnerabilities found, trying to escalate privileges to the administrative level.
Depending on the complexity of the web application, the procedure may take from 20 to 400 hours.
Some vulnerabilities can be discovered with penetration testing only:
- Search engine indexing. The application's own search engine may reveal sensitive data to the pentester, such as copies of a passport or a driving license.
- Vulnerabilities caused by misconfiguration. These are the cases where internal services and documents are reachable from the internet, or default credentials such as “admin” and “user” are left in place.
- Weak authentication, for example weak password or CAPTCHA policies, or password reuse.
- Logical errors in role-based access, where particular information is available to a wider range of users than intended.
Besides, penetration testing is required by security standards. For example, compliance with the Health Insurance Portability and Accountability Act (HIPAA) includes two-factor authentication, automatic logoff and emergency access to electronic protected health information (EPHI).
The key advantage of penetration testing is that it is risk-based. During the reconnaissance stage, the pentester learns about the customer’s business through the web application. This helps identify high-priority risks and build business-specific test cases. For example, if the target application is a local search engine website, the pentester will prioritize vulnerabilities that lead to data mining attacks over XSS vulnerabilities.
Source code review checks the quality of the web application code. Penetration testing, in its turn, reveals the issues with web app logic. Source code review and penetration testing, performed by different pentesters, are an effective combination that covers most web application vulnerabilities.
In the case of corporate web applications, it’s more sensible to invest in security than to remediate security breaches. And if you prioritize security in your business, you need both code review and pentesting.