A vulnerability assessment is the process of identifying security vulnerabilities in Web applications that a malicious actor could exploit and assigning each a severity level. The assessment is conducted manually and augmented with commercial or open source scanning tools to maximize coverage. This essential checklist is your playbook for comprehensively testing a Web application for security flaws:
Before the assessment
- Conduct test preparation meetings. Present a demo of the application, establish the scope of the upcoming penetration test, and discuss test environment setup.
- Construct a threat model. Target specific areas so as to identify the maximum number of high-severity vulnerabilities within the allotted time frame.
- Carry out developer interviews. Obtain in-depth knowledge of the application.
- Verify test environment details. Confirm the URL(s), VPN access, credentials, etc.
Automated dynamic scanning
- Choose an automated scanning method. Select an appropriate commercial or open source security scanning tool, depending on the application framework, that ensures maximum coverage (e.g., Burp Suite Pro, IBM Rational AppScan, HP Fortify On Demand).
- Scan the application. This form of testing reveals many common security vulnerabilities.
- Conduct injection and XSS testing. Check for the presence of injection flaws like SQL, JSON, XML, and LDAP injections. Test for cross-site scripting (XSS) through all input points of the application. Determine whether forms are submitted securely and protected against tampering.
- Administer authentication and authorization tests. Inspect for inadequate authentication methods, improper access control definitions, and broken login processes.
- Audit session management. Review for secure session IDs/cookies. Search for instances of cross-site request forgery (CSRF).
- Investigate sensitive information exposure. Confirm that no sensitive information is revealed due to improper storage of NPI data, broken error handling, insecure direct object references, and comments in source code.
- Examine secure configuration. Ensure that security configurations are not defined and deployed with default settings.
- Run transport layer security testing. Ensure that no broken encryption algorithms are accepted and that communication channels are secured with strong ciphers.
- Carry out application spidering. Explore the application for unconventional ways to bypass security controls.
- Triage results. Verify scan results manually to separate true positives from false positives.
- Collect evidence. Take appropriate screenshots, or otherwise record the steps, to reproduce an exploit and accurately create a proof of concept.
- Complete report writing. Use a standard template to create a report of all the findings as per their risk rating.
- Conduct stakeholder communication. Have testers help the various stakeholders understand and justify the risk associated with each finding.
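As an added example for the session management and secure configuration items above (not part of the original checklist), this small auditor parses the Set-Cookie headers of a captured response and flags missing Secure, HttpOnly and SameSite attributes, predictable-looking session values, and a missing Strict-Transport-Security header. The sample headers are constructed; in practice they would come from a proxy capture of the application's login response.

```python
from typing import Dict, List, Tuple

# Attribute spellings used in findings; keys are lower-cased for matching.
REQUIRED_FLAGS = {"secure": "Secure", "httponly": "HttpOnly"}

def parse_set_cookie(header: str) -> Dict[str, str]:
    """Split one Set-Cookie value into name, value and lower-cased attributes."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    cookie = {"name": name.strip(), "value": value.strip()}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        cookie[key.strip().lower()] = val.strip()
    return cookie

def audit_cookie(header: str) -> List[str]:
    """Return findings for one Set-Cookie header; an empty list means no issue."""
    c = parse_set_cookie(header)
    findings = []
    for key, label in REQUIRED_FLAGS.items():
        if key not in c:
            findings.append(f"{c['name']}: missing {label}")
    samesite = c.get("samesite", "").lower()
    if samesite not in ("lax", "strict"):
        findings.append(f"{c['name']}: SameSite is {samesite or 'unset'}")
    # A short or digits-only value suggests a guessable session identifier.
    if len(c["value"]) < 16 or c["value"].isdigit():
        findings.append(f"{c['name']}: value looks too short or predictable")
    return findings

def audit_response(headers: List[Tuple[str, str]]) -> List[str]:
    """Audit all Set-Cookie headers plus the HSTS header of one HTTP response."""
    findings = []
    names = {name.lower() for name, _ in headers}
    if "strict-transport-security" not in names:
        findings.append("response: missing Strict-Transport-Security")
    for name, value in headers:
        if name.lower() == "set-cookie":
            findings.extend(audit_cookie(value))
    return findings

# Constructed sample response: one weak session cookie, one well-configured one.
SAMPLE_HEADERS = [
    ("Set-Cookie", "JSESSIONID=12345; Path=/"),
    ("Set-Cookie", "sid=k3Fq9vZt2LmXp8Rb7Yw0Cn; Path=/; Secure; HttpOnly; SameSite=Strict"),
]

if __name__ == "__main__":
    for finding in audit_response(SAMPLE_HEADERS):
        print(finding)
```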
As you can see, a holistic application security program includes a combination of various secure processes and practices. Once the project is scoped out, your team needs to know which areas within the application have high-severity vulnerabilities. So how can you get the project rolling? Kick off your next vulnerability assessment with a threat model and lead your team to victory over security vulnerabilities.