Application security is becoming a prominent aspect of enterprise security and a crucial component in software development and deployment. Companies are investing in app security testing, especially source code review and penetration testing, to create a robust IT System. While IT departments limit using only source code reviews, it is advisable to perform penetration testing.
Here’s why:
Although, code analysis helps in producing secure code, but issues such as changes within the system, may result in making IT Systems vulnerable. For instance, PHP being installed using safe mode might be enabled during the code review stage, which might get disabled in the actual system environment. Such flaws within the source code may result into potential attacks and compromising of the system.
Furthermore, while performing source code security audits, application code, key security areas and functionality are reviewed and scrutinized line-by-line. On the other hand, in pen testing, an engineer literally ‘hacks’ into a target application to conduct a series of standard user tests to find information about the operating system, language base, security mechanisms such as input filtering and SSL, and linked apps such as media servers and databases.
Though code audits may provide granular recommendations as it helps in gaining more understanding of an app, combining it with pen testing ensures conducting full reconnaissance. With pen test, one could easily identify potential entry points that could be used to exploit system vulnerability, and take appropriate actions to provide secure identity accesses to root or administrative level.
In comparison to penetration testing, source code reviews are costlier and time consuming, as often large code bases and multiple languages are being tested. With regards to source code reviews, an engineer may spend around one hour per 1000 lines of code. Although, tools such as RATS, Application Defense and SPLINT may accelerate the review process, one may need to consider the expertise level of the engineer performing the analysis as well. An engineer with adequate experience in app security and having a hybrid background may expedite the process, as the above mentioned tools only enable engineers to conduct certain functions such as traversing code trees, finding potentially risky functions or methods.
The process is different in case of Penetration Testing Services. After completion of reconnaissance, an open source Web server scanner such as Nikto is being run in order to find out if there had been any loopholes. Thereafter, app security scanners such as AppDetective or WebInspect are being deployed. These scanners look for different vulnerabilities in the system, which includes authentication weaknesses, SQL manipulations etc. In case of any issues, they are later required to be verified manually as well. Post verification, one would need to conduct fuzzing in order to unearth exploitable code and run some custom attacks to find out more vulnerability in the app. Usually such a process take about 40 to 200 hours, wherein each web page may take about two to four hours to be properly assessed.
With advancement in technology and newer hacking threats, it has become imperative to conduct a thorough app security testing. Reason why one needs to go beyond the tradition source code reviews of static and dynamic testing, and include penetration testing as well.
