What Do These Different Terms & Services Mean?
Maybe you are new to the information security space or are looking for some definitions in everyday language that detail the services we are discussing. If so, then the content below is just what you’re looking for.
|Unauthenticated Scan||Authenticated Scan||Authenticated Manual Testing|
|Basic Vulnerability Checks|
|Thorough Automated Vulnerability Checks|
|Business Logic Flaws|
When we discuss application testing, we often talk about testing your application as an authenticated user (working login/password) and as an unauthenticated user. We strongly prefer to perform testing from both perspectives to give you a complete idea of your application’s risk. If we were to only perform unauthenticated testing, this may give your organization a false sense of security as many applications have the majority of their functionality available after the user has authenticated/logged in to the app. Additionally, sometimes functionality that is available to authenticated users can be mimicked or reproduced by an unauthenticated user, meaning that vulnerabilities may be leveraged by both authenticated users of the system (insider threat, etc. ) as well as unauthenticated attackers.
Every application has various functions for which they are built. For example, a banking application may allow a user to view their balance, move funds between accounts, open new accounts, request a loan, etc. Testing applications for business logic flaws is the process of seeing if the tester can trick the application into performing actions which fall outside the designed functionality. In the banking application example, testing might involve trying to withdraw or send money from an unauthorized account, create additional users for an account you do not own, view the balance of an account that is not yours, etc.
Attackers often try to steal session tokens because if they successfully steal a user’s session tokens, they may be able to impersonate that user. Because HTTP is a stateless protocol, stealing a user’s session tokens is often enough to be able to perform functions as the compromised user. Because session tokens are of such high importance in a web application, protecting them and ensuring the logic surrounding session management is robust is of the utmost importance in your web application.
Using the example of a banking application again, there are often several different types of functions available, such as banking client, bank teller, bank manager, IT administrator, etc. Using the most common account type, a banking client, it is very important to ensure that user Bob Smith cannot see John Doe’s banking information. Additionally, it is also important that Bob Smith, a normal banking client, cannot perform the functions of a bank manager, IT administrator, etc.
|Vulnerability Scan||Penetration Test||Red Team Assessment|
|Physical Security Testing|
A vulnerability assessment is a security test that uses automated tools in order to quickly identify a large range of vulnerabilities. A vulnerability assessment is generally a detective test, meaning that vulnerabilities are detected, but are not exploited. We take the additional step of manually validating findings wherever possible to ensure there are minimal false positives included in the results.
A penetration test includes the steps involved in vulnerability testing, but takes things a step further by attempting to exploit vulnerabilities or leverage other weaknesses in a client’s network/application to gain additional access to their environment. In addition to exploiting vulnerabilities, this type of testing may include brute-force testing to identify accounts with weak passwords as well as privilege escalation, which can allow an attacker with an initial foothold on the network/application to gain access to additional information and/or systems. The goal of this testing is often to gain elevated privileges (domain/enterprise administrator) and/or to gain access to sensitive data/systems on a client network/application.
These terms can apply across multiple types of engagements, but pivoting is the process of using an initial foothold on a network or application (access to a user’s desktop, for example) to attempt to gain access to additional systems/information. Privilege escalation is the act of attempting to leverage a vulnerability or logic flaw in order to gain access to a user/process that has more privileges than what you started with, allowing you to gain access to more privileged information/access than the initial user/process can access.
This type of assessment can be done in a variety of ways and is very much dependent on the outcomes our client is looking for, but is designed to be an adversarial simulation where our engineers perform the types of tests that may happen in the real world. From vulnerability exploitation to breaking into a facility to the use of social engineering and/or malware, this is as close to a no-holds-barred assessment as you can get.