Penetration Testing with Source Code Reviews in App Security?
Application security is becoming a prominent aspect of enterprise security and a crucial component of software development and deployment. Companies are investing in application security testing, especially source code review and penetration testing, to build robust IT systems. While many IT departments limit themselves to source code reviews alone, it is advisable to perform penetration testing as well.
Although code analysis helps in producing secure code, changes within the system can still leave it vulnerable. For instance, PHP's safe mode might be enabled on the system where the code review is performed but disabled in the actual production environment. Such flaws, which the source code alone does not reveal, can lead to attacks and compromise of the system.
Furthermore, during a source code security audit the application code, key security areas and functionality are reviewed and scrutinized line by line. In penetration testing, on the other hand, an engineer literally ‘hacks’ into the target application and conducts a series of standard user tests to gather information about the operating system, the language base, security mechanisms such as input filtering and SSL, and linked applications such as media servers and databases.
Although a code audit may provide granular recommendations, since it builds a deeper understanding of the application, combining it with penetration testing ensures full reconnaissance. A pentest makes it easy to identify potential entry points that could be used to exploit a system vulnerability, so that appropriate action can be taken to secure access at the root or administrative level.
Compared to penetration testing, source code reviews are costlier and more time-consuming, since large codebases written in multiple languages are often under test. In a source code review, an engineer may spend around one hour per 1000 lines of code. Although tools such as RATS, Application Defense and SPLINT may accelerate the review, the expertise of the engineer performing the analysis must be considered as well. An engineer with adequate experience in application security and a hybrid background can expedite the process, as the above-mentioned tools only perform certain functions, such as traversing code trees and finding potentially risky functions or methods.
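To make the two points above concrete (tool-assisted spotting of risky functions, and configuration that differs between the review environment and production), here is an added example script; it is not part of the original article or of any of the tools it names. The rule set, the PHP snippet and both ini value sets are constructed for illustration.

```python
import re

# Constructed rule set in the spirit of RATS-style tools: risky PHP
# functions mapped to the weakness class their misuse usually indicates.
RISKY_CALLS = {
    "eval": "code injection",
    "system": "command injection",
    "exec": "command injection",
    "shell_exec": "command injection",
    "passthru": "command injection",
    "unserialize": "object injection",
    "include": "file inclusion",
    "require": "file inclusion",
}

# Settings whose value changes how exploitable a code-level finding is.
# (safe_mode is kept because the article uses it; it was removed in PHP 5.4.)
SENSITIVE_INI = ("safe_mode", "allow_url_include", "display_errors", "open_basedir")

CALL_RE = re.compile(r"\b(" + "|".join(RISKY_CALLS) + r")\s*\(")


def find_risky_calls(source):
    """Return (line_no, function, weakness) for each risky call in PHP source."""
    findings = []
    for no, line in enumerate(source.splitlines(), start=1):
        for m in CALL_RE.finditer(line):
            findings.append((no, m.group(1), RISKY_CALLS[m.group(1)]))
    return findings


def config_drift(review_ini, prod_ini):
    """Return {setting: (review_value, prod_value)} for sensitive settings that differ."""
    return {k: (review_ini.get(k), prod_ini.get(k))
            for k in SENSITIVE_INI if review_ini.get(k) != prod_ini.get(k)}


# Constructed sample: a page that includes a file and runs a command named by the request.
SAMPLE_PHP = """<?php
$page = $_GET['page'];
include($page . '.php');
echo shell_exec('ls ' . $_GET['dir']);
"""
REVIEW_INI = {"safe_mode": "On", "allow_url_include": "Off", "display_errors": "Off"}
PROD_INI = {"safe_mode": "Off", "allow_url_include": "On", "display_errors": "On"}

if __name__ == "__main__":
    for no, fn, weakness in find_risky_calls(SAMPLE_PHP):
        print(f"line {no}: {fn}() -> possible {weakness}")
    for k, (rv, pv) in config_drift(REVIEW_INI, PROD_INI).items():
        print(f"drift: {k} was {rv} under review, {pv} in production")
```

The code-level findings are the same in both environments; the drift report is what tells the reviewer that the production deployment, not the code, decides their severity.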
The process is different for penetration testing services. After reconnaissance is complete, an open-source web server scanner such as Nikto is run to find out whether there are any loopholes. Thereafter, application security scanners such as AppDetective or WebInspect are deployed. These scanners look for various vulnerabilities in the system, including authentication weaknesses, SQL manipulation and so on. Any issues they report must later be verified manually as well. After verification, one conducts fuzzing to unearth exploitable code and runs custom attacks to find further vulnerabilities in the application. Such a process usually takes about 40 to 200 hours, with each web page taking about two to four hours to assess properly.
With advancements in technology and newer hacking threats, thorough application security testing has become imperative. That is why one needs to go beyond traditional source code reviews and static and dynamic testing, and include penetration testing as well.