Note from the Editor: This blog is the 6th installment of an 8-part blog series entitled, “The Complete Web Application Penetration Test Guide.” To read the series from the beginning, please go to the blog, What is a Web Application Penetration Test?
Over the years, clients have asked us when it’s the right time to penetration test a new web application. We like this question, because it recognizes the fact that a new application needs a penetration test. You never want to roll out a new application to production without testing it. If a new web application gets compromised, it not only puts the application at risk, but also all the systems in your environment. So now that we have established the need for a test, determining when you should test a new application is a bit trickier. In this blog, we will explore the appropriate time to penetration test a new web application.
Do Not Test a New Web Application Too Early
It is important that you do not test a new application until it is fully functional and in its final form. This means that all core functionality and the intended feature set for release is in place and has been verified. The reason you don’t want to test too early is two-fold:
First, if anything within the application changes, or new functionality is added, that new code has not been tested and therefore might be vulnerable.
Second, as part of a web application penetration test, if something doesn’t load properly or throws an error, that is an indicator to the test team that there may be something we need to look into from a security perspective. A lot of times, one of the earliest signs of a vulnerability is simply being able to produce an error.
It is extremely difficult to determine the cause of an error if we test before the web application is fully functional. It could be something we did during testing, or it could be broken functionality. Forcing a third party to assess an application too early can end up being just a best-effort test and not a true measurement of the risk associated with this new application.
Do Not Test a New Web Application Too Late
Conversely, you do not want to wait and test a new application after it is live. Before the application is live, there are obviously fewer concerns around availability and data integrity. This allows the test team to really hammer away on the website without concerns of bringing it down. Of course, we perform many tests on production applications and are proficient at giving a good test without any interruptions. With that said, it is always better if we don’t need to have availability concerns, as it speeds up our assessment and allows us to fully explore the risk of discovered vulnerabilities.
Second, and perhaps the more obvious reason, is that the second the site is live it is exposed to everyone on the Internet, including malicious hackers. It is dangerous to assume that it won’t be targeted within the first 24 hours of being placed into production. As mentioned in the intro above, if an attacker finds a vulnerability that gives them remote code execution on the underlying server, that puts not only the new application at risk, but your entire organization.
The Right Time to Test a New Web Application
In summary, the right time to test a new application is usually in the final stages of QA. You want the application to be fully functional and as close to production-ready as possible. For most applications, it takes approximately a week to execute a test and another week to turn around the report. So it’s a good idea to plan for 2 weeks of security/penetration testing in your project timeline.
Contact us today to talk about conducting a penetration test for any of your new web applications.
About the Author:
Matt Miller is Director of Penetration Testing at SIG. He currently has his PCI QSA, CISSP, OSCP, C|EH, GSEC, GCIH, and CISA certifications. You can find Matt on Twitter @InfoSecMatthew.