Securing Your Web Application

Application testing accounts for half of the assessments Raxis performs each year. Our testing follows the OWASP Top 10 framework, but, like all of our assessments, this can be tailored to your specific needs. Every application test performed by Raxis is a true manual breach attempt. While we use tools to help us identify key areas, the majority of testing is performed manually. Our engineers test the business logic of the application with an attempt to escalate privilege, force data leaks, expose sensitive information, and in extreme cases make the leap from the application into other environments.

We approach these tests from different perspectives:

• Unauthenticated User: We hunt for flaws in the login process as well as authentication bypass techniques such as SQL injection, cross-site scripting, and session fixation. Anything from user enumeration and brute-force attacks to direct object references are considered in-scope.
• Admin Super User: Once logged in, Raxis maps out the application, looking for technical vulnerabilities as well as business logic gaps and flaws. Configuration issues, client-side processing, and session issues are just a few of the areas your engineer will test from within your application.
• Basic and Read-Only Users: When setting the scope, you choose how many roles Raxis will test. We recommend testing at least a power user and a lower level user. Raxis performs comprehensive application testing on forms, fields, and services throughout the application using all user roles. Testing as a user with limited permissions makes it possible for our engineers to attempt operations that should only be accessible to higher level users.

A Raxis web app test thoroughly examines your application for flaws from without and within.

Does my company need a web application penetration test?

Yes, these tests are important tools for your development team. As they create intuitive, essential web applications that improve processes for your employees and customers, security is likely a key part of their process. Your dev team has the responsibility for the entire app - from user experience to security. Your application must validate that all users have authenticated correctly and are authorized to use the proper areas of the application. But security doesn’t end there. The application code must follow proper security procedures to keep data safe. Your developers deal with a lot of moving pieces.

Our engineers jump in during the testing phase of your dev team's secure software development lifecycle (SDLC). Instead of looking at your application as a credible user would, they take a hacker's point of view, attempting to exploit business logic vulnerabilities as well as code and configuration issues. Raxis gives your development team useful, actionable feedback to give them to tools they need to secure your application.

Should web app testing be a part of our Software Development Lifecycle (SDLC)?

We highly recommend that it is.

• Static testing for new applications - Raxis can test your application in a QA environment before you go live so that you — and your customers — can rest assured that security features have been thoroughly tested and protections are in place to stop malicious actors from gaining access to your site and systems or even disrupting the environment.
• Ongoing testing for applications in continuous development - When your application changes rapidly with agile teams pushing updates to production often, Raxis recommends the Pen Test as a Service (PTaaS) for web applications. This service includes an annual traditional penetration test and then monthly manual testing to check for updates and differences. If changes are discovered, a Raxis pentester will manually look at newly discovered vulnerabilities and alert your team. In this way your security keeps up with your constantly developing application.
• Periodic testing for applications with scheduled updates - For applications that update rarely — meaning quarterly or even annually — companies sometimes prefer scheduling full pentests against the changes before the updates go live. Raxis provides this within the PTaaS environment or separately through traditional pentests.

Why does Raxis use the OWASP Top Ten as a guideline for my web app test?

The OWASP Top Ten is a widely recognized standard for current critical security risks to web applications. Your development team likely uses the list to inform their security decisions, and the controls are embedded in our web application testing processes as well. From broken access controls to insecure design and injection vulnerabilities, you can rest assured that our engineers are versed in them all.

If I’ve already had an external network test, is a web app test needed? Could the tests be performed together?

We recommend a web app test in addition to an external test, and, depending on your scope and budget, a combined test may be a good option.

External network tests focus on the full systems and your internet-facing network as a whole. While the pentester may focus on breaking into your application from the point of view of an unauthenticated user, the application itself will likely not be their main focus.

Likewise, a Raxis web app test thoroughly focuses on your application from the point of view of several roles within and outside of your application. While the engineer will examine the configuration of the application server during the test, emphasis is placed on the application. As our engineers examine and map out your application from each user's point of view, they test for business logic, configuration, and, of course, technical vulnerabilities, manually attempting to break your controls to gain unauthorized access. This vigorous focus on each piece of your application gives your development team the information they need to lock down your application and keep your users' data safe.