Desktop Application Pentesting: Purpose and Importance

What is it Testing?

A desktop application penetration test examines the authentication mechanisms, network interactions, encryption, decryption, and storage methods, often including the source code, employed by an application in order to determine its overall robustness. A security expert carefully examines the functionality of the application against its intended purpose to identify weak points where a malicious actor might take advantage of flaws in logic or implementation to steal data, gain unauthorized access, or otherwise abuse the application’s supporting network or users.

Why is it important?

Web applications are developed by individuals with deep knowledge of their functionality; however, this knowledge is often biased by presuppositions about how the application is intended to be used. While invaluable for troubleshooting and business, this knowledge often obscures security vulnerabilities.

Employing a red team professional provides a unique perspective and a look into the mind of a real-world attacker, who will likely attempt to abuse or exploit the functionality of an application in ways, or to ends, that a developer could not predict.

The tester will provide feedback on these weaknesses with a focus on specific and unique business impact. This insight is invaluable and often unavailable by any other means than suffering a real attack with real losses.

Framework/Methodology

  • OWASP Application Security Verification Standard (ASVS)

  • Manual Examination

Examples of attacks/findings

  • No Multi-Factor Authentication
  • Application Vulnerabilities
  • Unpatched Systems
  • Reverse Engineering
