1
00:00:01,180 --> 00:00:02,830
Types of security testing.

2
00:00:03,880 --> 00:00:08,760
So, of course, there would be several types of testing methodologies for Web applications.

3
00:00:09,770 --> 00:00:12,750
And it's sometimes difficult to differentiate between them.

4
00:00:12,770 --> 00:00:13,760
I'll be honest with you.

5
00:00:14,970 --> 00:00:21,960
So in the field, sometimes the names are, well, used interchangeably, and I think that kind of adds

6
00:00:21,960 --> 00:00:22,990
to the confusion.

7
00:00:23,640 --> 00:00:30,830
So this sets incorrect expectations of every single one of these tests.

8
00:00:30,840 --> 00:00:31,220
Right.

9
00:00:32,140 --> 00:00:40,120
So you got to remember that each methodology has a different scope and goals, each with their own strengths

10
00:00:40,120 --> 00:00:40,840
and weaknesses.

11
00:00:41,740 --> 00:00:47,050
Also, what about the requirements behind the security testing? Those can vary as well.

12
00:00:48,320 --> 00:00:54,830
I mean, the requirements may be mandated by corporate policies as well as compliance requirements for

13
00:00:54,980 --> 00:01:03,200
PCI or compliance with regulatory standards such as Sarbanes-Oxley. So, to make it clear,

14
00:01:04,350 --> 00:01:10,200
each method is very different from one another, even though they may have similarities.

15
00:01:11,240 --> 00:01:16,160
Some of them can be completely automated, but others have to be done manually.

16
00:01:17,030 --> 00:01:20,150
So in other words, the way we do these tests differs.

17
00:01:21,040 --> 00:01:26,080
Now, we're going to briefly describe some of these methods and we'll continue with our penetration

18
00:01:26,080 --> 00:01:27,400
testing, I assure you.

19
00:01:28,510 --> 00:01:29,830
Source code review.

20
00:01:30,710 --> 00:01:32,450
So it's always good to have a look at the code.

21
00:01:33,460 --> 00:01:39,440
Because every vulnerability is there, except operational and deployment problems, of course.
22
00:01:40,240 --> 00:01:47,800
So when source code is reviewed, the code itself is checked manually for any vulnerabilities such as

23
00:01:47,800 --> 00:01:50,980
bad input validation, logic bombs or others.

24
00:01:51,970 --> 00:01:59,200
It's not always easy with security source code analysis. The way I see it, if companies don't include

25
00:01:59,200 --> 00:02:07,360
SDLC in their development process, a source code analysis is, well, getting really difficult to do.

26
00:02:07,510 --> 00:02:14,210
And mostly companies prefer penetration testing as the technique of choice for technical testing.

27
00:02:14,260 --> 00:02:17,020
Do they get where they've invested it, you know?

28
00:02:18,100 --> 00:02:23,320
So a source code analysis is very efficient with a proper SDLC.

29
00:02:24,690 --> 00:02:26,130
Vulnerability assessment.

30
00:02:27,490 --> 00:02:33,100
Now, a vulnerability assessment is focused on finding security weaknesses or vulnerabilities within

31
00:02:33,100 --> 00:02:35,440
the Web application without exploiting them.

32
00:02:36,780 --> 00:02:40,170
It can be completely or partially automated.

33
00:02:41,590 --> 00:02:46,180
And several vulnerability scanners can be used to identify the vulnerabilities.

34
00:02:47,150 --> 00:02:54,020
Also, a very great feature to keep in mind is if the scanner can prioritize the vulnerabilities that

35
00:02:54,020 --> 00:03:03,890
it finds. Web application audits. A security audit is, well, it's really much broader than a vulnerability

36
00:03:03,890 --> 00:03:04,460
assessment.

37
00:03:05,650 --> 00:03:12,070
The scope of a Web application audit may contain other associated components, such as change management,

38
00:03:12,070 --> 00:03:14,980
databases, application servers, firewalls and so on.
39
00:03:15,870 --> 00:03:23,920
An audit team should collect data from all components of the system and then make a vulnerability assessment

40
00:03:23,920 --> 00:03:29,110
according to the policy and procedures of the company's documentation.

41
00:03:29,530 --> 00:03:37,090
It's also possible to interview the staff as well as other personal aspects of the business.

42
00:03:37,900 --> 00:03:43,510
So the primary objective of an audit is to measure and report on conformance.

43
00:03:44,580 --> 00:03:50,190
They like that word. I think it's a... I like to think of it as a combination of compliance and performance.

44
00:03:51,060 --> 00:03:52,500
Penetration testing.

45
00:03:52,930 --> 00:03:59,370
OK, so sometimes people think defense is the best offense.

46
00:04:00,240 --> 00:04:05,730
Well, with penetration testing, it's actually more offense than defense.

47
00:04:06,300 --> 00:04:09,630
It's more offensive than other techniques, in fact.

48
00:04:10,530 --> 00:04:17,280
So then the purpose of the test here is to find the vulnerabilities and compromise them to prove

49
00:04:17,310 --> 00:04:18,990
the security risk of the system.

50
00:04:20,010 --> 00:04:26,550
So you first need to identify the scope of the test, then you can attempt to compromise the vulnerabilities

51
00:04:26,550 --> 00:04:33,300
found in the application. You might have come across that penetration testing is sometimes called ethical

52
00:04:33,300 --> 00:04:33,780
hacking.

53
00:04:34,530 --> 00:04:42,000
However, it's actually a subset of ethical hacking, but it definitely differs from the concept of

54
00:04:42,000 --> 00:04:42,900
ethical hacking.

55
00:04:43,860 --> 00:04:49,980
Because it's a more streamlined way of identifying vulnerabilities in the systems and finding out if

56
00:04:49,980 --> 00:04:53,670
the vulnerability is actually exploitable or not.

57
00:04:54,990 --> 00:05:00,870
So in this course, we're going to dive into Web application penetration testing.
58
00:05:01,990 --> 00:05:09,730
So penetration testing, as we've been describing, is a way to simulate the methods of attackers in

59
00:05:09,730 --> 00:05:15,470
order to circumvent an organization's security controls and then gain access to their system.

60
00:05:16,180 --> 00:05:20,950
Sometimes you'll hear about vulnerability scanners as well as some other automated tools.

61
00:05:22,240 --> 00:05:28,930
Now, I don't want to underestimate their strengths, but this is not an exact penetration test.

62
00:05:30,140 --> 00:05:32,480
You got to get in there and get your hands dirty.

63
00:05:33,230 --> 00:05:34,400
You'll see what I mean soon.

64
00:05:35,470 --> 00:05:37,450
Post-remediation testing.

65
00:05:38,860 --> 00:05:45,520
So after conducting a penetration test, the tester, or you, should produce a report, right?

66
00:05:46,350 --> 00:05:53,430
And this report may include a whole range of things about each particular vulnerability.

67
00:05:54,570 --> 00:06:01,200
But the most important one is the advice, or a way to explain how they're going to fix the vulnerability.

68
00:06:02,470 --> 00:06:09,580
A pen test report without remediation is almost absolutely worthless to the customer.

69
00:06:10,850 --> 00:06:18,530
So for a proper penetration testing report, the testers should verify if the vulnerabilities found

70
00:06:18,530 --> 00:06:26,030
during the penetration test have been, or are able to be, completely remediated.

71
00:06:26,720 --> 00:06:32,120
Now, this, of course, is a separate test, so it should be clearly defined in your contract.

72
00:06:33,070 --> 00:06:36,130
Otherwise, it's not wise to test it.

73
00:06:37,600 --> 00:06:43,630
OK, so we're almost done with this kind of administration stuff, but I do want to share with you three

74
00:06:43,630 --> 00:06:44,770
more terms.
75
00:06:45,920 --> 00:06:50,930
Now, of course, you may hear them while working in the field, and you do want to be able to know

76
00:06:50,930 --> 00:06:52,970
exactly where they come from and what they mean.

77
00:06:53,810 --> 00:06:57,680
So this is another approach to security testing.

78
00:06:58,570 --> 00:07:01,390
The first term is white box testing.

79
00:07:02,580 --> 00:07:10,170
And what this means is that you can reach almost every resource that is going to be within the boundaries

80
00:07:10,170 --> 00:07:17,010
of the test. You work closely with your organization to identify potential security threats, and the

81
00:07:17,010 --> 00:07:20,420
IT team helps you out while interacting with the system.

82
00:07:20,850 --> 00:07:25,830
That way, you can analyze the source code and talk with the internal teams of the client.

83
00:07:26,580 --> 00:07:30,450
You can check the configurations, network diagrams and more if you need to.

84
00:07:31,790 --> 00:07:38,210
And you will have access to insider knowledge and you can launch attacks without fear of being blocked.

85
00:07:39,440 --> 00:07:42,260
Now, the second term is gray box testing.

86
00:07:43,590 --> 00:07:49,140
And what this means is that you will have partial info about the assets which are going to be tested.

87
00:07:50,050 --> 00:07:54,250
You may have some basic or broader information about the system if you need.

88
00:07:55,410 --> 00:07:58,500
So the last one is black box testing.

89
00:07:59,730 --> 00:08:05,070
So in this type of test, you have almost no prior information about the assets that will be tested.

90
00:08:05,950 --> 00:08:12,580
So unlike white box testing, this time, in a black box, you are not provided any knowledge about

91
00:08:12,580 --> 00:08:13,120
the system.
92
00:08:14,260 --> 00:08:20,710
So with this type of testing, organizations might be able to evaluate their internal security team's

93
00:08:20,710 --> 00:08:27,280
ability, as well as identify their detection and response operations.

94
00:08:28,570 --> 00:08:34,150
Black box testing is designed to simulate the actions of an attacker, right, just like any other ethical

95
00:08:34,150 --> 00:08:35,930
hack or penetration test.

96
00:08:36,800 --> 00:08:41,650
However, this also relies on far too much reconnaissance.

97
00:08:42,460 --> 00:08:45,910
So this type of test can be costly and time consuming.

98
00:08:46,770 --> 00:08:54,720
They require way more skills than gray box tests, and I have mostly been in this type of scenario, which

99
00:08:54,720 --> 00:09:01,530
is often preferred by clients because you're actually simulating an absolute real-world attack.

100
00:09:02,560 --> 00:09:09,310
So therefore, as a pentester, you will typically attempt to find vulnerabilities in a particular target.

101
00:09:10,660 --> 00:09:15,630
And one more thing: in a real-life pen test, you don't classify the test.

102
00:09:16,840 --> 00:09:21,310
You and your client just define the scope and then you start to test.

103
00:09:22,450 --> 00:09:27,270
So what I mean by that is that the test doesn't need to be just one-sided, right?

104
00:09:27,640 --> 00:09:33,850
Your test may be close to black, it might be close to white, or somewhere in the middle.

105
00:09:34,120 --> 00:09:38,260
Again, this is for you to define with your client.

106
00:09:39,070 --> 00:09:42,670
In the end, it doesn't really matter, just as long as you know what you're doing.