Application Security Testing Approaches Part 1

00:04

in this lesson, we're gonna explain the differences between testing visibility amongst approaches. We also want to talk about

00:10

certain differences among security approaches. Such an active versus passive

00:15

application security tests and then we want to identify the appropriate test approach for a given business case

00:25

before we get into the colour graduation of testing approaches, I want to make one distinction. So there are active application security tests and their passive application security testing approaches. Passive approaches are things such as scanning

00:41

vulnerability scans should be run frequently. There are all kinds of different types of scans, whether their network scans or application scans

00:49

or potentially their age you of agent based vulnerability testing or scanning.

00:56

Now the benefit of this is that

00:59

for known vulnerabilities, this scan will find them. He'll tell you the numbers, I can tell you how old the vulnerabilities are, depending on what you're using to do your scanning.

01:10

But

01:10

the key difference there is known

01:14

if a vulnerability has never been discovered before and doesn't have a specific signature attached to it. The vulnerability scan will not find that vulnerability. So the number of vulnerabilities turned up by the skin represents the number of known vulnerabilities, not all vulnerabilities and the application.

01:33

But

01:34

although

01:36

vulnerability scanning is a passive form of application security testing, it is still very powerful

01:42

skin. It won't really scanning and subsequent patching is incredibly useful and powerful way to keep the attack surface small and your application secure.

01:53

Let's contrast this with active

01:56

application security testing. An active application security test is often referred to as a penetration test or security assessment.

02:06

And active tests are when you actually have a company who are hired to actually attempt to

02:13

penetrate your system and identify vulnerabilities.

02:16

These tests come in three different flavors. There's white box testing, gray box testing and black box testing.

02:23

The gradation refers to the amount of information the tester has about the environment before beginning the approach.

02:31

In a white box test, they may have access to documentation. Network diagrams may actually be given a point of entry into the network before beginning their test.

02:43

In a gray box test, they may just be given high level information about how the application is designed. So they know the underlying architecture before their tests. In a black box test, the tester truly has no knowledge of the system, how it's configured and they are starting

02:58

Uh from Square one

03:00

in terms of which of these tests is most authentic. What an adversary see a black box test really reflects the level of knowledge that are true adversary who is trying to um compromise your network, that's the amount of knowledge that they would have. So the result of a black box test um In many ways represent

03:20

uh

03:21

the kind of process that a real attacker would go through.

03:25

Alright, quiz. Question. What's the following example of gray box testing?

03:30

one, an application tester looks through the code for potential application vulnerabilities

03:35

two based on documentation to test to perform security tests on an application in a sandbox or three security test of reforms and application test penetration tests without prior knowledge of the application

03:49

in this context, Number two is really the best example of gray box testing based on documentation that testers performing security tests on the education in a sandbox. So the tester, it has some knowledge of the system. They are doing their test within a sandbox environment. This can be done for a number of different reasons. Doing active

04:08

application security tests

04:10

does not come without risk. There can be risk to the availability of the application, disruption of functionality, potential damage of the code. That's why it's always very important to establish the quote rules of engagement when having an active penetration test of an application.

04:27

And do anyone who's an application

04:30

penetration tester. You always want to establish clear permissions, permission to conduct the tests when it will be done, the duration of the tests, the appropriate methods and any timing constraints related to when the test should be done.

04:46

So in summary, we talked about