Application Security Testing Approaches Part 1

Video Activity
Join over 3 million cybersecurity professionals advancing their career
Sign up with
Required fields are marked with an *
or

Already have an account? Sign In »

Time
12 hours 57 minutes
Difficulty
Intermediate
CEU/CPE
13
Video Transcription
00:04
in this lesson, we're gonna explain the differences between testing visibility amongst approaches. We also want to talk about
00:10
certain differences among security approaches. Such an active versus passive
00:15
application security tests and then we want to identify the appropriate test approach for a given business case
00:25
before we get into the colour graduation of testing approaches, I want to make one distinction. So there are active application security tests and their passive application security testing approaches. Passive approaches are things such as scanning
00:41
vulnerability scans should be run frequently. There are all kinds of different types of scans, whether their network scans or application scans
00:49
or potentially their age you of agent based vulnerability testing or scanning.
00:56
Now the benefit of this is that
00:59
for known vulnerabilities, this scan will find them. He'll tell you the numbers, I can tell you how old the vulnerabilities are, depending on what you're using to do your scanning.
01:10
But
01:10
the key difference there is known
01:14
if a vulnerability has never been discovered before and doesn't have a specific signature attached to it. The vulnerability scan will not find that vulnerability. So the number of vulnerabilities turned up by the skin represents the number of known vulnerabilities, not all vulnerabilities and the application.
01:33
But
01:34
although
01:36
vulnerability scanning is a passive form of application security testing, it is still very powerful
01:42
skin. It won't really scanning and subsequent patching is incredibly useful and powerful way to keep the attack surface small and your application secure.
01:53
Let's contrast this with active
01:56
application security testing. An active application security test is often referred to as a penetration test or security assessment.
02:06
And active tests are when you actually have a company who are hired to actually attempt to
02:13
penetrate your system and identify vulnerabilities.
02:16
These tests come in three different flavors. There's white box testing, gray box testing and black box testing.
02:23
The gradation refers to the amount of information the tester has about the environment before beginning the approach.
02:31
In a white box test, they may have access to documentation. Network diagrams may actually be given a point of entry into the network before beginning their test.
02:43
In a gray box test, they may just be given high level information about how the application is designed. So they know the underlying architecture before their tests. In a black box test, the tester truly has no knowledge of the system, how it's configured and they are starting
02:58
Uh from Square one
03:00
in terms of which of these tests is most authentic. What an adversary see a black box test really reflects the level of knowledge that are true adversary who is trying to um compromise your network, that's the amount of knowledge that they would have. So the result of a black box test um In many ways represent
03:20
uh
03:21
the kind of process that a real attacker would go through.
03:25
Alright, quiz. Question. What's the following example of gray box testing?
03:30
one, an application tester looks through the code for potential application vulnerabilities
03:35
two based on documentation to test to perform security tests on an application in a sandbox or three security test of reforms and application test penetration tests without prior knowledge of the application
03:49
in this context, Number two is really the best example of gray box testing based on documentation that testers performing security tests on the education in a sandbox. So the tester, it has some knowledge of the system. They are doing their test within a sandbox environment. This can be done for a number of different reasons. Doing active
04:08
application security tests
04:10
does not come without risk. There can be risk to the availability of the application, disruption of functionality, potential damage of the code. That's why it's always very important to establish the quote rules of engagement when having an active penetration test of an application.
04:27
And do anyone who's an application
04:30
penetration tester. You always want to establish clear permissions, permission to conduct the tests when it will be done, the duration of the tests, the appropriate methods and any timing constraints related to when the test should be done.
04:46
So in summary, we talked about
04:47
active vs. Passive application security testing methods and then we talked about the difference between white box grey box and black box testing. All right, I'll see in the next lesson.
Up Next