Is Web App Penetration Testing Worth the Price?

The Fundamentals of Web App Penetration Testing

A couple of blog posts ago we went through the fundamentals of Web Application Penetration Testing.

We suggested that a web application penetration test is an assessment of the security of the code and of the use of the software and libraries on which the application runs. Pen testers are security professionals who search for vulnerabilities in web apps such as:

  • Injection vulnerabilities
  • Broken authentication
  • Broken authorization
  • Incorrect error handling

In this blog post, we will discuss the pricing and overall economics of conducting web app penetration tests. First, as a note, from a broad perspective, a penetration test is an authorized simulated cyber-attack on a computer system or application, performed to assess the strengths and weaknesses of that system or application from the perspective of a criminal, hacker, insider threat, and so on. One thing to remember is that a penetration test is a point-in-time test that is, or should be, conducted periodically: systems, applications and environments change frequently, and so does the security of those assets.

Penetration tests are critical to giving IT security an understanding of the overall security posture of the organization and of the individual assets within it. They test the security controls the organization has adopted, for the sole purpose of strengthening existing controls and adding new controls to eliminate weaknesses.

Web Apps are the Most Targeted Asset by Hackers

In our previous blog post, we touched on some of this information, so why the review? Because web apps are by far the most targeted asset cybercriminals use to access systems, escalate attacks, gain privileges on high-priority systems and ultimately steal the sensitive data of the organization, its customers, and employees. As a matter of fact, according to the SANS Institute, web applications account for more than 60% of targets in cyber-attack attempts. In our opinion, this percentage has likely been far higher over the past year or year and a half. Literally tens of thousands of websites are targeted and hacked every day.

Vulnerability assessments, security posture assessments, and penetration tests are geared to evaluate the security strategy of an organization, and they are critical. However, for the most part, they are not intended to test the security of a web application specifically, the way a web app pen test is: it is designed to find flaws in the code that attackers can take advantage of to gain access to a system.

Determining the frequency of doing a web app pen test depends on a variety of factors including:

  • Is the application business-critical?
  • How often does the application’s code change?
  • What are other related systemic risks to the app?

In addition, because software developers or devops are constantly publishing new code, pen testing may be needed fairly often. Organizations conduct web app pen tests on an as-needed basis, which can be as often as quarterly or just once a year. Typically, the frequency of pen testing is aligned with the minimum requirements for compliance, such as those in ISO, PCI DSS, FISMA, HIPAA, Sarbanes-Oxley, and others.

The Real Cost of a Web App Pen Test

First, we recommend using pen testers who can clearly communicate what they are testing and discuss actionable remediation. A security testing mill, which you’ll find via Google pretty easily, is going to cost less, but you’re not going to get the advantage of talking to an expert human who will support your IT security team’s goal of using the information to prevent future hacks.

Second, a penetration test can cost anywhere from a few thousand dollars for a small, non-complex organization to more than $100,000 for a large, complex one. Penetration testing for a very “simple” single server/database web application with fewer than 10 pages, no publicly exposed APIs and 1-2 user roles will cost you approximately $5,000 US. If you are quoted an amount less than this, you should ask the pen test provider serious questions about the robustness, relevance, and worth of the pen test they are quoting, because it might not be a quality test.

We added our pricing below which we discussed in our previous blog post and which you can always discuss with one of our experts.

Third, be careful about how much time a web app pen test requires from your team, including choosing a vendor, negotiating a contract, scoping the test, and finding an appropriate start date. Think about it: this can often be up to two weeks of effort you spend internally just to get a vendor to start a test. Make sure that the vendor is easy to work with, can guide you based on your needs, and is 100% prepared to get started with the project on time.

Fourth, when the penetration test is completed you should receive a comprehensive report that includes all the remediation issues that were found. These issues should be discussed and evaluated between the pen tester and your team in order to prioritize fixes. In many cases, there will be several days, if not a week or two, of remediation that needs to be handled by your team. Remediation is of course a job on top of the jobs your team conducts on a daily basis, so the more clearly the pen tester can spell out the issues, the faster your team can handle remediation.

Finally, verifying your team’s remediation of the vulnerabilities is generally not included in a web app pen test. Thus, you typically rely on other tools such as a Dynamic Application Security Test (DAST) scanner. However, scanners won’t learn your business logic, and they won’t find that vulnerable plug-in that gives Admin access to your application.

A scanner’s tests may even run a buffer overflow or SQLi attack which will ultimately damage your web app. In addition, a scanner will not deliver zero false positives, so there is a possibility it will increase pen test remediation activities.

Conclusion

Human Interaction is Key to a Successful Project
Pen testing as a service is becoming increasingly popular; however, not having a real, live expert to discuss issues with is a serious drawback when it comes to eliminating vulnerabilities both now and in the future.

Access to Security Experts
Please make sure that human is a certified ethical hacker and an experienced expert in web app penetration testing. Further, make certain they come from an organization with a quality reputation and the ability to help you with other security needs.

Transparent Pricing is Critical
Find partners that can provide pricing in a clear, understandable manner. Lots of security services are custom and difficult to estimate; however, web app pen tests should be fairly straightforward when it comes to pricing.

Making Remediation a Priority
Detected vulnerabilities and risk-based remediation need to be available immediately after the test is complete and the report is delivered. The partnership between the pen tester, IT security, and devops should be a priority and should start as soon as possible.
