Ensuring application security through network penetration tests

Q: A colleague from an enterprise recently told me about their application testing process and how comprehensive the test was. They also conduct network penetration tests on application systems to ensure comprehensive security. I think it sounds like a waste of time and resources. Do you agree with me? Is network penetration testing good for application system security? If so, what are the benefits?

A: It doesn't make much sense to have a strong, fully tested application in a vulnerable network, because the network itself may have an unknown vulnerability in its configuration or processes. Although hackers are currently attacking Web applications directly, they will not hesitate to take full advantage of an alternative path to break into the organization and steal information assets.

When comparing these two types of penetration tests, your statement is correct: application system penetration testing is more important. As I said just now, this is because the application system is the focus of current attacks, and the network should already be protected by network boundary defenses such as firewalls, intrusion monitoring systems, and anti-virus gateways. It is precisely because of such boundary defense measures that hackers have been forced to shift their attack targets to application systems.

However, it is important to test whether network security devices run as expected and actually protect the network. When systems are integrated or deployed, interaction between multiple devices, services, and functions may lead to unexpected weaknesses. This can only be found by taking the system as a whole for penetration testing.

The process of proactively analyzing potential system vulnerabilities can begin with poor or incorrect system configurations, followed by known or unknown hardware or software defects, and operational weaknesses in processes and technical countermeasures. A network penetration test can explore how strong the controls are, such as password selection; server, firewall and IDS configuration; trust relationships between systems; and remote access point overflow resistance, as well as the ability of network defense measures to successfully detect and respond to attacks.

Compliance with the requirements in PCI DSS section 11.3 (PCI DSS, Payment Card Industry Data Security Standard) requires at least one external and one internal penetration test each year, covering both the network layer and the application layer; it also requires testing after any major infrastructure or application upgrade or modification. Industry standards such as ISO 27001 also define it as one of the important security tests that organizations should conduct on a regular basis. In addition, the results of a network penetration test provide evidence for increased investment in security personnel and technology. Now, this has become a very worthwhile task.

From TechTarget China
