Call for Help
Via email over a social networking site, we were contacted by a firm that was looking for a company to perform external attack and penetration testing. We responded by indicating that we did that type of work, and we would be happy to assist in any way. In a subsequent conference call, we learned that this firm had developed a web application that was going live within two weeks, and that they wanted to ensure that all security issues were addressed before going live.
In general, we would suggest performing a vulnerability analysis and secure code review against the source code and hosting environment, to identify both software and hardware vulnerabilities that may allow an external agent to compromise the application, access and inappropriately edit user profiles, and/or alter the application's functionality. We also would suggest an external penetration test to verify the vulnerabilities discovered and to identify process and business practices that may be susceptible to compromise.
In this case, however, the closeness of the announced launch date limited our options in assessing the application's security posture. The overall security assessment process would have to be completed in less than ideal time, which meant that we likely would have to limit time spent on researching the application and identifying vulnerabilities. Time for a true security code review was also insufficient. Further, extra caution would be needed for any penetration testing, to ensure that it would be nondestructive. In nine out of ten cases, pen tests are nondestructive; however, as the application was going live within two weeks, there really was no recourse for harming the code, breaking the system, or in any way altering the functionality of the application, so extra caution was warranted on that front as well.