ISU name. Enterprise Security and Risk Management. White Paper. The Cost of Pen Testing a Web Application

Transcription

1 ISU name Enterprise Security and Risk Management White Paper The Cost of Pen Testing a Web Application

2 About the Author Srimant Acharya Srimant Acharya heads the Center of Excellence (CoE) for Enterprise Vulnerability Management within the Enterprise Security and Risk Management (ESRM) business unit at Tata Consultancy Services (TCS). With 15 years' experience in the software industry, and six years in the security domain, Acharya describes himself as a developer by heart and security analyst by profession. He has been able to balance the two delicate aspects of security vulnerabilities while influencing the developer community to adopt security best practices in coding, and robust security controls in their design efforts.

3 Abstract With increasing cyber threats and breaches, every organization needs to be alert in order to safeguard their assets. To implement the most proactive approach, most organizations today are opting for 'Penetration Testing', more popularly known as pen testing. This gives you an accurate representation of your security position at any given time. While there is an increasing demand for this exploitative type of testing, there is a considerable amount of confusion in the industry regarding the differences between vulnerability assessment and pen testing. Hence, there exists an ambiguity around its pricing as well. In this paper, we present a structured approach to understand the dynamics related to pen testing that will help companies decide when and what kind of pen testing to opt for, and at what price.

4 Contents Refocusing on Pen Testing 4 Outlining the Estimation Framework 4 The Pen Test Methodology 8 Building the Pen Testing Team 9 Drafting the Pen Testing Cost Chart 9 Secure your Enterprise 10

5 Refocusing on Pen Testing Cyber criminals and hackers are employing a number of sophisticated tools and network attacks to penetrate enterprise systems. Since web applications can be the easiest target, it is essential to perform pen tests for it. This kind of testing is expected to go beyond the realms of traditional vulnerability assessment, and locate potential issues. While vulnerability assessment simply identifies and reports noted vulnerabilities, pen testing attempts to exploit the vulnerabilities to determine whether unauthorized access or other malicious activity is possible. Although pen testing is now getting its due importance, its specific applications and additional benefits are yet to be realized. In this paper, we explore the ideal cost of a web application pen test by looking at the composition of a pen test with umpteen variations. Outlining the Estimation Framework Cost is one of the key deciding factors for any enterprise before it signs up for a security solution. Since there is no uniform package for pen testing, based on our observations of the industry, quotations vary from USD 1,000 USD 5,000 per application. This variance in cost is definitely alarming, and the reason is the absence of any structured approach for estimation. However, by putting a cost on an offering new dynamics are introduced which impact the commercial prospects of that offering. With this background, let us look at the composition of a pen test. Our estimation model is based on three factors: What is the Motive? An organization may face three types of motives: n Regulatory Compliance: The mere requirement of a certificate that a pen test was carried out, and the outcomes are not given much importance. n Vulnerability Management: Usually followed in mature organizations that has instituted this program and stuck to it. As part of this program, a pen test must be carried out and all reported vulnerabilities must be remediated within an agreeable timeline. n Proactive Assessment: This is usually initiated by proactive organizations that has gone beyond any vulnerability management program and have diligently identified a set of applications to go through the most advanced form of pen testing. What is the Application Complexity? Web applications can be classified based on three levels of complexity: n High: This would include applications with substantial amount of input controls, dishing out a large base of functional complexities, and dealing with complex authentication. The applications could also have a varied base of roles and privileges, store data pertaining to personally identifiable information (PII) and financial transactions, and allow users to upload images and documents, with a complex workflow structure. 5

6 n Medium: These applications would be similar to high complexity applications, except that they would not contain complex workflows, and not process financial transactions or sensitive data pertaining to PII. Most applications would fall in this category. n Low: This would include applications with a reasonable number of input controls (approximately five ten), not too many 'write' or 'modify' privileges, and with simple business functionalities. Usually, 10 20% applications would fall under this category. What Type of Pen Test Should Be Undertaken? Pen testing is a very rigorous activity, where the tester has to function like a hacker and attack systems to detect as many vulnerabilities as possible. As there are no standard specifications defined for this activity, despite high expectations it is almost impossible to comprehensively perform this activity, as this would be an open-ended assignment. We recommend the following three modes of pen testing: Advanced: This would involve chasing and exploiting all high impact vulnerabilities that could be there either on the surface or under the surface (stealth vulnerabilities). Usually, this mode would be subsequent to the 'regular' and 'customized' pen test mode, described later in this section. In this mode, certain activities are a must, though it is not limited to only these. It is vital to landscape vulnerabilities. First, companies should look for all known vulnerabilities, at least the ones that could seriously bring down the system. Then search for vulnerabilities that can be exploited with further intelligent inputs or guesses. They should also look for vulnerabilities that can transform under a certain condition either forced or concocted. It is equally important to correlate high-risk vulnerabilities from a combination of lower-risk vulnerabilities exploited in a particular sequence or combination. This helps make sense of two different findings of low severity to see if they can combine to create a fatal breach. This is probably the most expertise-based activity of this segment. Peer analysis of similar apps helps compare the findings of a particular app against a similar one from past assessments to see how they rank against each another. Companies should also analyze trends hinting towards a particular vulnerable segment of the app, for instance authentication or uploading of attachments. These findings should then be compared against current industry trends. Companies could run their findings by the customized National Vulnerability Database (NVD) repository for latest references to Common Vulnerabilities and Exposures (CVE). Customized: This mode is specific to certain industry-aligned policies and standards. It is carried out on top of regular pen testing and is customized to specific business needs (for example, special emphasis on authentication). In this mode, it is important to run customized policies such as Open Web Application Security Project (OWASP), SANS Top 25, and NIST-NVD. Usually these policies are used either through an automated scanner or on manual mode. Companies should identify all known vulnerabilities, at least the ones that could seriously bring down the system. It is important to focus on vulnerabilities specific to certain functional modules of the app rather than only focusing on types of vulnerabilities. Companies should map assessments against the most relevant business modules and provide a report of vulnerabilities affecting business modules. Finally, they should map assessments against the most recent threat landscape and provide a report of vulnerabilities against that landscape. 6

7 Regular: Usually, this form of testing does not target unknown vulnerabilities, but makes sure that all known ones are exploited to the hilt. It may or may not use commercial and Open Source tools. The minimum set of activities for this mode could include placing the application through an automated vulnerability assessment scanner. Preferably, an industry leading commercial scanner can do the job. However, a suite of Open Source tools are also used to supplement the findings. Manual analysis could also take place against a standardized test case, and there could be the filing of a vulnerability report. The overarching view gained from juxtaposing all dimensions together is represented in Figure 1. Complexity Motive Proactive Assessment Vulnerability Management Regulatory Compliance L M H L M H L M H M ** Not Applicable ** Numbers within boxes denote the duration of assessments across application complexity Costs Regular Customized Advanced Pen Testing Mode Figure 1: Consolidating Estimation Framework Elements The numbers within small squares are the tentative timeframe for a pen test in that category (counted against business days of eight hours). Of course, for 'regulatory compliance' related pen tests, one would not make any distinction and only serve what is required the regular pen test. Figure 1 easily illustrates that time (and thereby cost) is increasing in the north-eastwardly direction. In the advanced mode, duration is given as minimum days, as the pen test is completely based on vulnerabilities found and correlations established. For best results, two analysts should be involved in the advanced mode. In the customized mode, pen testing is often carried out with specific instructions, where customers would have prior recommendations on sensitive modules or would be expecting to test against a specific policy. The attack surface is thereby created after due consultations with the customer for a set of localized findings pertaining to a particular aspect of the application. 7

8 The Pen Test Methodology A pen test remains a manually intensive exercise, thriving mostly on findings accrued from previously carried out assessments. It is generally performed by experienced resources who have a grip on the domain and technology of the app in question. Figure 2 depicts the typical flow of a pen test. Factsheet Study Reconnaissance Threat Landscape Preparation Attack Surface Identification Reporting on Trends Exploit Final Chase Modified Attack Surface Automated and Manual Scan Figure 2: The Typical Flow of a Pen Test Let us take a look at each of these components in detail. In the first stage, the factsheet is created and then analyzed. It lays out strengths, limitations, and information pertaining to an asset or a group of assets, along with a slew of instructions to help analysts focus on a specific aspect of their assessment methodology. As the factsheet is prepared based on the CoEs experience, and not just previous tests, it is also referred to as a 'strategist's note'. Reconnaissance involves knowing as much as possible about the application from public sources. It includes studying how similar apps have fared in terms of vulnerabilities from the same database. With reconnaissance, the assessment team led by the strategist, draws up a threat landscape to attach appropriately identified soft zones of the app. The threat landscape is then further reduced to an attack surface where the actual assessment will be undertaken. These inputs are carried into the automated and manual vulnerability assessment scan to look for all the known yet critical vulnerabilities afflicting the system. The attack surface is then modified again, based on the automatic and manual mode findings. Then begins the final chase for suspected vulnerabilities and relevant cases are exploited to bring the issue to the forefront, wherever necessary. Finally, a report captures all the preceding points, findings, and trends to develop the final pen testing report. Pen tests are usually driven by a strategist (usually a senior analyst) who runs the tests with inputs from others. The test should not be measured in terms of vulnerabilities found. Instead, it should be about correlations drawn between innocuous looking vulnerabilities forming a complex chain, dropping high-risk vulnerability which nobody saw coming. Automated commercial tools so far do not possess the ability to make sense of vulnerabilities as a group or in complex combinations. However, tools are good indicators of problem areas within an application. 8

9 The strategist lays out possible concerns, strengths of the app, and leaves specific instructions to head in a particular direction. Building the Pen Testing Team Contrary to the conventional notion, pen testing is not an individual exercise. It is best performed by a team of two three people with varying degrees of experience per application, depending upon its complexity. The team should broadly comprise of: A Strategist: He is the most experienced hand of the pen test team who dictates the course of the assessment. The strategist also consults the back-end CoE and abuse cases best suited to a specific situation. An Analyst: This executive should be good with Open Source tools, malicious scripts, and breaching through validation controls. An Ethical Hacker: This is an optional function. The ethical hacker plays the ideal foil to the rest in the team in going after unimaginable leads. Drafting the Pen Testing Cost Chart A pen test is a very difficult assignment to complete. However, in most cases it is carried out with a deadline in mind. The advanced mode of pen testing is a continuously evolving exercise and thrives on run-time correlations made on emerging vulnerabilities that the team can come up with. Hence, I have proposed a minimum amount of time for the advanced mode. Based on industry experience, we have attempted to draw up an indicative cost chart for various modes of pen testing with diverse motives (see Figure 3). However, please note that the costs do not include commercial licensing fees, and in the event these are in use they will surely increase the overall cost depending upon the tool selected. INDICATIVE COST (IN DOLLARS) Low Med High Low Med High Low Med High Regular Customized Advanced PT COMPLEXITY/MODE Proactive Assessment Regulatory Complaince Vulnerability Management Figure 3: The Indicative Pen Testing Cost Chart 9

10 In Figure 3, the indicative cost lines are increasing based on the motive or intent of the pen test and the mode of assessment. Generic assumptions are made on resources required for these kinds of assessments, which generally varies between one two resources. However, for a larger program there would be program management overheads that also need to be factored in. This pen testing cost chart is meant to educate and increase awareness about factors that push up the price line. Secure your Enterprise A pen test should be best considered as an investment and not merely an expense head. When it is completed within a comprehensive vulnerability management program, it offers the promise of fortifying the application better as opposed to a traditional vulnerability assessment. While pen testing may seem a daunting exercise with the possibility of delays to deployment or disruption of data integrity, it does assure a better tomorrow for the organization. All sensitive applications (as per their respective organizational policies) should ideally undergo pen testing at least twice a year. Another important benefit accrued from pen testing is that it gives the organization real experience in dealing with an actual intrusion. The organization may indeed have all the important standards, best practices, and policies in place. However, until they actually have to deal with an attacker, they may not be certain as to how they should proceed. Pen testing brings in the state of preparedness for such unforeseen events. 10

11 About TCS' Enterprise Security and Risk Management Unit Leveraging our rich experience in enterprise security, TCS helps global enterprises across verticals manage risks, ensure regulatory compliance, proactively protect critical information assets against emerging threats, achieve resilience, and recover rapidly from security incidents. TCS has a successful track record of executing numerous engagements globally, delivering domain integrated security solutions fully aligned with clients' objectives. Our global service infrastructure, including the shared services Security Operations Center (SOC) and Forensics Labs, backed by the capabilities of our certified security consultants, make TCS a strategic partner of choice for nearly half of the Fortune 500 companies. Our Security Innovation labs foster research and innovation in the field of data privacy, and have yielded multiple patents and intellectual properties in data protection and cryptographic products. We leverage our alliances with all major security vendors, including IBM, CISCO, and Oracle, to deliver end-to-end services and solutions across the security landscape, from consulting to implementation and managed services. Contact For more information about TCS Enterprise Security and Risk Management (ESRM) services, visit: Global.esrm@tcs.com Subscribe to TCS White Papers TCS.com RSS: Feedburner: About Tata Consultancy Services (TCS) Tata Consultancy Services is an IT services, consulting and business solutions organization that delivers real results to global business, ensuring a level of certainty no other firm can match. TCS offers a consulting-led, integrated portfolio of IT and IT-enabled infrastructure, engineering and TM assurance services. This is delivered through its unique Global Network Delivery Model, recognized as the benchmark of excellence in software development. A part of the Tata Group, India s largest industrial conglomerate, TCS has a global footprint and is listed on the National Stock Exchange and Bombay Stock Exchange in India. For more information, visit us at IT Services Business Solutions Consulting All content / information present here is the exclusive property of Tata Consultancy Services Limited (TCS). The content / information contained here is correct at the time of publishing. No material from here may be copied, modified, reproduced, republished, uploaded, transmitted, posted or distributed in any form without prior written permission from TCS. Unauthorized use of the content / information appearing here may violate copyright, trademark and other applicable laws, and could result in criminal or civil penalties. Copyright 2016 Tata Consultancy Services Limited TCS Design Services I M I 05 I 16