﻿1
00:00:01,200 --> 00:00:02,880
Types of security testing.

2
00:00:03,900 --> 00:00:08,810
So, of course, there would be several types of testing methodologies for Web applications.

3
00:00:09,800 --> 00:00:12,750
And it's sometimes difficult to differentiate between them.

4
00:00:12,770 --> 00:00:13,790
I'll be honest with you.

5
00:00:14,990 --> 00:00:21,980
So in the field, sometimes the names are, well, used interchangeably, and I think that kind of adds

6
00:00:21,980 --> 00:00:23,010
to the confusion.

7
00:00:23,660 --> 00:00:30,850
So this sets incorrect expectations of every single one of these tests.

8
00:00:30,860 --> 00:00:31,240
Right.

9
00:00:32,160 --> 00:00:40,170
So you've got to remember that each methodology has a different scope and goals, each with their own strengths

10
00:00:40,170 --> 00:00:40,880
and weaknesses.

11
00:00:41,760 --> 00:00:47,070
Also, what about the requirements behind the security testing? Those can vary as well.

12
00:00:48,360 --> 00:00:54,870
I mean, the requirements may be mandated by corporate policies as well as compliance requirements for

13
00:00:55,020 --> 00:01:03,210
PCI or compliance with regulatory standards such as Sarbanes-Oxley or so, to make it clear.

14
00:01:04,340 --> 00:01:10,240
Each method is very different from one another, even though they may have similarities.

15
00:01:11,260 --> 00:01:16,210
Some of them can be completely automated, but others have to be done manually.

16
00:01:17,050 --> 00:01:20,170
So in other words, the way we do these tests differs.

17
00:01:21,060 --> 00:01:26,100
Now, we're going to briefly describe some of these methods and we'll continue with our penetration

18
00:01:26,100 --> 00:01:27,420
testing, I assure you.

19
00:01:28,530 --> 00:01:29,850
Source code review.

20
00:01:30,700 --> 00:01:32,470
So it's always good to have a look at the code.

21
00:01:33,480 --> 00:01:39,460
Because every vulnerability is there, except operational and deployment problems, of course.

22
00:01:40,260 --> 00:01:47,820
So when source code is reviewed, the code itself is checked manually for any vulnerabilities such as

23
00:01:47,820 --> 00:01:51,000
bad input validations, logic bombs or others.

24
00:01:51,990 --> 00:01:59,250
It's not always easy with security source code analysis. The way I see it, if companies don't include

25
00:01:59,250 --> 00:02:07,380
SDLC in their development process, a source code analysis is, well, getting really difficult to do.

26
00:02:07,540 --> 00:02:14,230
And mostly companies prefer penetration testing as the technique of choice for technical testing.

27
00:02:14,280 --> 00:02:17,040
Do they get where they've invested it, you know?

28
00:02:18,120 --> 00:02:23,340
So a source code analysis is very efficient with a proper SDLC.

29
00:02:24,740 --> 00:02:26,150
Vulnerability assessment.

30
00:02:27,500 --> 00:02:33,260
A vulnerability assessment is focused on finding security weaknesses or vulnerabilities within the

31
00:02:33,260 --> 00:02:35,450
Web application without exploiting them.

32
00:02:36,830 --> 00:02:40,190
It can be completely or partially automated.

33
00:02:41,610 --> 00:02:46,200
And several vulnerability scanners can be used to identify the vulnerabilities.

34
00:02:47,170 --> 00:02:54,040
Also, a very great feature to keep in mind is if the scanner can prioritize the vulnerabilities that

35
00:02:54,040 --> 00:03:03,910
it finds. Web application audits. A security audit is, well, it's really much broader than a vulnerability

36
00:03:03,910 --> 00:03:04,480
assessment.

37
00:03:05,670 --> 00:03:12,090
The scope of a Web application audit may contain other associated components, such as change management,

38
00:03:12,090 --> 00:03:15,000
databases, application servers, firewalls and so on.

39
00:03:15,890 --> 00:03:23,950
An audit team should collect data from all components of the system and then make a vulnerability assessment

40
00:03:23,950 --> 00:03:29,110
according to the policy and procedures of the company's documentation.

41
00:03:29,560 --> 00:03:37,090
It's also possible to interview the staff as well as other personal aspects of the business.

42
00:03:37,930 --> 00:03:43,540
So the primary objective of an audit is to measure and report on conformance.

43
00:03:44,600 --> 00:03:50,210
They like that word. I think it's a... I like to think of it as a combination of compliance and performance.

44
00:03:51,080 --> 00:03:52,520
Penetration testing.

45
00:03:52,960 --> 00:03:59,390
OK, so sometimes people think defense is the best offense.

46
00:04:00,290 --> 00:04:05,750
Well, with penetration testing, it's actually more offense than defense.

47
00:04:06,350 --> 00:04:09,650
It's more offensive than other techniques, in fact.

48
00:04:10,550 --> 00:04:17,300
So then the purpose of the tester here is to find the vulnerabilities and compromise them to prove

49
00:04:17,330 --> 00:04:19,010
the security risk of the system.

50
00:04:20,030 --> 00:04:26,600
So you first need to identify the scope of the test, then you can attempt to compromise the vulnerabilities

51
00:04:26,600 --> 00:04:33,350
found in the application. You might have come across that penetration testing is sometimes called ethical

52
00:04:33,350 --> 00:04:33,800
hacking.

53
00:04:34,550 --> 00:04:42,020
However, it's actually a subset of ethical hacking, but it definitely differs from the concept of

54
00:04:42,020 --> 00:04:42,920
ethical hacking.

55
00:04:43,910 --> 00:04:50,000
Because it's a more streamlined way of identifying vulnerabilities in the systems and finding out if

56
00:04:50,000 --> 00:04:53,710
the vulnerability is actually exploitable or not.

57
00:04:55,020 --> 00:05:00,930
So in this course, we're going to dive into Web application penetration testing.

58
00:05:02,010 --> 00:05:09,750
So penetration testing, as we've been describing, is a way to simulate the methods of attackers in

59
00:05:09,750 --> 00:05:15,500
order to circumvent an organization's security controls and then gain access to their system.

60
00:05:16,200 --> 00:05:20,970
Sometimes you'll hear about vulnerability scanners as well as some other automated tools.

61
00:05:22,270 --> 00:05:28,960
Now, I don't want to underestimate their strengths, but this is not an exact penetration test.

62
00:05:30,130 --> 00:05:32,510
You've got to get in there and get your hands dirty.

63
00:05:33,250 --> 00:05:34,450
You'll see what I mean soon.

64
00:05:35,490 --> 00:05:37,470
Post-remediation testing.

65
00:05:38,880 --> 00:05:45,540
So after conducting a penetration test, the tester, or you, should produce a report, right?

66
00:05:46,390 --> 00:05:53,470
And this report may include a whole range of things about each particular vulnerability.

67
00:05:54,590 --> 00:06:01,220
But the most important one is the advice, or a way to explain how they're going to fix the vulnerability.

68
00:06:02,530 --> 00:06:09,610
A pen test report without remediation is almost absolutely worthless to the customer.

69
00:06:10,860 --> 00:06:18,570
So for a proper penetration testing report, the tester here should verify if the vulnerabilities found

70
00:06:18,570 --> 00:06:26,040
during the penetration test have been, or are able to be, completely remediated.

71
00:06:26,730 --> 00:06:32,130
Now, this, of course, is a separate test, so it should be clearly defined in your contract.

72
00:06:33,090 --> 00:06:36,150
Otherwise, it's not wise to test it.

73
00:06:37,620 --> 00:06:43,680
OK, so we're almost done with this kind of administration stuff, but I do want to share with you three

74
00:06:43,680 --> 00:06:44,790
more terms.

75
00:06:45,940 --> 00:06:50,980
Now, of course, you may hear them while working in the field, and you do want to be able to know

76
00:06:50,980 --> 00:06:53,000
exactly where they come from and what they mean.

77
00:06:53,830 --> 00:06:57,700
So this is another approach to security testing.

78
00:06:58,590 --> 00:07:01,410
The first term is white box testing.

79
00:07:02,600 --> 00:07:10,190
And what this means is that you can reach almost every resource that is going to be within the boundaries

80
00:07:10,190 --> 00:07:17,030
of the test. You work closely with your organization to identify potential security threats, and the

81
00:07:17,030 --> 00:07:20,450
IT team helps you out while interacting with the system.

82
00:07:20,870 --> 00:07:25,850
That way, you can analyze the source code and talk with the internal teams of the client.

83
00:07:26,600 --> 00:07:30,470
You can check the configurations, network diagrams and more if you need to.

84
00:07:31,820 --> 00:07:38,240
And you will have access to insider knowledge, and you can launch attacks without fear of being blocked.

85
00:07:39,470 --> 00:07:42,290
Now, the second term is gray box testing.

86
00:07:43,580 --> 00:07:49,160
And what this means is that you will have partial info about the assets which are going to be tested.

87
00:07:50,070 --> 00:07:54,270
You may have some basic or broader information about the system if you need.

88
00:07:55,440 --> 00:07:58,530
So the last one is black box testing.

89
00:07:59,750 --> 00:08:05,090
So on this type of test, you have almost no prior information about the assets that will be tested.

90
00:08:05,960 --> 00:08:12,680
So unlike white box testing, this time in a black box, you are not provided any knowledge about the

91
00:08:12,680 --> 00:08:13,160
system.

92
00:08:14,270 --> 00:08:20,720
So with this type of testing, organizations might be able to evaluate their internal security team's

93
00:08:20,720 --> 00:08:27,320
ability, as well as identify their detection and response operations.

94
00:08:28,590 --> 00:08:34,170
Black box testing is designed to simulate the actions of an attacker, right, just like any other ethical

95
00:08:34,170 --> 00:08:35,950
hack or penetration test.

96
00:08:36,820 --> 00:08:41,670
However, this also relies on far too much reconnaissance.

97
00:08:42,480 --> 00:08:45,930
So this type of test can be costly and time-consuming.

98
00:08:46,790 --> 00:08:54,740
They require way more skills than gray box tests, and I have mostly been in this type of scenario, which

99
00:08:54,740 --> 00:09:01,550
is often preferred by clients because you're actually simulating an absolutely real-world attack.

100
00:09:02,580 --> 00:09:09,330
So therefore, as a pentester, you will typically attempt to find vulnerabilities in a particular target.

101
00:09:10,700 --> 00:09:15,650
And one more thing: in a real-life pen test, you don't classify the test.

102
00:09:16,890 --> 00:09:21,330
You and your client just define the scope and then you start to test.

103
00:09:22,460 --> 00:09:27,310
So what I mean by that is that the test doesn't need to be just one-sided, right?

104
00:09:27,650 --> 00:09:33,890
Your test may be close to black, it might be close to white, or somewhere in the middle.

105
00:09:34,130 --> 00:09:38,270
Again, this is for you to define with your client.

106
00:09:39,110 --> 00:09:42,680
In the end, it doesn't really matter just as long as you know what you're doing.

