Deperimeterisation - Increased demand for authenticated penetration testing
During the last eighteen months there has been a significant increase in the requirement for malicious user and authenticated security testing.
A key reason for the growth in this type of testing is the increasing number of applications placed on the Internet to allow access by internal staff, business partners, suppliers and clients. Many large organisations are adopting this strategy as part of an overall externalisation or 'deperimeterisation' programme. However, this raises new security questions, such as:
* How do you know that the application is secure?
* Could a supplier read confidential documents that are meant for internal staff?
* Could an authenticated user (or an attacker that has obtained user credentials) subvert the application?
* If a user logs out of the application, could an attacker use the same computer to log on to the application again (e.g. in a public area such as an Internet café)?
ProCheckUp has been conducting penetration testing specifically to locate these types of vulnerabilities for a number of years under the names 'Malicious User' testing and 'Authenticated Session' testing. It has been a standard requirement in the financial sector, and it is becoming increasingly common for organisations in other vertical sectors to test their systems from this perspective.
Malicious User testing involves accessing a system using credentials, typically a username and password, to assess whether a user can subvert the application or gain access to information which should be outside of their permission levels.
As sites may have differing types of user with varying access privileges, it is worth testing a cross section of users to ensure the highest level of security.
Authenticated Session testing assesses whether a user can move between user accounts or, for example, log on to a system once the legitimate user believes they have exited the application.
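The two checks described above, as an added Python example that is not ProCheckUp code: replaying a session token after logout (Authenticated Session testing) and reading a document owned by another user (Malicious User testing). The in-memory store, user names and document ids are constructed for illustration.

```python
"""Added example (not ProCheckUp code): a minimal session store and document
service showing the checks described above: replaying a session token after
logout, and reading another user's document. All data is constructed."""
import secrets

DOCUMENTS = {  # constructed sample data: document id -> (owner, content)
    "doc-1": ("alice", "internal staff only"),
    "doc-2": ("bob", "supplier price list"),
}

class SessionStore:
    def __init__(self):
        self._sessions = {}  # token -> username

    def login(self, username):
        token = secrets.token_urlsafe(32)
        self._sessions[token] = username
        return token

    def whoami(self, token):
        return self._sessions.get(token)

    def logout_client_only(self, token):
        # Weak logout: only tells the browser to drop the cookie; the
        # server-side session stays alive, so a replayed token still works.
        return {"Set-Cookie": "session=; Max-Age=0"}

    def logout(self, token):
        # Correct logout: invalidate the session on the server as well.
        self._sessions.pop(token, None)
        return {"Set-Cookie": "session=; Max-Age=0"}

def read_document(store, token, doc_id, enforce_owner=True):
    """Return content, or None if unauthenticated or not permitted. With
    enforce_owner=False only login is checked: the gap a Malicious User test finds."""
    user = store.whoami(token)
    if user is None or doc_id not in DOCUMENTS:
        return None
    owner, content = DOCUMENTS[doc_id]
    if enforce_owner and owner != user:
        return None
    return content

def replay_after_logout(server_side_invalidation):
    """Log in, log out, then replay the old token; True if it is rejected."""
    store = SessionStore()
    token = store.login("alice")
    (store.logout if server_side_invalidation else store.logout_client_only)(token)
    return store.whoami(token) is None
```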
ProCheckUp has developed its artificial intelligence engine to support Malicious User and Authenticated Session testing in conjunction with its security consultants, and it frequently finds vulnerabilities that have not been located during conventional manual tests.