An Application Security Test (AST) measures your website or application’s exposure to IT threats. Also called an application penetration test or online security test, its goal is to identify the actions that reduce the risk of compromise and data loss.
Our IT security experts also try to get around your security systems and exploit potential vulnerabilities under real-life conditions, so that your platform is tested as realistically as possible. Whether it is internal or external, and whether it covers all or only part of your applications, this security test is based on simulating the malicious actions a third party could carry out.
Why do an application penetration test?
When a website goes online, companies often underestimate the size of the exposed surface and the extent of the vulnerabilities that may be there. Furthermore, it is not always easy to monitor the security incidents of all the technologies used on a site. An application penetration test highlights your platforms’ sensitive points so you can implement best practices and corrective actions that will improve their security.
Regularly, our clients tell us: “go on, try to get into our e-commerce site, we take our IS’s security seriously, and you won’t be able to get our client database”. However, what most of them forget (and especially in large organisations) is that one poorly secured application puts all of your applications and systems in danger. As protected as they may be, they can be compromised if there is a penetration in an application that is on the same infrastructure or if they are connected in one way or another.
Frequently, our experts reach their objective through an abandoned microsite built for an event (for example, a competition landing page), or through a CV submission platform that HR manages itself but which is hosted on the same infrastructure as the company’s main site. In such cases, it is very easy for our IT security experts to detect a flaw in these rarely maintained “secondary” applications and exploit it, with ricochet and rebound effects, to reach the holy grail: your client database, your banking details or your manufacturing secrets.
NBS System’s expertise in IT Security
- 21 years of experience
- 250+ clients in IT security
- Creator of CerberHost
- Creator of Naxsi
What are the phases of an IT penetration test?
- Setting up the assignment
The Application Security Test assignment starts with a “kick-off” meeting, in other words, the meeting at which the scope of the audit is approved. During this meeting, we clearly define which application is to be audited, which environments or data you hope our consultants will not be able to reach, how the application will be accessed and, in particular, whether the test follows a black, grey and/or white box protocol.
IT tests can be done in black, grey or white box mode, depending on how much information about your application you want to give our testers. In a black box test, they only know your business’s name and the URL of the application to test. In a grey box test, you also provide them with a user account or credentials so they can access the “private” space that is open only to your members and not to all Internet users; this lets our experts test your platform in greater depth. In a white box test, you additionally give them access to the application’s source code.
- Discovering the scope
Before getting to the heart of the matter, our consultants take the time to get to know your application as any Internet user would. They visit your site, your blog section and your hiring pages, and create customer accounts just as your users would.
- Gathering information
Depending on the protocol you chose (black, grey and/or white box), our IT security experts may ask you for additional information to save time during the next phase: the software versions in use, the type of system configuration deployed, the password policy in effect, etc.
- Searching for vulnerabilities & building attack scenarios
This is when our experts enter the most important phase of the analysis: they examine every nook and cranny of your system to detect vulnerabilities, whether by attacking the site (front office) directly or by trying to reach or create backdoors into your back offices, web servers, SQL databases, data flows and protocols, or authentication systems.
How do they operate? They think outside the box so that nothing is overlooked, they work around every defence mechanism, and they are always as precise and specific as they can be.
Their goal? Get your database, compromise your system, control your access rights; in short, get a hold of whatever is your company’s real added value!
In reality, our experts turn into “white hats” for the duration of the test: ethical hackers who do not profit from what they find, but who are nevertheless just as effective as genuinely malicious attackers.
- Drafting and delivering the report
Our IT security experts’ assignment is to record every system manipulation, compromise action and attack attempt, so that we can give you a transparent, factual list of all the actions we took on your applications. This list can be delivered unedited in the assignment report and/or summarised according to your needs. Of course, beyond recording and analysing our experts’ actions, the report also includes all the recommendations your company needs in order to take corrective action and secure your applications by reducing their exposure to risk.
We can also give a verbal report to shed more light on the results or present the ins and outs of the Application Security Test to a board of directors.
When should you do an Application Security Test?
A penetration test can be done at any time in your website or application’s lifecycle to assess its level of security.
However, we recommend that you conduct an application penetration test before the application goes into production. By correcting flaws before release, you put a secure platform onto the web that does not give hackers the chance to compromise your system.
Who should conduct an Online Security Test?
NBS System has created a security unit of 10 experts split between two main missions:
- One of the teams spends its time on Research & Development projects. This investment allows them to share their expertise with the company and the open source community by creating security tools such as the NAXSI application firewall, PHP Malware Finder and the Snuffleupagus PHP shield. It also keeps them at the forefront of the latest security discoveries, both offensive and defensive.
- The other team is available to perform audits and penetration tests and help you secure your information systems and web platforms.
For temporary, randomly assigned periods, each of our experts also takes on the role of SecOps. By serving our in-house teams and our clients, and supporting them in various operational security missions, they stay in touch with market realities and can understand your issues and needs.
Where are application penetration tests conducted?
By definition, the goal of an application security test is to test an application, whether web, mobile or something else. For this reason, ASTs are usually conducted remotely from our facilities, since our physical presence in your offices adds no value.
Deontology & ethics at NBS System
No data is retained, and all information gathered is returned to you in its entirety. If our experts identify vulnerabilities on your platform, these are never exploited outside the tests and never shared with third parties. The report we deliver is also completely confidential: only the NBS System security team and the report’s recipients have access to it.
Do you have a cybersecurity project?