A Working Definition Found Through Pen Test Scoping Process
A single, unified, complete, and universally-accepted definition of the term ‘Web application’ does not currently exist. Rather than attempt to come up with such a definition, STN security analysts define the term within the context of penetration test scoping. This helps client organizations to reliably obtain quality service and deliverables related to application-level penetration tests.
To create a workable set of criteria that define what Web applications are and what they are not, STN draws on relevant standards and guidelines such as those published by the National Institute of Standards and Technology (NIST), the Open Web Application Security Project (OWASP), Good Automated Manufacturing Practices (GAMP), and the Payment Card Industry Data Security Standard (PCI DSS). Working with client objectives and project leaders, STN incorporates these standards into a discovery, design, and deployment process called 3D-PRO. The end result is a complete and accurate “Statement of Work” for Web application penetration testing projects. This process lets both STN and its client organizations avoid the major pitfalls that are prevalent in application penetration testing:
- An unduly pessimistic Statement of Work is presented; trivial testing is performed, and deliverables with minimal value are the result.
- An unduly optimistic Statement of Work is presented; sub-standard testing is performed, and deliverables with overestimated value are the result.
- An unduly optimistic Statement of Work is presented; full testing is performed with high-quality deliverables, but the expense of the penetration testing overburdens the testing company and the client organization.
To counter these pitfalls, the outcomes of the STN 3D-PRO scoping process provide client organizations with clear maps of the Web application attack surfaces that are to be tested. In this way, project leaders can be sure that the testing process will fully meet their security goals for the project without straying outside workflow and budget capacities.

This eliminates scope creep, further mitigates the risks associated with active penetration testing, and allows client organizations to more proactively map their strategies for regulatory compliance, risk management, or implementation of information security best practices.