Application Layer Penetration Testing

An application layer (layer 7) penetration test is designed to uncover software vulnerabilities, demonstrate the impact of those vulnerabilities, and provide recommendations to help mitigate the issues. Tanner’s Information Security team has two primary objectives during an application penetration test: obtain sensitive data and/or gain unauthorized access.

An application-layer penetration test is most commonly used to test the following types of applications:

  • Custom or “in-house” web applications
  • Custom web services/APIs (e.g., SOAP, REST)
  • Custom software integrations in Commercial Off-The-Shelf (COTS) Software

Application Layer Penetration Test Methodology Overview

With an application-layer penetration test, Tanner’s Information Security team helps identify both common vulnerabilities and vulnerabilities specific to the custom-developed application. While our penetration tests do use automated scanning tools, the majority of our structured testing methodology is carried out manually. Manual testing is necessary because many application-layer vulnerabilities are logic flaws in how the code handles authorization, workflow, and data; automated scanners recognize only a subset of these and will not discover all of the deficiencies in an application.

Tanner’s application layer tests begin with a network and operating-system review to verify that the underlying systems are configured securely. After performing these initial system-wide tests, Tanner’s penetration testing team focuses on the application layer (layer 7), which requires the most attention and accounts for the majority of the time allocated to these engagements.

Tanner’s team will first assume the role of an anonymous attacker who does not have valid credentials, to verify whether the application exposes any functionality or data to unauthenticated users. If user credentials are provided and authenticated testing is in the scope of the project, our team will authenticate to the application to determine whether valid users can:

  • Exploit vulnerabilities
  • Gain access to the underlying infrastructure
  • Access information they are not authorized to see
  • Escalate their privileges vertically (e.g., from a standard user to an administrator)

For role-based applications and systems, testing is conducted across all permission levels and authorization policies: each role, as well as the unauthenticated state, is exercised against every function of the application. This not only ensures coverage across the entire application, but also allows in-depth testing of complex authorization controls.
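The role-by-function testing described above (anonymous first, then every authenticated role, checking for vertical privilege escalation) can be expressed as an authorization matrix check. The following is an added example, not Tanner’s tooling or code from any real application: the target is a small constructed in-memory model with two deliberate authorization defects so the check has something to find. In a real engagement the `request` function would send HTTP requests with each role’s session token, and `EXPECTED_ALLOWED` would be built from the application’s actual endpoints and documented policy.

```python
"""Authorization matrix test: every role against every function.

Constructed example. ROLES, EXPECTED_ALLOWED, the endpoints and the
in-memory "application" below are all made up for illustration.
"""
from itertools import product

# Roles in ascending order of privilege; "anonymous" is an unauthenticated request.
ROLES = ["anonymous", "user", "manager", "admin"]

# The intended policy: which roles the application owner says may call each function.
EXPECTED_ALLOWED = {
    "GET /health": {"anonymous", "user", "manager", "admin"},
    "GET /profile/me": {"user", "manager", "admin"},
    "GET /reports/team": {"manager", "admin"},
    "POST /users": {"admin"},
    "DELETE /users/{id}": {"admin"},
}


def _implemented_check(endpoint, role):
    """Constructed stand-in for the application's real access control.

    Two deliberate defects: POST /users performs no role check at all, and
    DELETE /users/{id} accepts managers although only admins should be allowed.
    """
    if endpoint == "GET /health":
        return True
    if role == "anonymous":
        return False  # every other function requires authentication
    if endpoint == "GET /profile/me":
        return True
    if endpoint == "GET /reports/team":
        return role in ("manager", "admin")
    if endpoint == "POST /users":
        return True  # defect: missing authorization check
    if endpoint == "DELETE /users/{id}":
        return role in ("manager", "admin")  # defect: should be admin only
    return False


def request(endpoint, role):
    """Simulate calling `endpoint` as `role`; returns an HTTP-like status code."""
    return 200 if _implemented_check(endpoint, role) else 403


def run_matrix(expected, roles, send=request):
    """Exercise every (endpoint, role) pair and diff the result against policy.

    Returns a list of findings. 'unauthorized_access' means the role reached a
    function it should not; 'broken_function' means an allowed role was denied
    (a functional bug worth reporting, since it often hides a misapplied rule).
    """
    findings = []
    for endpoint, role in product(expected, roles):
        status = send(endpoint, role)
        should_allow = role in expected[endpoint]
        if status == 200 and not should_allow:
            findings.append({"endpoint": endpoint, "role": role,
                             "kind": "unauthorized_access"})
        elif status != 200 and should_allow:
            findings.append({"endpoint": endpoint, "role": role,
                             "kind": "broken_function"})
    return findings


def vertical_escalations(findings, expected, roles):
    """Keep only unauthorized-access findings where the caller's role ranks below
    every role the policy allows, i.e. a lower-privileged role reached a
    function reserved for higher-privileged roles."""
    rank = {role: i for i, role in enumerate(roles)}
    out = []
    for f in findings:
        if f["kind"] != "unauthorized_access":
            continue
        lowest_allowed = min(rank[r] for r in expected[f["endpoint"]])
        if rank[f["role"]] < lowest_allowed:
            out.append(f)
    return out


if __name__ == "__main__":
    found = run_matrix(EXPECTED_ALLOWED, ROLES)
    for f in found:
        print(f"{f['kind']:20} {f['role']:10} {f['endpoint']}")
    print(f"{len(vertical_escalations(found, EXPECTED_ALLOWED, ROLES))} vertical escalation(s)")
```

Against the constructed model the matrix reports three findings, all vertical escalations: a standard user and a manager can create users through `POST /users`, and a manager can delete users through `DELETE /users/{id}`. The same harness is also how the anonymous pass is done: the `anonymous` row of the matrix is simply the unauthenticated request, and any 200 it receives outside the documented public functions is a finding.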

Penetration Test Deliverable

The deliverable for this engagement is a report highlighting the gaps identified during testing, along with Tanner’s prioritized recommendations to help remediate the identified risks and improve the overall security of the application. Our recommendations take into consideration the company’s size and the sensitivity of the data involved when determining the importance and urgency of each item.