Application Penetration with Business Logic Tests

Standard app-pen testing is mature, yet it lacks several ingredients needed to make it a core part of a continuous deployment methodology. Privacy and security issues must be exposed before software launches, and again for sites and applications that are already live. This applies to business, consumer and internal apps alike: all are at risk if issues are not found and addressed early.

App-pen testing must be fast, automatic, reuse existing test scripts, and reach every page an application serves, so that vulnerabilities on pages a simple spider never finds are not missed.

The proprietary technology used by Appvance UTP is the first to expose more of these issues while reusing existing functional and performance test scripts. Advantages of Appvance UTP include:

  • Fits your continuous deployment process and finds app security issues quickly, run by Dev or QA
  • Requires no security expertise and runs automatically at each and every build
  • Business-case-driven app-pen finds far more issues than traditional automated app-pen

DevOps-ready and aligned with Shift Left initiatives

Application penetration (“app-pen”) tests have been around for nearly 20 years. This is a mature field, yet one in which much of your application goes untested. The majority of organizations run an app-pen test once a year, or every six months against certain applications.

In an era of DevOps and Agile, where a build a day is a reasonable goal, app-pen needs to happen at each and every build, close to the dev team or early in each QA cycle, automatically as part of your CI workflow, since any build can introduce a security regression.


Applications have many “hidden” pages

Appvance UTP can test all pages, hidden or not

Surfaces more security risks than standard white-hat tests

Standard app-pen testing starts with a top-level domain or IP address and spiders from there to find the pages reachable without credentials. It then runs checks for the OWASP Top 10 vulnerability classes against the pages it found.

While that is fundamentally easy to outsource or run, it will miss the majority of pages and issues in a modern application.

Today, hackers often gain credentials and access to applications that can allow them to navigate to otherwise untested and insecure pages. This could expose key employee and customer data as well as intellectual property.

Appvance UTP uniquely goes deeper than any other test automation software to uncover problems where hackers can find them—but other white hat tests cannot.



Use the same scripts you use today

With Appvance UTP, use cases or scripts written for functional tests or performance tests (or any tests) can—for the first time—be used to drive business logic through an application. No consultants are required. No security expertise is required. Just use the same scripts you use today (Appvance UTP supports 24 script types) or simply record use cases…no coding needed.


In this simple Selenium example, app-pen auto-runs at 2 steps

Resulting reports contain low and high warnings

Deep app pen testing

Appvance UTP uses recorded or scripted use cases to log in and navigate applications to their deepest levels. If a QA person, developer or business analyst can get there, so can Appvance. For example, a functional test script with 50 steps can be tagged to run app-pen at step 1 (the top-level domain, as a standard scan would), step 3 (after login), step 17 (after a purchase) and step 25 (deep inside the finance area).

At each tagged step, Appvance runs a full spider with the live session, identifies every page it can reach, then hands the credentials and session information to a complete OWASP suite of tests that runs against each of those pages. When that scan completes, the use case restarts from the beginning and replays to the next tagged step (step 3 in the example above), where the spider and the OWASP suite run again with that step's session state. This repeats until every tagged step has been covered, all behind the scenes, until the reports are complete.
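The step-tagged workflow above, as an added illustration that is not Appvance's code and does not use its API: a functional test script is replayed from a fresh session to each tagged step, and the live session is handed to a spider that enumerates the pages an OWASP suite would then be run against. The application, its paths, privilege levels and the session values are all constructed for this example; the only point it demonstrates is how much of the site an unauthenticated spider (step 1) misses compared with the same spider run with post-login, post-purchase and finance-area session state.

```python
from collections import deque
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed, simulated application: path -> (privilege required, links on the page).
# Privilege None is public; "user" needs a login; "buyer" needs a completed purchase;
# "finance" needs the finance role. Paths and rules are invented for this example.
SITE: Dict[str, Tuple[Optional[str], List[str]]] = {
    "/":               (None,      ["/login", "/products"]),
    "/login":          (None,      ["/"]),
    "/products":       (None,      ["/cart"]),
    "/cart":           ("user",    ["/checkout"]),
    "/checkout":       ("user",    ["/orders"]),
    "/orders":         ("buyer",   ["/orders/1", "/invoice"]),
    "/orders/1":       ("buyer",   []),
    "/invoice":        ("buyer",   ["/finance/ledger"]),
    "/finance/ledger": ("finance", ["/finance/export"]),
    "/finance/export": ("finance", []),
}
RANK = {None: 0, "user": 1, "buyer": 2, "finance": 3}


@dataclass
class Session:
    """State the functional test has built so far (what a real test carries as cookies)."""
    privilege: Optional[str] = None
    cookies: Dict[str, str] = field(default_factory=dict)


def fetch(session: Session, path: str) -> Tuple[int, List[str]]:
    """Simulated GET: 200 plus the page's links if the session may view it, else 302 to /login."""
    need, links = SITE[path]
    if RANK[need] <= RANK[session.privilege]:
        return 200, links
    return 302, ["/login"]


def spider(session: Session, start: str = "/") -> Set[str]:
    """Breadth-first crawl of every page that loads (200) with this session's state.
    Pages that redirect to login stay hidden, as they do for an unauthenticated scanner."""
    found: Set[str] = set()
    seen: Set[str] = set()
    queue = deque([start])
    while queue:
        path = queue.popleft()
        if path in seen:
            continue
        seen.add(path)
        status, links = fetch(session, path)
        if status == 200:
            found.add(path)
            queue.extend(links)
    return found


# Functional test script as (step number, description, action on the session).
# Only the steps that change session state are listed; the remaining steps of the
# 50-step script described in the text are elided.
def step_login(s: Session) -> None:
    s.privilege = "user"
    s.cookies["sid"] = "sid-for-test-user"   # constructed cookie value


def step_purchase(s: Session) -> None:
    s.privilege = "buyer"


def step_enter_finance(s: Session) -> None:
    s.privilege = "finance"


SCRIPT = [
    (1, "open top-level domain", None),
    (3, "log in", step_login),
    (17, "complete a purchase", step_purchase),
    (25, "open the finance area", step_enter_finance),
]
TAGGED_STEPS = {1, 3, 17, 25}   # steps tagged to run app-pen


def replay_to(step_number: int, script=SCRIPT) -> Session:
    """Restart the use case from a fresh session and replay it up to and including step_number."""
    s = Session()
    for number, _, action in script:
        if number > step_number:
            break
        if action is not None:
            action(s)
    return s


def run_app_pen(script=SCRIPT, tagged=TAGGED_STEPS) -> Dict[int, Set[str]]:
    """For each tagged step in order: restart the script, replay to that step, hand the live
    session to the spider, and record the pages the OWASP checks would then be run against."""
    return {n: spider(replay_to(n, script)) for n in sorted(tagged)}


if __name__ == "__main__":
    for step, pages in run_app_pen().items():
        print(f"step {step:>2}: {len(pages):>2} pages reachable -> {sorted(pages)}")
```

Restarting from a fresh session before every tagged step, rather than continuing from the previous scan, matters because active checks on post-login pages can submit forms and alter the account's state; for the same reason, a scan that carries real session state belongs against a test environment or a seeded test account, never a production user.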

Data-drive any test without coding

These scripts can be data-driven, also without coding, to allow Appvance UTP to locate and test up to 100% of pages in any web application, uncovering significantly more issues than standard app-pen testing can uncover—and all without writing anything new.
