Web App Pentest Project Overview
2018-06-01 · Web App Pentesting Governance
Design overview for a web application penetration testing program. Assumes SDL (Software Development Lifecycle) and Change Management processes are in place.
Workflow
The program operates in layers:
- Developer responsibility — Secure coding practices (OWASP SWAMP) and pre-deployment scans before pushing to web servers
- Web App scan at deploy — Owners scan new/updated apps against OWASP Top 10 using automated tools
- Patch management — Web servers included in standard patch cycles (OS + app-layer vulns)
- Security audit — Monthly/annual audits based on Risk team's prioritized list; findings feed Risk Registry
- Risk team review — Determine if risk needs elevation to senior leadership (patient impact, brand risk)
Low Hanging Fruit (LHF) Web App Pentest
Requirement: Push-button scanning of a large set of web apps for OWASP Top 10 vulnerabilities.
Tools
- Netsparker
- Burp Suite Pro (AutoScan)
- Arachni
- Open source / Kali tools: Gobuster, Nikto, Nmap, OWASP ZAP, OWASP Amass
- SSL/TLS: SSLLabs
Assumptions & Constraints
- Reports feed into Risk for risk assessments — manual submission does not scale with one FTE
- This is a governance audit, not an operational endeavor
- ONLY auditing Web Application Pentest Security; not OS-level services (handled by separate process)
- Goal: lower mean time to detection and remediation of technical flaws in web apps
- Will NOT scale to every public-facing web app in the org — one-size-fits-all LHF detection only
- Sacrifices in-depth comprehensive pentest in favor of automated low-hanging-fruit scans
- Some tested apps may become unstable during scanning
- Long-term: Dev teams need secure code practices and web app scans baked into their SDLC
References
- OWASP Top 10 (2017)
- OWASP SWAMP — Secure Coding
- Snyk — Open Source Security
- Troy Hunt — Automating Web Security Reviews
- Netsparker — Evaluating Web App Scanners