SaaS Penetration Testing

CREST Accredited, Application Security Testing Experts for SaaS platforms

Overview

Introduction

Software-as-a-Service (SaaS) has revolutionised modern business. Backend systems that once lived on a server in the corner of the office, gradually getting slower and less maintained over the years, are a thing of the past for a lot of organisations. Many companies now trust third-party SaaS applications with critical business functions such as accounting, payroll, ERP and many more.

Increased reliance on third parties has also, rightly, led many organisations to question the security of the data being held in those platforms, and assurances are sought from the SaaS vendor that adequate protection is in place.

This is where 4ARMED can help, by conducting penetration testing of the SaaS application either on behalf of the SaaS vendor or the SaaS vendor’s customer.

What is a SaaS Penetration Test?

An exploitative test of the SaaS platform’s security defences. Sometimes referred to as “ethical hacking”, the goal of penetration testing is to assess the resilience of the target application to technical attacks and provide tailored recommendations on areas that could be improved. By using the same techniques as criminal hackers, our consultants look for ways to gain unauthorised access to data stored in the SaaS system.

We align our application security testing methodology to the OWASP Application Security Verification Standard. There are two main reasons for this: 1) it’s good and 2) it gives additional, independent clarity over what will be delivered. This is especially useful if you’re having a penetration test done to satisfy a third party, which is very often the case when we’re penetration testing SaaS applications.

Security Testing Levels

Level 1 - Opportunistic

The target is reviewed for easy-to-discover, easy-to-exploit weaknesses, such as those found in the OWASP Top Ten, that would be targeted by opportunistic attackers who lack the resources, skills, motivation or time to pursue more difficult vulnerabilities.

Level 2 - Standard

The target is reviewed to see if it will withstand most security risks associated with today’s software. This level of testing is typically required for most enterprise systems, compliance standards and other platforms that handle sensitive information such as personal or financial data.

Level 3 - Advanced

This level is typically reserved for those systems that require the highest level of assurance, where a compromise could result in critical impact. At this level the threat actors are expected to be determined and potentially well-funded. Security testing alone is not sufficient to provide verification, so we would also review the system’s architecture, code, management processes and other supporting factors in order to provide deep insight into the system’s risk.

If what you need is something more targeted or bespoke, this is no problem. For example, you may have recently rolled out a new login function and would like assurance over just this element. All our engagements are built around your requirements, so let us know what you need.

Benefits

Assurance

Security testing helps you gain assurance over your risk. Everything should be coded and configured correctly and securely, but testing provides assurance that no mistakes have been made.

Compliance

Penetration testing is required by a number of compliance standards, such as PCI DSS. Our security testing services can help you achieve or maintain compliance.

Cost Effective

Sensible rates, a pragmatic approach and recommendations that make a difference all add up to a cost-effective overall solution. Take advantage of a Managed Security Testing contract and see an even better return on your investment.

Continual Improvement

Each report contains a root cause analysis and, if you take a Managed Security Testing contract, we can help you implement a continuous improvement cycle focused on your specific problem areas.

What To Expect

Scoping

A typical engagement process flow is outlined in the steps below. The most important part when considering a penetration test is getting the scope right.

In some cases this is relatively simple, as you may require a test of a single system or application whose boundaries are clearly defined. In other cases the scope will be more complex. A good example of this is a penetration test conducted to meet PCI DSS requirement 11.3, which requires us to verify that the scope for testing actually covers all in-scope systems.

For simple requirements we can typically scope a test accurately via a phone call or email; more complex tests will require a scoping form to be completed. A link to this can be found in the Resources section below.

Delivery

Communication is key to the delivery of a good security testing engagement. You will be assigned a project lead who will handle all of the logistics of testing with you and give you one point of contact should you need to discuss anything. We will keep you updated throughout testing as required, and a free-of-charge wash-up call between our consultants and relevant parties from your organisation can be scheduled once you have reviewed the detailed report provided. This gives you the opportunity to discuss the findings and recommendations in more detail and further evaluate your best course of action.

Application Security Testing with Source Code

Earlier we highlighted the different testing levels we typically work to (Opportunistic, Standard and Advanced), but when it comes to application security testing there is always the option to provide us with access to the source code during the test.

Often referred to as white box testing, this enables our consultants to achieve far wider and deeper coverage of an application in the same amount of time. This is because suspected issues can be verified more quickly and then searched for in other parts of the code. The majority of tests we conduct these days are performed in this manner.

Source code is stored in accordance with our ISO27001 information security requirements and is securely deleted once the engagement has completed.

1. Pre-Test

  • Confirmation of scope
  • Escalation process agreed
  • Test authorisation
  • Communication requirements agreed

2. Testing

  • Enumeration
  • Vulnerability identification
  • Exploitation
  • Post-exploitation
  • Regular testing updates as agreed

3. Reporting

  • Report completed by lead tester
  • Issues rated by impact and exploitability
  • Root cause analysis
  • Internal QA prior to issue

4. Review

  • Optional wash-up call
  • Post-test support for recommendations
  • Arrange re-testing if required

Client Stories

“During the testing the communication was flawless, and 4ARMED told us as they were testing of any gaps in security encountered, so that we could work on fixes in parallel and deploy and retest them before the whole testing was completed. The final report was very comprehensive from both a business and a technical point of view. The recommendations in the report were clear and concise and contained explicit steps on how to fix vulnerabilities effectively.”

Ana, Systems Engineer at a FinTech in Payments, Risk and Compliance

Related client stories:

  • Online Financial Services Company: App, Mobile and Infrastructure Penetration Test
  • Agricultural Levy Organisation: App, Mobile and Infrastructure Penetration Test

Resources

Security Testing Scoping Form

Next Steps

Want to discuss your requirements further? Wondering whether SaaS Penetration Testing is right for your business? There’s an easy way to find out: give us a call or complete this contact form to tell us where you’re at, and we will work with you to find the best solution for you.
+44 (0)203 475 2443 sales@4armed.com
4ARMED Limited
3 Warren Yard, Warren Park, Stratford Road, MILTON KEYNES MK12 5NW, England