CREST Accredited, Application Security Testing Experts for SaaS platforms
Software-as-a-Service (SaaS) has revolutionised modern business. Backend systems that once lived on a server in the corner of the office, gradually getting slower and less maintained over the years, are a thing of the past for many organisations. Many companies now trust third-party SaaS applications with critical business functions such as accounting, payroll, ERP and many more.
Increased reliance on third parties has also, rightly, led many organisations to question the security of the data held in those platforms, and assurances are sought from the SaaS vendor that adequate protection is in place.
This is where 4ARMED can help, by conducting penetration testing of the SaaS application either on behalf of the SaaS vendor or the SaaS vendor's customer.
An exploitative test of the SaaS platform's security defences. Sometimes referred to as "ethical hacking", the goal of penetration testing is to assess the resilience of the target application to technical attacks and provide tailored recommendations on areas that could be improved. By using the same techniques as criminal hackers, our consultants look for ways to gain unauthorised access to data stored in the SaaS system.
We align our application security testing methodology to the OWASP Application Security Verification Standard. There are two main reasons for this: 1) it's good and 2) it gives additional, independent clarity over what will be delivered. This is especially useful if you're having a penetration test done to satisfy a third party, which is very often the case when we're penetration testing SaaS applications.
Level 1 - Opportunistic: The target is reviewed for easy-to-discover, easy-to-exploit weaknesses, such as those found in the OWASP Top Ten, that would be targeted by opportunistic attackers who lack the resources, skills, motivation or time to pursue more difficult vulnerabilities.
Level 2 - Standard: The target is reviewed to see if it will withstand most security risks associated with today's software. This level of testing is typically required for most enterprise systems, compliance standards and other platforms that handle sensitive information such as personal or financial data.
Level 3 - Advanced: This level is typically reserved for those systems that require the highest level of assurance, where a compromise could result in critical impact. At this level the types of threat are expected to be determined and potentially well-funded. Security testing alone is not sufficient to provide verification, and we would look to review the system's architecture, code, management processes and other supporting factors in order to provide deep insight into the system's risk.
If what you need is something more targeted or bespoke, this is no problem. For example, you may have recently rolled out a new login function and would like assurance over just this element. All our engagements are built around your requirements so let us know what you need.
Security Testing helps you gain assurance over your risk. It helps build confidence that no mistakes have been made in coding or implementation.
Penetration Testing is required by a number of compliance standards such as PCI DSS. Our security testing services can help you achieve or maintain compliance.
Sensible rates, a pragmatic approach and recommendations that make a difference all add up to a cost effective overall solution. Take advantage of a Managed Security Testing contract and see even better return on your investment.
Each report contains a root cause analysis and, if you take a Managed Security Testing contract, we can help you implement a continuous improvement cycle focused on your specific problem areas.
A typical engagement process flow can be seen here. The most important part when considering a SaaS penetration test is getting the scope right.
In some cases this is relatively simple, as you may require a test of a single system or application whose boundaries are clearly defined. In other cases the scope will be more complex. A good example of this is a penetration test conducted to meet PCI DSS requirement 11.3, which requires us to verify that the scope for testing actually covers all in-scope systems.
For simple requirements we can typically scope a test accurately via a phone call or email; more complex tests will require a scoping form to be completed.
A longer description of the stages of a typical SaaS penetration testing engagement can be found in the resources section below.
Communication is key to the delivery of a good security testing engagement. You will be assigned a project lead who will handle all of the logistics of testing with you and give you one point of contact should you need to discuss anything. We will keep you updated throughout testing as required and a free-of-charge wash-up call between our consultants and relevant parties from your organisation can be scheduled once you have reviewed the detailed report provided. This gives you the opportunity to discuss the findings and recommendations in more detail and evaluate further your best course of action.
Earlier we highlighted the different testing levels we typically work to – Opportunistic, Standard and Advanced – but, when it comes to application security testing there is always the option to provide us with access to the source code during the test.
Often referred to as white box testing, this enables our consultants to achieve far wider and deeper coverage of an application in the same amount of time, because suspected issues can be verified more quickly and searched for in other parts of the code. The majority of tests we conduct these days are performed in this manner.
Source code is stored in accordance with our ISO27001 information security requirements and is securely deleted once the engagement has completed.