Where would we be without our apps? From paying bills on our mobile banking platform to booking flights to streaming radio stations, apps are a part of life. And they’re here to stay. Although young people (“Generation Z”) are the biggest consumers of apps, all age groups and demographics use mobile applications to some extent. The number of app downloads has been steadily increasing since 2015. In 2020 the combined app downloads from both the Apple App Store and the Google Play Store exceeded 35 billion.
Firstly, here’s a reminder of what penetration (PEN) testing is. A penetration test is an ethical cybersecurity evaluation that identifies and helps eliminate vulnerabilities and misconfigurations across an organisation’s external and internal IT environment. The tester looks for vulnerabilities, misconfigurations and development flaws by attempting to penetrate the system, hence the name. There are multiple types of PEN-testing: network, wireless, web application, mobile application, API, and build and configuration review. This article is concerned with web and mobile application testing.
Application security, or “appsec” for short, is what an organisation does to prevent cyber attackers from exploiting bugs in any software it uses. The security measures required will vary, depending on whether the application is third-party or custom developed. Custom apps should be subject to more stringent application security testing, or AST. A 2017 report by application security vendor CA Veracode found that over half of enterprises surveyed sometimes do appsec testing, but it is not sufficiently consistent.[1] According to the report, “83 % of organisations have released code before testing or resolving security issues.” The report analysed data from 40,000 tests of 250 billion lines of code in 2016 and 2017, and more than three-quarters of the custom applications scanned contained at least one vulnerability. With AST, the number of applications that passed the vulnerability scan increased by 13%.
Penetration testing for custom apps works in the same way as network PEN-testing. Experienced cybersecurity experts, such as NEWORDER, mimic hackers, attempt to penetrate the application’s defences. The benefits to your enterprise are many. Any data breach disrupts business processes and ranges from an inconvenience to a disaster. It consumes resources, costs money, and diverts attention away from productive activities. But a data breach carries risks that go beyond the immediate aggravation. Your reputation is at stake, and you may be in danger of breaching regulatory standards.
South Africa’s Protection of Personal Information Act (POPIA) came into effect on 1 July. No doubt you sent a communication to your customers about your use of their personal data. In recent years, many other countries have implemented similar privacy laws; Europe’s GDPR is the best known, but Singapore, Indonesia, and other countries have introduced similar regulations. The global emphasis on data protection makes compliance with regulations a priority activity for organisations that handle data. Non-compliance could result in penalties, a loss of your licence to operate or, in the worst-case scenario, prosecution.
PEN-testing as a service will help you find and address vulnerabilities, development & configuration flaws, comply with regulations, and assess the related risks to safeguard your company processes. Think of PEN-testing as one of the things you do to protect your valuable assets, just as you insure your vehicles and your property.
If you’ve never carried out PEN-testing on your custom apps, whether web-based or mobile, you may be wondering what’s involved. Web application testing is a test of websites and custom web applications delivered over the internet. It aims to identify issues resulting from weaknesses in design, coding and development practices. Mobile application testing reviews all apps across mobile operating systems, including Android, iOS and Windows, to identify authentication, authorisation, data leakage, and session handling issues.
When we work with you to plan your PEN-test, we will request certain information to scope the assessment. As part of the scoping process, we will set up a meeting to discuss the scope and requirements.
NEWORDER is one of Africa’s leading information security and corporate threat protection services. We provide custom business application PEN-testing services (including application program interface or API). We give you strategic and tactical insight into your cybersecurity status.
