Pentesting is a typical cybersecurity process. It is an activity in which an analyst, starting with the least possible information about a target, tries to find security vulnerabilities in it. The target is defined by a scope, which can be one or more web applications, mobile apps, IP ranges, or any other list of assets.
An analyst or a team of analysts executes a pentest following steps similar to those a real attacker would follow: gather information, map the attack surface, identify vulnerabilities, and exploit them.
Continue reading “The value of a pentest” →
Pentesting in production has risks. I remember a story of a pentester who ran an automatic scanner to spider a site. After some minutes of scanning and spidering, it found a path to a list of items that had a delete button next to each of them. The spidering process clicked all of these buttons and deleted all the items in production.
Continue reading “Pentesting in production” →
Any SaaS solution is an n-tier system, and as such, all the tiers should be protected, not only the application layer. If we put all our effort into the application and its code, we might miss important vulnerabilities in other parts of the attack surface.
Continue reading “Any SaaS solution is an n-tier system where all layers have to be protected, not only the application and its code” →