Understanding what type of test is right for your website

A few simple questions will lead you to the right type of test

  1. Where is your website hosted – do you host it yourself, or is it hosted by a third party?
  2. Who is responsible for the security of the host system, that is, the operating system?
  3. Do you have a web application firewall, such as Cloudflare, in front of your website?
  4. Is your website a static page with content?
  5. Do you have a login and, if so, what type of data is behind it: customer, pricing, private or personal?
  6. Does your website have any API interactions with other applications?

Which is right for you?

Manual Versus Automated Testing

Automated Testing

A fully automated scan is used for both host operating systems and web applications. The host operating system scan checks for all currently known vulnerabilities affecting that operating system and reports back the CVE, the risk and usually suggested remediation tips. The same is true for web application scanning: a fully automated web application scanner will, at a minimum, test your website for the vulnerability classes in the OWASP Top 10 and report back on risks and remediations (https://owasp.org/www-project-top-ten/). Bear in mind that an automated scanner finds known patterns and misconfigurations; it will not find business-logic or authorization flaws that require a person to understand what the application is supposed to do.

Manual Testing

Manual testing means that an actual person uses various methods to determine the security of a host or application and, if the rules of engagement permit, attempts to exploit a vulnerability to gain access, modify content or download information. There are varying degrees of manual testing, ranging from one tester for one day at the simplest to two testers for five days at the more extensive end.

The type of test required for your website depends on two main factors:

When you start down the road of testing your website, you want to consider the host operating system and the application.

1. Have the host and application ever been tested before?

If you have a very static page of content that is hosted by a third party, chances are a good OWASP Top 10 scan of your site will be sufficient to let you know if you have any glaring misconfigurations that could lead to a website defacement or other attack on your site.
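As an added example (not the page's own code and not any vendor's scanner), the following Python script shows the kind of misconfiguration check such an automated scan performs against a static site. It parses a constructed HTTP response (not a real capture), flags missing security headers, missing cookie flags and a server banner that discloses a version, and reports each finding with a risk rating and a remediation tip, the same shape of report described under automated testing. The header list, risk ratings and both sample responses are assumptions made for the example.

```python
import re

# Constructed sample response from a poorly configured static site (not a capture).
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.41 (Ubuntu)\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Set-Cookie: session=abc123; Path=/\r\n"
    "X-Frame-Options: DENY\r\n"
    "\r\n"
    "<html><body>Hello</body></html>"
)

# Constructed response from the same site after remediation (not a capture).
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Content-Security-Policy: default-src 'self'; frame-ancestors 'none'\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-Frame-Options: DENY\r\n"
    "Set-Cookie: session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax\r\n"
    "\r\n"
    "<html><body>Hello</body></html>"
)

# Assumed check list: header name -> (risk, remediation). Absence is a finding.
REQUIRED_HEADERS = {
    "strict-transport-security": ("Medium", "Send HSTS over HTTPS, e.g. max-age=31536000; includeSubDomains"),
    "content-security-policy": ("Medium", "Define a Content-Security-Policy restricting script and frame sources"),
    "x-content-type-options": ("Low", "Send X-Content-Type-Options: nosniff"),
    "x-frame-options": ("Low", "Send X-Frame-Options: DENY or a CSP frame-ancestors directive"),
}

RISK_ORDER = {"High": 0, "Medium": 1, "Low": 2, "Info": 3}


def parse_response(raw):
    """Split a raw HTTP/1.x response into (status line, headers, body).
    Header names are lower-cased; repeated headers (e.g. Set-Cookie) are kept as a list."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers, body


def check_response(raw):
    """Run the scanner-style checks and return findings sorted by risk."""
    _, headers, _ = parse_response(raw)
    findings = []

    # 1. Missing hardening headers.
    for name, (risk, fix) in REQUIRED_HEADERS.items():
        if name not in headers:
            findings.append({"check": f"missing {name}", "risk": risk, "remediation": fix})

    # 2. Cookies without Secure / HttpOnly attributes.
    for cookie in headers.get("set-cookie", []):
        cname = cookie.split("=", 1)[0].strip()
        attrs = [a.strip().lower() for a in cookie.split(";")[1:]]
        if "secure" not in attrs:
            findings.append({"check": f"cookie {cname} lacks Secure", "risk": "Medium",
                             "remediation": "Add the Secure attribute so the cookie is only sent over HTTPS"})
        if "httponly" not in attrs:
            findings.append({"check": f"cookie {cname} lacks HttpOnly", "risk": "Low",
                             "remediation": "Add the HttpOnly attribute to keep the cookie away from scripts"})

    # 3. Server banner disclosing a version number (helps attackers pick exploits).
    for server in headers.get("server", []):
        if re.search(r"/\d", server):
            findings.append({"check": f"server version disclosed: {server}", "risk": "Info",
                             "remediation": "Suppress the version in the Server header (e.g. ServerTokens Prod)"})

    return sorted(findings, key=lambda f: RISK_ORDER[f["risk"]])


if __name__ == "__main__":
    for label, raw in (("before", SAMPLE_RESPONSE), ("after", HARDENED_RESPONSE)):
        findings = check_response(raw)
        print(f"{label}: {len(findings)} finding(s)")
        for f in findings:
            print(f"  [{f['risk']}] {f['check']} -> {f['remediation']}")
```

Against the constructed "before" response the script reports six findings (three missing headers, two cookie attributes and the version banner); against the hardened response it reports none. A real scanner does this over every page and header it can reach, which is exactly why it is cheap to run routinely, and why it says nothing about what a logged-in user is allowed to do.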

2. What is the criticality of the data being processed or stored on this site?

If your website has a login, allows users to sign up for accounts and hosts dynamic content, you should consider a manual test at least for the first test. Once a thorough baseline has been established for the site, testing can become more routine and automated, with a manual retest whenever the application changes significantly.

Planning your testing

We recommend you develop a plan for testing and make sure to include the above considerations. You might have to give special written notification to a third-party host before you test an application, you might have to have the tester's source IP allow-listed in a web application firewall, and you may need dedicated test accounts set up in the application.

If you are unsure what type of test is right for your website, reach out to us and we will be glad to discuss options with you.