Wednesday, November 28, 2012

Pen-Testing as a Service (pTaaS)

Today the most popular term in the software industry is probably SaaS (Software as a Service), which basically means 'Software on Demand'. In the SaaS model the software is hosted at some remote location and the customer accesses it using a web browser or similar client. The main benefits of the SaaS model include:
  • the customer need not worry about the hardware and maintenance requirements of the software;
  • and in most cases the customer pays only for what he is using, i.e. in the case of DynamoDB the customer pays only for the amount of data he is storing or retrieving.
These two benefits have made SaaS quite a popular concept.

In the term SaaS, the word 'service' is used figuratively, i.e. it is like outsourcing your software's infrastructure and maintenance needs. When I say pTaaS, i.e. Pen-Testing as a Service, I mean it literally rather than figuratively: by pTaaS I mean outsourcing your penetration testing work.

The biggest hurdle in outsourcing some service XYZ is the amount of information that needs to be exchanged between the client and the service provider; if the information exchange involves sharing something confidential, then service XYZ probably cannot be outsourced. Since penetration testing is in itself a form of black box testing, it can be outsourced easily, as the pen-tester hardly needs any implementation or even design information.

Although some forms of pen-testing can be better categorized as gray or white box testing, that is not actual pen-testing; this is what I feel at least. Pen-Testing is basically thinking from an attacker's or hacker's point of view and then probing a piece of software for security vulnerabilities. The less information (about the targeted software, of course) a pen-tester has at the beginning of the pen-test, the more effective and more practical the pen-testing results are going to be! When someone knows the internal details of a product YYY, then for him it is comparatively easy to figure out the issues with that product YYY. But the real art lies in starting with zero information and then ultimately figuring out a way to compromise the whole product; this is what our pen-testing services are all about.

If you allow us to perform this service for you, then:

  • we will do a complete analysis of your website, exploring all possible issues because of which your website could be compromised;
  • and finally we will share a detailed report of how those issues can be exploited, along with suggestions for fixing them.

PS: In my last post I promised to discuss the UI Redressing attack and usage statistics for 'X-FRAME-OPTIONS'; please excuse me for changing the topic today. I will be writing on that topic very soon.

-Archana

2 comments:

  1. Pentesting is usually manifested as a service. This is what most of the companies do for pentesting:
    Give the website/product along with design details to an information security consulting company, which has a pool of information security experts (probably skilled at using tools and analyzing), who do the testing and report all flaws.

    btw, we should give all the design details (of course with some NDA) for pentesting; this is required to avoid "security by obscurity".
  2. Very relevant insights Mak. For more details on what HackVidhi brings as its unique service, please write to contactus@hackvidhi.com