Updated: Sep 29, 2022
By Troy Hagerty and Steve Cullen
Disclaimer: The following article is intended to be an unbiased and objective view of a security technology provider. This is an unpaid blog article and the views here are the views of ARORA Solutions and not the views of the technology provider. ARORA Solutions is technology agnostic, working to support clients with tools that work for them and within their business context.
Our security landscape is rapidly evolving. It may seem like a daunting task for any organization to understand and properly assess the security of their applications and infrastructure. We looked at a ton of available options out there for our clients, and we got a bit overwhelmed ourselves. But, with the help from our good friends at Astra, we hope to shed some light on one of these available options.
The ARORA team sat down with Ujwal Ratra from Astra Security to get the rundown on what a penetration test ("pentest" or "pen test") means for any organization, from a start-up to a Fortune 500 company.
Pentesting is always a struggle with most organizations because many custom-built applications integrate with all sorts of widgets, tools, infrastructure and custom code. They require an ability to coordinate closing the gaps among all applications, each of them needing some form of manual communication across teams and partners.
Additionally, business context is uber important. When speaking with the Astra team, they gave the example of high potential for leakage of personally identifiable information (PII). For example, applications developed for HR professionals which handle PII may require additional controls within development architecture. Standard code scans do not actually uncover business logic specific vulnerabilities. That’s why the context of the app needs to be considered when engaging a pentest firm.
Astra believes they have been able to streamline pen testing for applications & cloud infrastructures with their self served vulnerability scanner & vulnerability management dashboard. As a Software-as-a-Service (SaaS) platform, Astra proactively finds loopholes, reviews network security, and manual tests your web applications, mobile apps, and cloud infrastructure on demand.
"Security no more is a good to have for organizations. It is now a critical function and a must have even to sell your products. Pentests are critical components of an overall security posture. Traditionally, pentesting has been a point in time exercise, the results of which were delivered on huge PDF/Excel reports that took a good amount of time to decipher and act on. That is something we are changing. We believe that, since your development is continuous, so should your security. Thus, Astra’s pentest comes with a continuous vulnerability scanner along with CI/CD integrations. This way your security keeps up with your development pace."
Astra's Approach To Pentesting and Automated Vulnerability Scanning
For client engagements, pricing averages $4,000 per custom application and goes down from there as additional tests are added. Included in the cost is automated vulnerability scans, infrastructure assessment (for any IaaS: AWS, Azure, GCP, etc.), manual penetration test, remediation recommendations, as well as full product support.
Total lead time from contact to initial scan completion can be as short as 9 days (2-3 days to start the engagement and 7-9 days to conduct the pentest), but this depends on the client’s inputs and response time.
Using its proprietary dashboard, Astra does both automated and manual scans covering both black & gray box testing. When a vulnerability is found, it is labeled with a simple explanation of the vulnerability, CVSS score, its potential impact, affected components, what steps can be done to reproduce the vulnerability, and suggested fixes to mitigate it. All that is required to get the process started is a URL and the test credentials so that areas behind the login screens can also be scanned. Astra takes care of the rest. An example of what a after-action report would look like can be found at this link: https://www.getastra.com/blog/wp-content/uploads/2021/06/Astra-Security-Sample-VAPT-Report.pdf
Another Benefit of Pentesting - Compliance
“Not only can a pen test give you a better idea of your applications and network infrastructure, but you can also shape it to meet whatever governance and compliance framework you’d like, including SOC2, GPDR, ISO 27001, PCI DSS, OWASP 2021, HIPAA, and many more."
Each vulnerability is labeled with the compliance they are associated with, so that any mitigation strategy applied to the vulnerability will automatically be designated as compliant within each applicable framework. This will take out a bit of the guesswork of establishing the context of each vulnerability.
Each pentest comes with a publicly verifiable test certificate to ensure compliance of your systems.
Is This a Silver Bullet?
While this does sound like a great all-in-one tool, Ujwal did stress the importance of both static and dynamic vulnerability scans for your organization. Static scans occur at the code-level of the application without it being deployed, while dynamic scans tend to focus on the deployed applications with APIs, user credentials, etc. Dynamic is more hacker style approach.
Since both scans are automated, they do have their shortcomings by not knowing the full context of how the application is actually used. Therefore, manual penetration tests are needed, which would occur after the first automated scan is performed, taking up to nine days to fully complete. After remediation is complete, the certificate will be issued and verifiable for six months.
Our recommendation to any organization doing custom application development:
Conduct automated vulnerability and penetration tests at least twice per year on all of your applications to stay ahead of vulnerabilities, malware, hackers, and nefarious actors.
Astra is a good example of a penetration test company offering flexibility, integration, and security at a reasonable price.
We look forward to learning about other innovative tech as time goes on, and we will report on them for you!
Want to know more? Connect with Astra Security on Twitter at @getastra or Ujwal directly at @ujwal_ratra. Astra Security - Comprehensive Suite Making Security Simple (getastra.com)