SBN

How Do Pentesters Document and Remediate Vulnerabilities in iOS?

Mobile platforms have exploded in popularity over the past decade, and iOS is arguably the main driver for this massive growth in the mobile technology segment. iOS is the software that runs Apple’s widely-adopted mobile hardware products, such as iPhones and iPads, and is one of the most-used operating systems on the planet.

Attackers are always looking for new methods of bypassing Apple’s security features, which means that pentesters are, too. Unfortunately, hackers have one advantage: they don’t need to keep records. Hackers are able to attack any system without having to take any notes about how they manage to do what they do, which lets them concentrate on the act of hacking instead of completing reports.

Documentation standards are very high when pentesters are tasked with discovering vulnerabilities in general, and Apple products are no exception. Attention to detail and knowledge of the underlying systems of Apple products is essential when trying to document and remediate iOS vulnerabilities. This becomes even more complicated when third-party developers inadvertently weaken iOS’s built-in security when creating apps for Apple.

How Do Companies Use Their History of Penetration Testing Documentation?

This sounds like an obvious question at first, but, logically speaking, it’s a really interesting point that needs to be understood. These documents are referenced by developers and updated versions of each document are generated with each version release of the product as it gets tested. Below are some examples of how these documents are used within the company that is developing the application.

When an Application Release Is First Tested Before Deployment

All of the notes that were recorded in the original and subsequent pentest documents help to create a permanent record of how the application performed during previous release cycles.

After a Security Event

If an identifiable breach occurs within the (Read more...)

*** This is a Security Bloggers Network syndicated blog from InfoSec Resources authored by Graeme Messina. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/IYjqdIvOcFo/