Defences put to the test

Date: 03-2015

Penetration testing is a key weapon for establishing how securely the networks, infrastructure and public-facing applications that make up an organisation's IT are running, helping it understand the risks it faces from attacks by malicious users or hackers.

"The main difference between Black Hat hackers and White Hat/Ethical hackers (pen testers) is that pen testers only attack web applications when instructed to by an organisation. Black Hats, however, attack any surface, any time, all the time. Like it or not, organisations are being hacked continuously, only not by the ones they pay to do it, but by those who have a whole lot more to gain through breaching data confidentiality, integrity or availability (CIA)."

So warns Adam Brown, UK manager, Quotium, who points out that the pen test an organisation gets is only as good as the pen tester that executes it. "Results can be variable and consumers of pen testing services must be wary of this. More important than this is that the security of the target system is known only for the moment at which the test is completed. The instant there is a change to the release, build or configuration, be it a patch, software release or even hardware change, the security posture of the target system is no longer known, so a repeatable process is required."

POSITIVES AND NEGATIVES
Network and infrastructure testing is well covered, using automatic tools that can search for open ports, build fingerprints, system versions and so on. "Web application security vulnerabilities are far harder to detect. Application security scanners do exist. However, as they take a black box approach [where nothing is known about the internal processes of the target application], they are blighted with inaccuracy. There are whole categories of vulnerabilities that scanners cannot discover, resulting in false negatives. Also, scanners can frequently identify application behaviour as indication of vulnerability where no vulnerability exists, resulting in false positives. The results must always be manually edited, hampering efforts to automate the whole process," Brown states.

To do a thorough web application security test, the attack surface first has to be analysed, by following 'user journeys'. "For example, an insurance web application will have a quote and buy process where certain prerequisites must be satisfied to move from page to page, such as registration numbers, valid address, valid date of birth etc. To this end, the QA team can be very useful. However, their ability typically stops there, as they are not hacking experts. That said, as the application changes their knowledge becomes even more valuable, as they can highlight any new or changed facets in the presentation layer."

A meticulous way forward is to have an experienced and motivated expert try to breach the application, he suggests. "Typically, scanning tools would comprise the first sweep, then manual effort to both prove and disprove findings, as well as experience and knowledge of the application to attempt exploits. At the end of the process, a high quality report can be expected, stating any findings."

ABOVE AND BEYOND
The scope for problems is wide, of course. Our networks are made up of various components, including routers, switches, servers, workstations and server and desktop software, all of which can be flawed and become the source of an intrusion. "Considering that a network is constantly evolving, being updated with new hardware and software, pen testing needs to go beyond the annual checks generally required for compliance purposes," says Nicholas Sciberras, Acunetix product manager.

"We must also bear in mind that new bugs are constantly being revealed, meaning that, until we put fixes or patches in place, our network is made vulnerable to attacks. Just last year, we had three major security vulnerabilities which affected most networks. These were HeartBleed, POODLE and Shellshock, and such high-profile and dangerous bugs simply can't wait for the annual pen test to be identified and fixed. Every admin should also be a security expert and ensure that their network does not leave any backdoors open for hackers."

It's vital that this work is ongoing, he adds. "All the changes which are implemented on a daily basis need to undergo a security review. If, for example, there is a new website, even if it's a portal which is only used internally, the site should undergo a web security scan to ensure that the site is not at risk of vulnerabilities such as SQL Injection or Cross Site Scripting, which can easily be exploited by a hacker."
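Brown's point above that a test result holds only for the exact release, build and configuration it was run against, and Sciberras's that every daily change needs a security review, can be operationalised by pinning each test record to a fingerprint of that posture and flagging what changed. The following Python is an added example, not code from the article or from Quotium or Acunetix; the Posture snapshot, its fields and the sample values are assumptions constructed for illustration.

```python
import hashlib
import json
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass(frozen=True)
class Posture:
    """Hypothetical snapshot of everything a pen-test result depends on."""
    release: str
    build_hash: str
    config: Dict[str, str]  # e.g. library versions, TLS settings, enabled modules

def fingerprint(p: Posture) -> str:
    """Stable SHA-256 over the canonical JSON form of the snapshot."""
    canonical = json.dumps(
        {"release": p.release, "build": p.build_hash, "config": p.config},
        sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()

def changed_components(tested: Posture, current: Posture) -> List[str]:
    """Name what differs between the posture that was tested and the current one."""
    changes = []
    if tested.release != current.release:
        changes.append("release")
    if tested.build_hash != current.build_hash:
        changes.append("build")
    for key in sorted(set(tested.config) | set(current.config)):
        if tested.config.get(key) != current.config.get(key):
            changes.append("config:" + key)
    return changes

def review_status(tested: Optional[Posture], current: Posture) -> str:
    """'untested' with no record, 'current' if the fingerprint matches, else what changed."""
    if tested is None:
        return "untested"
    if fingerprint(tested) == fingerprint(current):
        return "current"
    return "stale: " + ", ".join(changed_components(tested, current))

# Constructed sample: the app was tested on one build, then a library was patched.
TESTED = Posture("2.3.0", "ab12cd", {"openssl": "1.0.1f", "tls_min": "1.0"})
PATCHED = Posture("2.3.0", "ab12cd", {"openssl": "1.0.1g", "tls_min": "1.2"})

if __name__ == "__main__":
    print(review_status(TESTED, TESTED))   # current
    print(review_status(TESTED, PATCHED))  # stale: config:openssl, config:tls_min
```

Hooking review_status into a deployment pipeline turns "stale" into a gate that requires a re-scan before the change goes live, rather than waiting for the annual test.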
