Defences put to the test
Editorial Type: Feature. Date: 03-2015. Key Topics: Security, Penetration Testing, Cybercrime. Key Companies: Quotium, Nettitude, First Base Technologies, Acunetix. Key Industries: Education, Insurance.
Penetration testing is a key weapon for establishing how secure networks, infrastructures and public-facing applications are running as part of an organisation's IT - helping them understand the risks they face from attacks by malicious users or hackers.

"The main difference between Black Hat hackers and White Hat/Ethical hackers (pen testers) is that pen testers only attack web applications when instructed to by an organisation. Black Hats, however, attack any surface, any time, all the time. Like it or not, organisations are being hacked continuously, only not by the ones they pay to do it, but by those who have a whole lot more to gain through breaching data confidentiality, integrity or availability (CIA)." So warns Adam Brown, UK manager, Quotium, who points out that the pen test an organisation gets is only as good as the pen tester that executes it. "Results can be variable and consumers of pen testing services must be wary of this. More important than this is that the security of the target system is known only for the moment at which the test is completed. The instant there is a change to the release, build or configuration, be it a patch, software release or even hardware change, the security posture of the target system is no longer known, so a repeatable process is required."
POSITIVES AND NEGATIVES

To do a thorough web application security test, first the attack surface has to be analysed. This has to be achieved through following 'user journeys'. "For example, an insurance web application will have a quote and buy process where certain prerequisites must be satisfied to move from page to page, such as registration numbers, valid address, valid date of birth etc. To this end, the QA team can be very useful. However, their ability typically stops there, as they are not hacking experts. That said, as the application changes their knowledge becomes even more valuable, as they can highlight any new or changed facets in the presentation layer." A meticulous way forward is to have an experienced and motivated expert try to breach the application, he suggests. "Typically, scanning tools would comprise the first sweep, then manual effort to both prove and disprove findings, as well as experience and knowledge of the application to attempt exploits. At the end of the process, a high quality report can be expected, stating any findings."
ABOVE AND BEYOND

"We must also bear in mind that new bugs are constantly being revealed, meaning that, until we put fixes or patches in place, our network is made vulnerable to attacks. Just last year, we had three major security vulnerabilities which affected most networks. These were HeartBleed, POODLE and Shellshock, and such high-profile and dangerous bugs simply can't wait for the annual pen test to be identified and fixed. Every admin should also be a security expert and ensure that their network does not leave any backdoors open for hackers." It's vital that this work is ongoing, he adds. "All the changes which are implemented on a daily basis need to undergo a security review. If, for example, there is a new website, even if it's a portal which is only used internally, the site should undergo a web security scan to ensure that the site is not at risk of vulnerabilities such as SQL Injection or Cross Site Scripting, which can easily be exploited by a hacker."