|
Top Security News |
Review: SpiDynamics Web Inspect
Every once in a while, you run into a tool that becomes an essential member of your tool kit, like snort for IDS, Nessus for scanning a network, the new version of...
Corporate Email Wanders
Technewsworld is running a story on company personnel who forward company e-mail to their MSN, Google, Yahoo, or other hosted e-mail accounts. So after spending all that money to secure your corporate e-mail systems...
Insider Threats
Organizations in many ways contribute the actions of their employees. Either through not wanting to lose a star player who sometimes does things that they...
Computer Security Still Damaged By Social Engineering
Interesting article out of CIO magazine about Vista, and that while it is a highly secure operating system, with some neat things it can do, it still is not invulnerable to those programs that require social engineering to...
Collaborative Information Security Next?
Have anyone ever been on the phone with a client after the job, where the client wants more information, needs a copy of the report, or just wants to spend some...
EBay Launches Web Smart Guide For Safety
According to a recent survey, a lot of Australians feel the online world is becoming a safer place to shop - 76 percent, to be exact. A significant portion - 58 percent - "did not think the industry was doing enough to...
|
|
|
02.14.07
Penetration Testing Vs. Vulnerability Analysis Tools
 By
Dennis Hurst
Over the past several years I have heard people asking the question "should I use vulnerability analysis tools to assess my web based applications or should I look to penetration testing?"
I think we, as an industry, may be asking the wrong question. First, let's look at how the web application industry has grown over the years and how penetration testing has scaled to meet that challenge.
Pre-2000
Before the year 2000, some companies had a web site for marketing purposes and a few companies were starting to do a little business on the web. There were of course a lot of DotComs around selling things on the web, but real "brick and mortar" businesses were just using the web as a marketing tool. The brick and mortar businesses who understood security started asking their experts in penetration testing to check out these web applications. Using some simple vulnerability analysis tools, those penetration testing experts did a good job checking for simple web application security issues. There were a few people running around that really knew how to test a web application, but not many. At this time, there were a few open source vulnerability analysis tools in existence, but the market was in its infancy.
Early 2000s
After the DotCom bust, companies actually started to use the web and web-based applications for both internal and external applications. Most applications still existed on non-web-based platforms, but developers started moving their legacy applications into web-based environments. Developers found that creating a web-based application was a bit more complicated, but deploying it via a browser made it all worthwhile. In addition, customers now wanted to transact their business via the web, and as a result, companies started to provide some of their services via a web application.
Security commonly responded to this change in one of two ways. One approach that worked was to hire or contract more penetration testing experts and to try to test all web-based applications before they went live. This worked in some cases, but usually there was not enough support for the penetration testing so only critical applications were tested, leaving non-critical applications open to attack. The other approach was to assess the web-based application with vulnerability analysis tools before it went live. This approach scaled much better than the penetration testing route, but would frequently miss vulnerabilities that really should have been discovered.
Usually, a combination of stand-alone vulnerability analysis tools and penetration testing was used in an attempt to get full application coverage. This yielded good results, but most security organizations were still quickly overwhelmed by the number of web-based applications that needed to be assessed. Also, this approach typically found vulnerabilities after the application had been developed, tested and was ready for production. This frequently caused companies to go live with vulnerable applications or go back to development and fix the issue.
Continue reading this article.
About the Author:
Dennis Hurst is a Developer Security Evangelist for SPI Dynamics where he works with development organizations evangelizing the need to integrate web application security into their Web development processes. A Microsoft Developer Security MVP, Dennis has more than 15 years experience in the Information Systems/Application Development industry, and he is an expert in computer applications and networks.
|
