Why you should hack your own systems

By Fran Howarth, Special to ZDNet Asia
Wednesday, May 27, 2009 09:22 AM

Perspective: The top two threats facing organizations today are Web-based applications and end users, according to information security researcher the SANS Institute.

Vulnerabilities affecting Web applications account for almost half of the total weaknesses seen, SANS says. They are being exploited to convert trusted Web sites into malicious servers that launch client-side exploits, which are usually delivered via a Web page or an e-mail, as in phishing scams.

Considering the large number of vulnerabilities that are found in Web-based applications, it is of great importance that security is built into applications early on in the software development lifecycle--and that they are tested regularly to identify and remove flaws as soon as possible.

During the development process, tools such as source code analyzers will do much to identify flaws in the application code. However, even the best source code reviews will be unlikely to uncover all vulnerabilities.

Therefore, best practice is to take a multi-tiered approach to testing software applications for security flaws: static code analysis and dynamic program analysis, together with vulnerability assessment and scanning tools, and penetration testing.

Scans and assessments are useful for locating potential risks by pinpointing flaws in the application that have manifested themselves as full-blown vulnerabilities. For example, when an application is added to the network, its interactions with other pieces of network infrastructure could give rise to a vulnerability that could not have been seen from looking at the source code in isolation.

Penetration tests should then be used to seek out those weaknesses that could most readily be exploited. Sometimes also known as ethical hacking, penetration tests are proactive, authorized attempts to compromise security by using the tools favored by hackers in order to see how well applications hold up against real-world threats.

Armed with this information, organizations can then prioritize remediation efforts for the threats deemed to be the most critical.
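The following is an added example, not code from the article or from any vendor it mentions, showing the layered approach in miniature. A small constructed handler is checked three ways: a static check over its source text catches a risky pattern (SQL assembled by string concatenation), a dynamic check exercises the access control under its deployment configuration and finds a flaw that only exists because of the surrounding infrastructure (a forwarded-address header trusted although no proxy sets it), and a prioritisation step orders the findings for remediation. Every name here (`Deployment`, `is_admin_request`, `lookup_user`, `scan_static`, `check_dynamic`, `assess`) and every address and header value is hypothetical.

```python
import inspect
import re
from dataclasses import dataclass

# ---------------------------------------------------------------------------
# Constructed application under test (hypothetical, not real product code)
# ---------------------------------------------------------------------------

@dataclass(frozen=True)
class Deployment:
    """Facts about where the handler runs; none of them are visible in its code."""
    proxy_sets_forwarded_for: bool  # is a trusted reverse proxy in front of the app?
    trust_forwarded_for: bool       # does the app honour X-Forwarded-For?

ADMIN_NETWORK_PREFIX = "10.0.0."   # constructed internal network

def is_admin_request(headers, peer_ip, deployment):
    """Allow admin pages only from the internal network.

    Read in isolation this looks correct: honouring X-Forwarded-For is fine
    when a trusted proxy overwrites it. Whether such a proxy exists is a
    deployment fact, so source review alone cannot say if this is a flaw.
    """
    if deployment.trust_forwarded_for and "X-Forwarded-For" in headers:
        client_ip = headers["X-Forwarded-For"].split(",")[0].strip()
    else:
        client_ip = peer_ip
    return client_ip.startswith(ADMIN_NETWORK_PREFIX)

def lookup_user(db, username):
    """Constructed example of a pattern a static check can catch on its own."""
    query = "SELECT * FROM users WHERE name = '" + username + "'"
    return db.execute(query)

# ---------------------------------------------------------------------------
# Tier 1: static check over the source text of a function
# ---------------------------------------------------------------------------

# SQL keyword followed, on the same line, by a closing quote and a '+' operand.
SQL_CONCAT = re.compile(r"\b(SELECT|INSERT|UPDATE|DELETE)\b.*['\"]\s*\+\s*\w+")

def scan_static(func):
    """Flag SQL statements built by string concatenation in a function body."""
    findings = []
    for offset, line in enumerate(inspect.getsource(func).splitlines()):
        if SQL_CONCAT.search(line):
            findings.append({
                "tier": "static",
                "severity": "high",
                "where": f"{func.__name__}+{offset}",
                "issue": "SQL query assembled by string concatenation",
            })
    return findings

# ---------------------------------------------------------------------------
# Tier 2: dynamic check against the handler as deployed
# ---------------------------------------------------------------------------

def check_dynamic(deployment):
    """Exercise the access check the way a scanner would: an external client
    presents a header claiming an internal address. The deployment model
    decides what the handler actually receives."""
    probe_headers = {"X-Forwarded-For": "10.0.0.5"}   # constructed probe value
    external_peer = "203.0.113.9"                      # documentation-range address
    if deployment.proxy_sets_forwarded_for:
        # A trusted proxy replaces the client-supplied header with the real peer.
        received = {"X-Forwarded-For": external_peer}
    else:
        received = probe_headers
    if is_admin_request(received, external_peer, deployment):
        return [{
            "tier": "dynamic",
            "severity": "critical",
            "where": "is_admin_request",
            "issue": "X-Forwarded-For trusted although no proxy sets it",
        }]
    return []

# ---------------------------------------------------------------------------
# Tier 3: prioritise findings for remediation
# ---------------------------------------------------------------------------

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}

def prioritise(findings):
    """Most severe first; stable order within a severity level."""
    return sorted(findings, key=lambda f: (SEVERITY_RANK[f["severity"]], f["where"]))

def assess(deployment):
    """Run every tier and return the ordered remediation list."""
    findings = scan_static(lookup_user) + scan_static(is_admin_request)
    findings += check_dynamic(deployment)
    return prioritise(findings)

if __name__ == "__main__":
    weak = Deployment(proxy_sets_forwarded_for=False, trust_forwarded_for=True)
    fixed = Deployment(proxy_sets_forwarded_for=False, trust_forwarded_for=False)
    for label, dep in (("weak deployment", weak), ("corrected deployment", fixed)):
        print(label)
        for f in assess(dep):
            print(f"  [{f['severity']}] {f['tier']}: {f['issue']} ({f['where']})")
```

Run as a script, the weak deployment yields two findings with the deployment flaw ranked above the code pattern; the corrected deployment (header no longer trusted) leaves only the static finding. Putting a proxy that rewrites the header in front of the unchanged code also clears the dynamic finding, which is the point of the passage above: the same source is safe or unsafe depending on the infrastructure around it.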

In the early days of penetration testing, many organizations were sceptical about its value. However, the use of penetration testing has increased considerably, especially in the last year, and it is now considered a best practice for ensuring applications are secure.

In fact, such tests have become so widely accepted that one of the newer regulations to affect organizations accepting credit card payments--the Payment Card Industry Data Security Standard (PCI DSS)--specifies their use at least once per year.

But penetration tests have a lesser-known benefit over and above remediating flaws contained in applications themselves: they can be used to test the security knowledge and awareness of computer users, so that they do not inadvertently compromise security through human error.

Hackers are increasingly using social engineering techniques such as phishing, where an attacker tries to perpetrate fraud by sending out legitimate-looking emails in an attempt to garner personal or financial information from an end user. In its latest Security Threat Report, security vendor Symantec saw a 66 per cent increase in computers that have been identified as hosting one or more phishing Web sites, probably owing to increased use of automated phishing kits.

Penetration tests allow organizations to set up social engineering exercises: garnering information such as e-mail addresses from vulnerable applications, then using wizards and templates to create an e-mail, associate it with an exploit and send phishing messages to employees to see how aware they are of security issues and how they respond to such an attack.

In this way, organizations can identify which users are less security-savvy--and may need some training on how to avoid such scams.

Through the use of integrated security testing, organizations are in a better position to protect against two of the greatest threats to their organizations: exploitable vulnerabilities in their Web-based applications and errors made by end users.

Just remember: testing is not a one-off task and should be repeated at regular intervals or whenever significant changes are made to applications or networks. Hackers are becoming increasingly sophisticated and have an ever-growing range of automated tools at their disposal to help them perpetrate their deeds.

Security tools and penetration tests in particular allow organizations to think and act like hackers--and hopefully outsmart them.

Fran Howarth is principal analyst at Quocirca. She and five other analysts contribute a regular column to ZDNet Asia's sister site, Silicon.com, that seeks to demystify the latest jargon and business thinking.
