March 24, 2010

Help Net Secruity

Q&A: Web application security testing


As the CTO and VP of Engineering at Cenzic, Lars Ewe has a broad background in (web) application development and security.
In this interview he discusses issues related to web application security testing.

What are the most important things to keep in mind when testing websites and web applications for security flaws?

First of all, start doing so ASAP should you not do so already! Secondly, make sure you do so regularly. This isn’t much different from any anti-virus software (AV SW). You want to scan your site regularly, to ensure that you’re keeping up with the latest and greatest attack vectors and any site updates. Also keep in mind that your websites are most likely going through some amount of change on a somewhat regular basis. Depending on your level of in-house expertise you can either choose to perform scans yourself, or work with a 3rd party to help you do so.

What are the pros and cons of using remote vs. in-house security testing?

One is obviously domain expertise, or the lack thereof in-house. The other can be “authority”. We have seen quite a few cases where SaaS customers tell us that their development teams take results delivered by 3rd parties more seriously and tend to question them less than in-house scan results. The other aspect is cost. The cost structures different between both approaches. Choosing the right approach or a “hybrid” approach is highly dependent on the exact circumstances.

Based on your experience, what are the biggest misconceptions when it comes to security testing?

There are still many folks out there that think that they don’t need any web app security testing since they have sufficient network security protection in place. Unfortunately they fail to realize that both port 80 and 443 are huge holes in their network armor and that their existing investments are most likely not effective to protect them against web app attacks.

Many folks still seem to think that testing their app once (usually sometime after it has gone online or maybe during the staging phase), is sufficient. Regular testing is required, very similar to AV SW.

While WAFs have come a long way, they still provide only limited protection, as more complex attack vectors are almost impossible to protect against with current WAF technology. This is not to sat that WAFs aren’t valuable. They certainly have a place in the overall picture, particularly when combined with blackbox testing and subsequent automated configuration of the WAF based on blackbox findings, but they simply cannot replace the need for thorough security testing. And then there are various misconceptions WRT quality of results between blackbox vs. whitebox vs. manual pen testing. In short, a healthy combination of all three is obviously best, but in case of limited budget I strongly recommend starting with blackbox testing, as it tends to provide by far the best price/coverage/results ratio from all three approaches.

When it comes to security testing, how deep does the rabbit hole go? Should organizations just make sure they're compliant or does it pay to cover all bases?

As with so many things in life this basically comes down to risk management. A good solution does provide sufficient risk management metrics to help you decide the right mix based on risk metrics / criteria, and your own comfort level of risk you want to take. In the perfect world you would obviously try to cover all bases, but in real life you will likely have to manage your resources due to limited means. This is similar to any other insurance you buy. First you want to analyze and better understand and quantify the risk and possible “what if” scenarios, then you can decide on the right level of insurance based on the collected data. A good solution will provide you enough high-level data to help you decide where to invest more time & money on testing and remediation and where you might be ok as is (based on your own risk criteria). This is another reason why blackbox is the best approach to start with. Blackbox is the best way to provide a quick risk management assessment across the board.