The industry is ablaze with web application security mania. While the topic is by no means brand new, it has been driven to the fore recently through an explosion of highly publicized security compromises and through the increasing demands placed on organizations to assess the posture of their applications in order to comply with standards.
As more and more organizations rely on pen testers to simulate malicious attacks, it has become essential that organizations be poised to assess potential service providers and vendors offering these services. In doing so, organizations can intelligently test their pen testers and thereby get the most bang for their security buck.
With a wide range of companies offering pen testing, organizations need to be prepared to take steps to ensure they are not procuring sub-standard services. Organizations should be in a position to assess prospective consultants against a number of key areas, and also avoid common pitfalls when selecting IT service providers that provide pen testing.
Accordingly, one of the most critical areas of pen testing competence involves the use of a well-defined and established methodology. In addition, with the proliferation of guidelines and reference material freely available, there is no excuse for a weak or ambiguous methodology.
Additionally, a web application pen tester should have a first-rate understanding of how applications are architected and developed in order to effectively assess and evaluate their security posture. The entire secure development lifecycle should be considered – whereby application testing is only a single step in a phased approach comprised of executive sponsorship, awareness, secure development training, threat modeling and source code review – as well as ongoing assessments, remediation and testing processes.
At the same time, organizations should take heed. Overreliance on pen testing tools and automation consistently results in a limited perspective. While application assessment and source code scanners are effective, useful technologies, the blind use of these tools without intelligent manual vetting and further probing will lead to a shoddy assessment, with no value added beyond the tools' output. Failure to comprehend the business logic of the application is a grave mistake and can lead to a number of substantial attack vectors.
Organizations should also be alert to latent agendas and be wary of consultants who might use pen tests purely as a means of driving the sale of technologies. While each of these technologies does have a role to play, the blind use of these tools in isolation, or without fully understanding and addressing the root cause of each vulnerability, is postponing what then becomes an inevitable compromise.
The report quality, thoroughness and completeness of pen tests are crucial. Ultimately, the final report and feedback are the only tangible deliverables for an assessment engagement, and thus, should be as helpful as possible. Recommendations should be clearly defined and prioritized in accordance with business and technical considerations, and must take into account any requirements or constraints that are relevant in the context of the application's function within the organization.
Thus, as chief information security officers and their peers grapple with justifying and allocating budgets for information security assessments, it is important to quantifiably demonstrate the assessments' worth. Searching for the truth in terms of security priorities – as well as ensuring that web application assessments justify the capital outlay and improve overall security posture – will go a long way toward helping organizations derive the maximum benefit from their pen test investments.
Nicholas Arvanitis is solutions architect, security, at Dimension Data.