Looking at Good Application Security – It’s Not Just about Penetration Testing

(An updated article from article Tek-Tips, originally published in 2010: http://tek-tips.nethawk.net/looking-at-what-makes-good-application-security-knowledge/)

In 2013, there is still a growing reliance on penetration testing to identify all the flaws in the security of systems and applications. This is a flawed approach. While penetration testing is important and we believe a must-do for all new systems and applications being rolled out, if this is all you are doing, you really need to assess your whole security framework and systems development lifecycle. Penetration testing is just an assurance assessment – just one component of how an application should be reviewed/audited/tested by companies.

In the 2010 article, we looked at how fraud as one example will rarely be stopped by penetration testing alone. You could cite numerous other types of breaches of security that penetration testing alone will never help you with.

The full definition of what “security” encompasses is more than just identifying vulnerabilities in code. Many in the security industry are focused to the point of obsession on only vulnerabilities and technical attack vectors….. new attack type X, new attack type Y – all generally old stuff just re-invented in different ways but promoted as new big things by many in the industry. It’s such a narrow focused view that stops at the technical exploit. That’s not where the role of a security professional should stop.

If it stopped there, we’d never be able to stop a lot of breaches, frauds and “non-policy” behaviour. But, many in our industry, behave and promote the “technical” side as the be-all and end-all and then just want to sell you things that may, (generally not) stop the “technical” side security breaches.

Background:
http://beastorbuddha.com/2009/05/24/application-security-reviews-pitfalls-dangerous-mistakes-and-assumptions/

Companies need to take more of a holistic “system” view versus just an application by application view. This explains where we are coming from:
http://beastorbuddha.com/2009/02/05/system-view-security-vs-application-view-security/

Lets look at “Application Security”. You can vulnerability test, penetration test, security test, run app scanners…whatever you want to call it…but does that give you a decent level of confidence that you know where your issues may lie to prevent fraud/protect your business? Will fixing those problems identified in these types of testing make your organisation more secure? Yeah? Well to a small degree. BUT, what is “security” trying to protect you against? You’ve done this type of testing, but what about:

– Security Architecture; System Development, System Management
– User Administration and Review; Logical Access, Access Controls, Access Review, Segregation of Duties
– Application Administration and Usage; System Maintenance
– System Security; Network Security, Integrity, Confidentiality, Availability, Non-Repudiation, Physical Security, Third Party and External Connections
– Security Logging and Monitoring; Audit Logs, Monitoring
– System Maintenance and Support; System Access, Change Control
– Handling and Storage of Information and BCP; Backup and Storage, Business Continuity Planning, Destruction of Data
– Legal and Regulatory
– Exception to Policies and Standards; Non-compliance Scenarios

If you’re not doing these things as a minimum as part of your application/systems security reviews, you’ll fail and always be wide open to fraud and other business risks.

I question some people’s credentials as “Application Security Experts” when all they can talk about is technical vulnerabilities and attack vectors. That just makes you a coding problem expert who has good hacking skills to break code…not an Application Security Expert. If you want to be an expert in application security, you need to understand a little more and maybe fraud like that mentioned at the start of this post could be averted in many cases.

Applications that cannot be hacked into because they have been penetration tested and problems fixed, and are protected by FWs, IDS/IPS and WAFs are still easy game if you haven’t really looked at the “security” of the applications/systems.

Drazen Drazic

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s