Application Security
3/14/2016
11:30 AM

Understanding The 2 Sides Of Application Security Testing

Application security testing: just defining it is a struggle. If you ask ten experts, you'll get ten different answers -- and they're probably all correct, which is really problematic. Generally, there are two forms. First there is dynamic application security testing, where you test the application at runtime. Then there is static analysis, where you test the code during development. It's like the difference between a room thermometer and a meat thermometer: both measure temperature, but they serve two very different purposes.

When you do dynamic testing in production, what you're really measuring is the production security of the website relative to the "bad guy": can they hack the site or not? With static analysis, the measurement is different. Ideally, that type of measurement gauges how good the software is, so you can rid it of vulnerabilities before they become a production risk.

And finding vulnerabilities in application security testing is very different than exploiting them. There are people who find vulnerabilities very well, but aren’t skilled at exploitation, and then there are people that are very good at exploitation but aren’t able to find vulnerabilities. You could call it the difference between the folks who know how to run sqlmap versus the folks who know how to find SQL injection.
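
The static-analysis side of the split above, as an added illustration that is not part of the original article or of any WhiteHat product: a small source-level check that walks a Python AST and flags database `execute` calls whose SQL is assembled at runtime (concatenation, `%` formatting, `str.format`, f-strings), which is the pattern that lets SQL injection into the code in the first place. The two snippets it scans are constructed here; the `execute`/`executemany`/`executescript` method names are assumed to be the database calls of interest. This is a finder, in the article's sense, not an exploitation tool: it tells a developer where the query is built unsafely and what the parameterized form looks like.

```python
import ast
from dataclasses import dataclass
from typing import List, Optional

# Method names treated as "this sends SQL to the database" (assumption).
DB_CALLS = {"execute", "executemany", "executescript"}


@dataclass
class Finding:
    line: int
    reason: str


def _dynamic_sql_reason(node: ast.AST) -> Optional[str]:
    """Return why the first argument is built at runtime, or None if it is not."""
    if isinstance(node, ast.JoinedStr):
        return "f-string used to build SQL"
    if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Add):
        return "string concatenation used to build SQL"
    if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Mod):
        return "%-formatting used to build SQL"
    if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format"):
        return "str.format() used to build SQL"
    return None


def find_dynamic_sql(source: str) -> List[Finding]:
    """Static check: flag DB_CALLS whose SQL text is assembled from other values.

    Limitation worth knowing: the check only looks at the expression passed
    directly to the call. A query concatenated into a variable elsewhere and
    passed by name is not seen, which is exactly the kind of gap dynamic
    testing at runtime exists to cover.
    """
    tree = ast.parse(source)
    findings: List[Finding] = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call) or not node.args:
            continue
        func = node.func
        name = func.attr if isinstance(func, ast.Attribute) else getattr(func, "id", None)
        if name not in DB_CALLS:
            continue
        reason = _dynamic_sql_reason(node.args[0])
        if reason is not None:
            findings.append(Finding(node.lineno, reason))
    return sorted(findings, key=lambda f: f.line)


# Constructed sample: three ways of building the same injectable query.
VULNERABLE_SNIPPET = '''
def lookup(cur, user):
    cur.execute("SELECT * FROM users WHERE name = '" + user + "'")
    cur.execute(f"SELECT * FROM users WHERE name = '{user}'")
    cur.execute("SELECT * FROM users WHERE name = '%s'" % user)
'''

# Constructed sample: the parameterized form the developer should use instead.
SAFE_SNIPPET = '''
def lookup(cur, user):
    cur.execute("SELECT * FROM users WHERE name = ?", (user,))
'''


if __name__ == "__main__":
    for label, snippet in (("vulnerable", VULNERABLE_SNIPPET), ("safe", SAFE_SNIPPET)):
        results = find_dynamic_sql(snippet)
        print(f"{label}: {len(results)} finding(s)")
        for f in results:
            print(f"  line {f.line}: {f.reason}")
```

Run as a script it reports three findings for the first snippet and none for the second. The point is the one the article makes: a check like this runs in the developer's editor or CI long before the code is deployed, whereas a dynamic scan or a RASP agent only sees the query once it is executing in production.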

What's interesting is the ethos around that. It is not a one-and-done kind of thing. You find a cross-site scripting or SQL injection vulnerability, but you don't win in five minutes. It might take you an hour or two to find it, the next day or two to extract data, and maybe a week or more to pivot around. The interesting thing about the defense side is that the offense doesn't win in an instant, or even an hour.

Even if you are given root-level access on a banking server, it's going to take you a while to extract data. The defense side gets a little bit of a reprieve if they can detect the attack or even the compromise within a few hours. When they do that, they are doing quite well because they could take what would otherwise have been a very devastating scenario and make it very tolerable. Yes, the bad guy won. But detecting it quickly before any damage is done is the goal.

There are a lot of vulnerabilities out there and everyone needs something easy to wipe them out. It could be one, it could be 50% of them, or it could be all of them. It's really hard to tell, but companies need options to wipe out vulnerabilities.  

When we started really looking for a solution for the remediation and vulnerability management problem at WhiteHat Security, we looked at RASP technologies because they provided easy integration, strong protection, and real-time visibility, allowing companies to neutralize vulnerabilities that are actively being exploited. There are great RASP solutions out there from a range of providers, big and small.          

Everybody likes to focus on the top 10 vulnerabilities, but from my experience, I've never found a company that had a top 10 vulnerabilities problem. Every company has a different Top 10. And it's very important for each company to target and fix the vulnerabilities that are specific to each organization with a solution that can do that easily.

What we all want, at the end of the day, is to see more vulnerabilities getting fixed. We want to see the remediation climb to 70-, 80-, and 90%, and we want to see the hacks go down. 

Comments
johannacuriel, User Rank: Apprentice
3/27/2016 | 8:03:53 PM
Finding vulnerabilities vs exploiting them vs risk
Nothing could be more certain, that one thing is to find vulnerabilities and another is to exploit them. The article also exposes the fact of how much time both of these activities can take. What about focusing on assessing risks? That could be the 3rd side of application security. The fact that you have found a vulnerability, and maybe it is exploitable, does not necessarily mean that it represents a risk to the organization. Example: an SSL vulnerability such as DROWN in a website that does not have any authentication forms, and only displays information, does not represent a risk. One can even ask, why even use HTTPS? Why even do a pentest? The example is quite crazy but I hope it clarifies my point.