Application Security
3/14/2016
11:30 AM

Understanding The 2 Sides Of Application Security Testing


Application security testing: just defining it is a struggle. If you ask ten experts, you'll get ten different answers -- and they're probably all correct, which is really problematic. Generally, there are two forms. First there is dynamic testing, where you test the application at runtime. Then you have static analysis, where you test it during development. It's like having a room thermometer and a meat thermometer: both measure temperature, but they serve two very different purposes.

When you do dynamic testing in production, what you're really measuring is the security of the live website relative to the “bad guy.” Can they hack the site or not? With static analysis, the measurement is different. Ideally, that type of measurement tells you how good the software is, so you can rid it of vulnerabilities before they become a production risk.

And finding vulnerabilities in application security testing is very different from exploiting them. There are people who find vulnerabilities very well but aren’t skilled at exploitation, and there are people who are very good at exploitation but aren’t able to find vulnerabilities. You could call it the difference between the folks who know how to run sqlmap and the folks who know how to find SQL injection.
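To make the two measurements concrete, here is an added example that is not from the article: a deliberately simple static check (an AST walk over a handler's source that flags `execute()` calls whose query is assembled at runtime) next to a dynamic check (running the same handler against a throwaway SQLite database with a benign input and a classic tautology probe). The `lookup` handler source, the `users` table and the inputs are all constructed for the demo.

```python
"""Static vs. dynamic detection of one SQL injection defect (added example)."""
import ast
import sqlite3

# Constructed sample handlers, kept as source text so the same code can be
# analysed statically (parsed) and dynamically (executed).
VULNERABLE_SRC = '''
def lookup(conn, username):
    return conn.execute("SELECT id FROM users WHERE name = '%s'" % username).fetchall()
'''
SAFE_SRC = '''
def lookup(conn, username):
    return conn.execute("SELECT id FROM users WHERE name = ?", (username,)).fetchall()
'''


def static_findings(source):
    """Static side: measure the software. Flag every execute() whose query is
    assembled at runtime (% formatting, f-string, + or .format()) instead of
    being a constant with bound parameters. Returns finding line numbers.
    Deliberately simple heuristic: it also flags constant-only concatenation."""
    hits = []
    for node in ast.walk(ast.parse(source)):
        if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                and node.func.attr == "execute" and node.args
                and not isinstance(node.args[0], ast.Constant)):
            hits.append(node.lineno)
    return hits


def dynamic_finding(source):
    """Dynamic side: measure the running code. Execute the handler against a
    throwaway database with a benign name, then with a tautology probe; if the
    probe returns more rows than the benign input, the query boundary can be
    broken from the input. Returns True when the defect is reachable."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [(1, "alice"), (2, "bob")])
    namespace = {}
    exec(source, namespace)  # load the handler under test (demo only)
    baseline = namespace["lookup"](conn, "nobody")
    probed = namespace["lookup"](conn, "nobody' OR '1'='1")
    return len(probed) > len(baseline)


if __name__ == "__main__":
    for label, src in (("vulnerable", VULNERABLE_SRC), ("safe", SAFE_SRC)):
        print(label, "static:", static_findings(src), "dynamic:", dynamic_finding(src))
```

The static check fires on the vulnerable handler before it ever runs; the dynamic check only confirms the defect once the code is executable, which is the distinction the article draws.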

What's interesting is the ethos around that. It is not a one-and-done kind of thing. You find a cross-site scripting or SQL injection vulnerability, but you don't win in five minutes. It might take you an hour or two to find it, the next day or two to extract data, and maybe a week or more to pivot around. The interesting thing about the defense side is that the offense doesn't win in an instant, or even an hour.

Even if you are given root-level access on a banking server, it's going to take you a while to extract data. The defense side gets a little bit of a reprieve if they can detect the attack or even the compromise within a few hours. When they do that, they are doing quite well because they could take what would otherwise have been a very devastating scenario and make it very tolerable. Yes, the bad guy won. But detecting it quickly before any damage is done is the goal.

There are a lot of vulnerabilities out there and everyone needs something easy to wipe them out. It could be one, it could be 50% of them, or it could be all of them. It's really hard to tell, but companies need options to wipe out vulnerabilities.

When we started really looking for a solution for the remediation and vulnerability management problem at WhiteHat Security, we looked at RASP technologies because they provided easy integration, strong protection, and real-time visibility, allowing companies to neutralize vulnerabilities that are actively being exploited. There are great RASP solutions out there from a range of providers, big and small.

Everybody likes to focus on the top 10 vulnerabilities, but from my experience, I've never found a company that had a top 10 vulnerabilities problem. Every company has a different Top 10. And it's very important for each company to target and fix the vulnerabilities that are specific to each organization with a solution that can do that easily.

What we all want, at the end of the day, is to see more vulnerabilities getting fixed. We want to see the remediation climb to 70-, 80-, and 90%, and we want to see the hacks go down. 


Jeremiah Grossman, Chief of Security Strategy, SentinelOne, Professional Hacker, Black Belt in Brazilian Jiu-Jitsu, & Founder of WhiteHat Security. Jeremiah Grossman's career spans nearly 20 years. He has lived a literal lifetime in computer security to become one of the ...
Comments
johannacuriel (User Rank: Apprentice)
3/27/2016 | 8:03:53 PM
Finding vulnerabilities vs exploiting them vs risk
Nothing could be more certain, that one thing is to find vulnerabilities and another is to exploit them. The article also exposes the fact how much time both of these activities can take. What about focusing on assessing risks? That could be the 3rd side of application security. The fact that you have found a vulnerability and maybe it is exploitable does not necessarily mean that it represents a risk to the organization. Example: an SSL vulnerability such as DROWN in a website that does not have any authentication forms, and only displays information, does not represent a risk. One can even ask, why even use HTTPS? Why even do a pentest? The example is quite crazy but I hope it clarifies my point.