
Understanding The 2 Sides Of Application Security Testing

Application security testing: just defining it is a struggle. If you ask ten experts, you'll get ten different answers, and they're probably all correct, which is really problematic. Generally, there are two forms. First there's dynamic application security testing, where you test the application at runtime. Then there's static analysis, where you test it during development. It's like having a temperature thermometer and a meat thermometer: both measure temperature, but they serve two very different purposes.

When you do dynamic testing in production, what you're really measuring is the production security of the website relative to the "bad guy": can they hack the site or not? With static analysis, the measurement is different. Ideally, that type of measurement tells you how good the software is, so that you can rid it of vulnerabilities before they become a production risk.

And finding vulnerabilities in application security testing is very different from exploiting them. There are people who find vulnerabilities very well but aren't skilled at exploitation, and there are people who are very good at exploitation but aren't able to find vulnerabilities. You could call it the difference between the folks who know how to run sqlmap and the folks who know how to find SQL injection.

What's interesting is the ethos around that. It is not a one-and-done kind of thing. You find a cross-site scripting or SQL injection vulnerability, but you don't win in five minutes. It might take you an hour or two to find it, the next day or two to extract data, and maybe a week or more to pivot around. The interesting thing about the defense side is that the offense doesn't win in an instant, or even an hour.

Even if you are given root-level access on a banking server, it's going to take you a while to extract data. The defense side gets a little bit of a reprieve if they can detect the attack or even the compromise within a few hours. When they do that, they are doing quite well because they could take what would otherwise have been a very devastating scenario and make it very tolerable. Yes, the bad guy won. But detecting it quickly before any damage is done is the goal.

There are a lot of vulnerabilities out there, and everyone needs an easy way to wipe them out. It could be one, it could be 50% of them, or it could be all of them. It's really hard to tell, but companies need options to wipe out vulnerabilities.

When we started really looking for a solution to the remediation and vulnerability management problem at WhiteHat Security, we looked at RASP (runtime application self-protection) technologies because they provided easy integration, strong protection, and real-time visibility, allowing companies to neutralize vulnerabilities that are actively being exploited. There are great RASP solutions out there from a range of providers, big and small.
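To make the two sides of testing concrete, here is an added Python example (not code from the article or from WhiteHat Security). The development-time side walks a constructed source snippet and flags SQL built by concatenation; the runtime side is a deliberately simplified, RASP-style wrapper around a sqlite3 cursor that assumes an allowlist of query structures recorded during testing and refuses any query whose structure differs, which is how injected SQL shows up at runtime.

```python
import ast
import re
import sqlite3
# Constructed sample source for the static side (not code from the article).
SAMPLE_SOURCE = '''def lookup(cur, user):
    return cur.execute("SELECT * FROM users WHERE name = '" + user + "'")
def safe_lookup(cur, user):
    return cur.execute("SELECT * FROM users WHERE name = ?", (user,))
'''
def static_findings(source):
    """Development-time side: line numbers of execute() calls with concatenated SQL."""
    hits = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call) and getattr(node.func, "attr", "") == "execute":
            if node.args and isinstance(node.args[0], (ast.BinOp, ast.JoinedStr)):
                hits.append(node.lineno)
    return hits

def sql_shape(query):
    """Replace string and numeric literals so structurally equal queries compare equal."""
    q = re.sub(r"'(?:[^']|'')*'", "'?'", query)
    q = re.sub(r"\b\d+\b", "0", q)
    return re.sub(r"\s+", " ", q).strip().lower()

class GuardedCursor:
    """Runtime side: RASP-style wrapper that only runs query shapes seen in testing."""
    def __init__(self, cur, known_queries):
        self.cur = cur
        self.known = {sql_shape(q) for q in known_queries}
    def execute(self, sql, params=()):
        if sql_shape(sql) not in self.known:  # structure changed: injected SQL
            raise PermissionError("query structure not in allowlist: " + sql)
        return self.cur.execute(sql, params)

def run_demo():
    """Exercise both sides against an in-memory database; returns a summary."""
    conn = sqlite3.connect(":memory:")
    cur = conn.cursor()
    cur.execute("CREATE TABLE users (name TEXT)")
    cur.execute("INSERT INTO users VALUES ('alice')")
    guard = GuardedCursor(cur, ["SELECT * FROM users WHERE name = 'x'"])
    def vulnerable_lookup(user):  # concatenates on purpose, as SAMPLE_SOURCE does
        return guard.execute("SELECT * FROM users WHERE name = '" + user + "'").fetchall()
    rows = len(vulnerable_lookup("alice"))          # legitimate input passes
    try:
        vulnerable_lookup("' OR '1'='1")            # classic tautology is stopped
        blocked = False
    except PermissionError:
        blocked = True
    return {"static_lines": static_findings(SAMPLE_SOURCE), "rows": rows, "blocked": blocked}
```

The static check finds the flaw before deployment; the runtime guard shows what a RASP-style control adds when that flaw has already reached production.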

Everybody likes to focus on the top 10 vulnerabilities, but from my experience, I've never found a company that had a top 10 vulnerabilities problem. Every company has a different Top 10. And it's very important for each company to target and fix the vulnerabilities that are specific to each organization with a solution that can do that easily.

What we all want, at the end of the day, is to see more vulnerabilities getting fixed. We want to see remediation climb to 70, 80, and 90%, and we want to see the hacks go down.

3/27/2016 | 8:03:53 PM
Finding vulnerabilities vs exploiting them vs risk
Nothing could be more certain, that one thing is to find vulnerabilities and another is to exploit them. The article also exposes how much time both of these activities can take. What about focusing on assessing risks? That could be the 3rd side of application security. The fact that you have found a vulnerability and maybe it is exploitable does not necessarily mean that it represents a risk to the organization. Example: an SSL vulnerability such as DROWN in a website that does not have any authentication forms, and only displays information, does not represent a risk. One can even ask, why even use HTTPS? Why even do a pentest? The example is quite crazy but I hope it clarifies my point.