
Application Security

3/14/2016
11:30 AM

Understanding The 2 Sides Of Application Security Testing

Everybody likes to focus on the top 10 vulnerabilities, but I've never found a company with a top 10 vulnerabilities problem. Every company has a different top 10.

Application security testing: just defining it is a struggle. If you ask ten experts, you'll get ten different answers -- and they're probably all correct, which is really problematic. Generally, there are two forms. First there's dynamic testing, where you test the application at runtime. Then there's static analysis, where you test it during development. It's like having a room thermometer and a meat thermometer: both measure temperature, but they're built for two very different purposes.

When you do dynamic testing in production, what you're really measuring is the production security of the website relative to the "bad guy." Can they hack the site or not? With static analysis, the measurement is different. Ideally, that type of measurement tells you how good the software is, so you can rid it of vulnerabilities before they become a production risk.
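To make the two measurements concrete, here is an added example (not from the article, and not WhiteHat Security's or anyone's product code) that runs both kinds of test over the same two constructed Python functions. The static pass reads the source with the standard `ast` module and, without executing anything, flags `execute()` calls whose SQL is assembled by formatting or concatenation. The dynamic pass never looks at the source: it executes the functions against a throwaway in-memory SQLite table with a probe input and observes whether the query logic was altered. The sample source, the function names and the probe value are assumptions constructed for this example.

```python
import ast
import sqlite3

# Constructed sample application code. The first function builds SQL by string
# formatting; the second passes the value as a bound parameter.
SAMPLE_SOURCE = '''
def find_user_unsafe(conn, name):
    return conn.execute("SELECT id FROM users WHERE name = '%s'" % name).fetchall()

def find_user_safe(conn, name):
    return conn.execute("SELECT id FROM users WHERE name = ?", (name,)).fetchall()
'''


def static_findings(source):
    """Static side: parse the source and report functions that call
    .execute() with a SQL argument built at runtime (f-string, % formatting
    or + concatenation). Nothing is executed; this is the 'during
    development' thermometer."""
    tree = ast.parse(source)
    flagged = []
    for func in tree.body:
        if not isinstance(func, ast.FunctionDef):
            continue
        for node in ast.walk(func):
            if (isinstance(node, ast.Call)
                    and isinstance(node.func, ast.Attribute)
                    and node.func.attr == "execute"
                    and node.args):
                sql = node.args[0]
                dynamic_sql = isinstance(sql, ast.JoinedStr) or (
                    isinstance(sql, ast.BinOp)
                    and isinstance(sql.op, (ast.Mod, ast.Add)))
                if dynamic_sql:
                    flagged.append(func.name)
    return flagged


def dynamic_findings(source):
    """Dynamic side: load the functions, point them at a scratch database
    seeded with two rows, and call each with a name that no user has. If
    rows come back, the input changed the meaning of the query; this is the
    'at runtime' thermometer and it knows nothing about the source text."""
    namespace = {}
    exec(source, namespace)  # constructed sample code only
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [(1, "alice"), (2, "bob")])
    # Probe: no such user exists, so a correct query must return zero rows.
    probe = "nobody' OR '1'='1"
    vulnerable = []
    for fname, func in namespace.items():
        if fname.startswith("find_user") and callable(func):
            if func(conn, probe):
                vulnerable.append(fname)
    conn.close()
    return vulnerable


if __name__ == "__main__":
    print("static analysis flags:", static_findings(SAMPLE_SOURCE))
    print("dynamic testing flags:", dynamic_findings(SAMPLE_SOURCE))
```

Both passes single out `find_user_unsafe` here, but they get there by different routes and fail differently: the static pass would also flag a formatted query whose inputs happen to be constants (a false positive the dynamic pass never raises), while the dynamic pass only sees code paths it actually drives with a probe, so a function it never calls is invisible to it. That gap is exactly why the article treats the two as separate instruments rather than substitutes.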

And finding vulnerabilities in application security testing is very different from exploiting them. There are people who find vulnerabilities very well but aren't skilled at exploitation, and there are people who are very good at exploitation but aren't able to find vulnerabilities. You could call it the difference between the folks who know how to run sqlmap and the folks who know how to find SQL injection.

What's interesting is the rhythm of an attack. It is not a one-and-done kind of thing. You find a cross-site scripting or SQL injection vulnerability, but you don't win in five minutes. It might take an hour or two to find it, the next day or two to extract data, and maybe a week or more to pivot around. The interesting thing for the defense side is that the offense doesn't win in an instant, or even in an hour.

Even if you are given root-level access on a banking server, it's going to take you a while to extract data. The defense side gets a little bit of a reprieve if they can detect the attack or even the compromise within a few hours. When they do that, they are doing quite well because they could take what would otherwise have been a very devastating scenario and make it very tolerable. Yes, the bad guy won. But detecting it quickly before any damage is done is the goal.

There are a lot of vulnerabilities out there and everyone needs something easy to wipe them out. It could be one, it could be 50% of them, or it could be all of them. It's really hard to tell, but companies need options to wipe out vulnerabilities.

When we started really looking for a solution to the remediation and vulnerability management problem at WhiteHat Security, we looked at RASP technologies because they provided easy integration, strong protection, and real-time visibility, allowing companies to neutralize vulnerabilities that are actively being exploited. There are great RASP solutions out there from a range of providers, big and small.

Everybody likes to focus on the top 10 vulnerabilities, but from my experience, I've never found a company that had a top 10 vulnerabilities problem. Every company has a different Top 10. And it's very important for each company to target and fix the vulnerabilities that are specific to each organization with a solution that can do that easily.

What we all want, at the end of the day, is to see more vulnerabilities getting fixed. We want to see the remediation climb to 70-, 80-, and 90%, and we want to see the hacks go down. 


Jeremiah Grossman, Chief of Security Strategy, SentinelOne, Professional Hacker, Black Belt in Brazilian Jiu-Jitsu, & Founder of WhiteHat Security. Jeremiah Grossman's career spans nearly 20 years. He has lived a literal lifetime in computer security to become one of the ...
Comment from johannacuriel (User Rank: Apprentice), 3/27/2016 8:03:53 PM

Finding vulnerabilities vs exploiting them vs risk

Nothing could be more certain, that one thing is to find vulnerabilities and another is to exploit them. The article also exposes the fact how much time both of these activities can take. What about focusing on assessing risks? That could be the 3rd side of application security. The fact that you have found a vulnerability and maybe is exploitable, does not necessarily mean that represents a risk to the organization. Example: SSL vulnerability such as DROWN in a website that does not have any authentication forms, and only displays information, does not represent a risk. One can even ask, why even use HTTPS? Why even do a pentest? The example is quite crazy but hope it clarifies my point