• Solutions
  • Solutions Overview
    • About Our Solutions
    • Determine Exposure to Real-World Threats
    • Perform Continual, Automated Testing
    • Assess Security Across IT Layers
    • Validate Security Controls
    • Connect Security Data to Business Risk
  • Solutions by Industry
    • Financial Services
    • Government
    • Health Care
      • Respond to the HITECH ACT
      • Validate HIPAA Compliance
      • Limit Unauthorized Insider Activities
      • Maximize limited security staffing
      • Drive down Web-based Security Risks
      • Insulate Your Networks from Unauthorized Devices
      • Diminish the Impact of Social Engineering
      • Validate security investments
    • Higher Education
      • Overview
      • Assess exposure to potential data breaches
      • Insulate networks from unmanaged devices
      • Limit unauthorized insider activities
      • Drive down web-based security risks
      • Maximize limited security staffing
      • Diminish the impact of social engineering
      • Validate security investments
      • Meet compliance demands
    • Retail
  • Solutions for Compliance
    • CAG
    • FFIEC
    • FISMA / NIST
      • NIST 800-137
      • NIST 800-39
      • NIST 800-53
    • GLBA
    • HIPAA
    • PCI
    • SOX
    • Validate Security Controls
• Products
  • Products Overview
  • CORE INSIGHT Enterprise
    Security Intelligence Solution
    • Overview
    • How It Works
    • Dashboards
    • Reports
    • What's New
    • Demos
      • CORE Insight Videos
    • Data Sheets and White Papers
    • Comparing CORE INSIGHT to CORE IMPACT
    • How to Buy
  • CORE IMPACT Pro
    Penetration Testing Software
    • Overview
    • What It Tests
      • End-User Security Awareness
      • Endpoint Systems
      • Mobile Devices
      • Network Devices
      • Network Systems
      • Web Applications
      • Wireless Networks
      • IPS/IDS, Firewalls and Other Defenses
      • Vulnerabilities Identified by Scanners
    • Commercial-Grade Exploits
      • Overview
      • Recent Exploits and Updates
      • How Our Exploits Work
      • About Our Client-Side Exploits
      • About Our Agents
    • Vulnerability Scanner Integration
    • Reporting
    • What's New
      • Version 12.3
      • Version 12
      • Version 11
    • Demos
      • Impact
    • Data Sheets, White Papers and Other Resources
    • Intro To Penetration Testing
      • What Is Penetration Testing?
      • Comparing Security Testing Options
      • What To Look For
      • Independent Penetration Testing Resources
      • Conducting Penetration Tests
    • Comparing CORE IMPACT to CORE INSIGHT
    • Training, Certification and Support
    • How to Buy
  • Core WebVerify Web
    Application Security Testing Software
    • Overview
    • Web Application Vulnerability Coverage
    • WebVerify vs. Scanners
    • Reveal Implications of Application Vulnerabilities
  • Core CloudInspect Cloud Security Testing for AWS
  • Demos and Evaluations
  • The Research Behind Our Products
  • Why Our Products are Safe
  • How to Buy
• Services
  • Services Overview
  • Core Security Consulting
    Services
    • Overview
    • Comprehensive Penetration Testing
    • Application Penetration Testing
    • Web Services Security Assessment
    • Source Code Auditing
    • Wireless Penetration Testing
    • Leading-Edge Technology Testing
    • How to Buy
  • CORE IMPACT Professional Services
    • Overview
    • Web Application Penetration Testing Services
    • Network Penetration Testing Services
    • Client-Side Penetration Testing Services
    • Wireless Network Penetration Testing Services
    • Benefits
    • How to Buy
• CoreLabs Research
  • CoreLabs Overview
  • Research Projects
  • Advisories
  • Publications
    • Presentations and Papers
    • Journals and Magazines
    • Internet Articles
  • Open Source Projects
  • CoreLabs Extranet Site
• News & Events
  • News & Events Overview
  • Events and Webcasts
    • Webcasts
    • Conferences
    • Speaking Engagements
  • News
    • Press Releases
    • In The News
  • Reviews
  • Awards
• Partners
  • Partners Overview
  • Strategic Partners
    • Business Partners
    • Technology Partners
  • Training Partners
    • CICT Training and Certification
  • Using Core's Products in Your Consulting Practice
• Company
  • Company Overview
  • Management Team
  • Board of Directors
  • Customers
    • Success Stories
  • Careers
  • Contact Us
• Blog
• Customer Portal

• News & Events

• News & Events Overview

• Events and Webcasts
  • Webcasts
  • Conferences
  • Speaking Engagements

• News
• Press Releases
• In The News

• Reviews

• Awards

SHARE

Security is a component of quality, so QA should perform security testing, says Michael Gavin with Galen Schreck and Thomas Powell

Attackers rely on automated testing tools and technical expertise

Applications are business enablers, allowing people and programs to access the data and information they need to perform their work. Because that information is often the target of an attacker, applications must be designed and implemented based on security requirements as much as they are based on functionality, performance, usability and quality requirements.

Unfortunately, many of the applications deployed today were created without security requirements, or with security requirements based on assumptions that are no longer valid. To protect an environment running such software, an organisation needs mechanisms that find security issues in its deployed applications and prevent those issues from being exploited. There are some automated means of securing applications. Although the existing tools in both categories are promising, they are not sufficient without significant operator expertise.

* Security testing and assessment tools can help find security issues. Application scanning tools can find many problems and are a good first step in solving security issues. Attackers tend to use proxy tools and automated penetration-testing tools; if an organisation’s data is at risk of being attacked, it should use these tools as well.
* Application layer firewalls can prevent exploitation of software security oversights. Application firewalls are complementary to testing tools, and are especially needed because your applications rely on software that you didn’t write, such as Web servers, database servers, and operating system libraries. However, it is better to find and eliminate the vulnerabilities you can than it is to rely on additional security tools to prevent them from being exploited.

Train or hire your own trusted experts to attack your applications

To beat attackers to the punch, organisations need to use the same tools that they use and obtain the same expertise that they have.

* Bring in hired guns for sensitive applications. You should hire experts to test the applications that provide access to your high-value assets; fortunately, such expertise is available. Companies that specialise in application security testing include Security Innovation and WhiteHat Security. Other firms you should consider engaging include FishNet Security, Neohapsis, Solutionary, @stake (acquired by Symantec), Foundstone (acquired by McAfee), and any of the big four consulting firms (Deloitte, KPMG, Ernst & Young, and PricewaterhouseCoopers).
* Teach QA staff to think like attackers, and provide the tools to carry out those attacks. Outsourcing the testing of all your applications is likely to be a very costly proposition. The better option is to outsource only the testing of critical applications, and simultaneously bring the required expertise in-house to test the remaining applications. Although security issues should be addressed throughout the application development lifecycle, you need to start in one place. It makes the most sense initially to bring this expertise into your QA organisation.

Once trained and experienced at testing an organisation’s apps, QA testers can evaluate and determine the best testing tools to use in that environment. Application scanning tools include Application Security’s AppDetective, Cenzic’s Hailstorm, the open source Nikto project, SPI Dynamics’ WebInspect, and Watchfire’s AppScan. Proxy security testing tools include Immunity’s SPIKE Proxy, Maven Security Consulting’s Achilles, and the open source Paros Proxy. Automated penetration testing tools include Core Security Technology’s CORE IMPACT, Immunity’s CANVAS, and the open source Metasploit project. Additional advanced testing tools for researchers, hackers and experienced security testers include reverse engineering tools such as decompilers, disassemblers, debuggers and hex editors.

Executive summary

Awareness of software security issues gained some traction in 2005, and the new wisdom is for enterprises to test applications for security in addition to functionality, performance and usability prior to deployment. If you have never addressed the security of your applications, the best place to start is where the attacker will by probing and testing applications for security problems.

There are three main classes of software security testing tools: application scanning tools, proxy-based tools, and automated penetration-testing tools. Unfortunately, these tools are difficult to compare in a meaningful way, and their use requires expertise in security, testing, and the technologies used by the application. Enterprises will therefore need to either outsource this testing or train quality assurance staff to be security testers. Testing application security will allow organisations to fix or minimise problems before attackers can find and exploit them.

What it means: bring your adversary’s expertise in-house

Fancy tools aren’t enough. Automated testing tools can’t replace smart QA people. Just as attackers use tools and their own expertise, you need to combine tools and expertise to fight them.

* Fancy tools aren’t enough. Automated testing tools can’t replace smart QA people. Just as attackers use tools and their own expertise, you need to combine tools and expertise to fight them.
* The playing field can be levelled. Attackers have had an advantage because they only have to find one exploitable vulnerability to win. You can use their tools and techniques to find those vulnerabilities first. The attacker’s job is now more difficult because he lacks knowledge of your internal systems, and upon finding a weakness might still need to create an exploit for it. By learning his tricks and acquiring and using the same tools before deploying new applications, you can beat the attacker at his own game.

1 Application firewalls are difficult to compare in a meaningful way. The Web Application Security Consortium published its Web Application Firewall Evaluation Criteria, but it really is a first-draft document that needs much more work before it will be truly useful. Source: Web Application Firewall Evaluation Criteria, Web Application Security Consortium, January 14, 2006. Forrester has recently published research on the state of application firewalls in enterprises. See the January 3, 2006 Tech Choices’ Application Firewalls—are they worth the investment?

2 Sources of information for gaining the required expertise include James Whitaker and Herbert Thompson, How to Break Software Security, Addison Wesley, 2004; Greg Hoglund and Gary McGraw, Exploiting Software: How to Break Code, Addison Wesley Professional, 2004; and Arian Evans, Tools of the Trade:
AppSec Assessment Tools, The OWASP Foundation, April 2005.
For more information, contact Forrester India Country Manager Sudin Apte on sapte@forrester.com or phone 020 25674390 / 91.

Source:Expresscomputeronline
http://www.expresscomputeronline.com/20060306/management02.shtml