You can't secure what you don't acknowledge.SM

Wednesday, September 5, 2007

Why I love testing Web applications

I get the question "What part of security do you like the best?" quite often. The first part of my response is always "security testing". Any given network has lots of weaknesses - regardless of how much it's locked down and I love trying to find and point out all the flaws. [My wife used to say I was really good at pointing out other flaws, but I've since worked past that personality quirk. It is an interesting tie-in though. ;-)]

The second part of my response to this question is "Web applications!". I've seen - and still do see - a lot of vulnerabilities across a lot of operating systems, wireless networks, and network infrastructure devices earning a living performing security assessments. The thing is that most of these vulnerabilities are pretty predictable. Missing patches here - missing passwords there - unhardened systems everywhere. Beyond these basics, as of late I'm really growing to enjoy performing Web application assessments. Here's why:
  1. They're all different
  2. They're ever changing
  3. They can be extremely complex (read: more chances for security problems)
  4. There are no real standards for locking them down like there are for operating systems, wireless, etc. because they're all so unique
  5. There's no way that all developers are going to think to secure everything
  6. Much to the chagrin of executives and even certain developers, no firewall in the world is going to protect against poor application logic!
  7. There are a lot of great Web application scanners including some free ones to help take the pain out of the testing process. [Web vulnerability scanners won't find everything though! They're only about 50% of the equation. Human context and reasoning picks up where they leave off.]
The bottom line is that Web applications are almost always riddled with security problems that someone, somewhere didn't think about along the way. So, if you're wanting to know what area of security to focus on over the next...oh, decade, you can't go wrong with Web applications. They're here to stay and they're out there full of holes waiting to be found and plugged.

No comments:

Post a Comment