You can't secure what you don't acknowledge.℠

Friday, December 16, 2011

AlgoSec & what happens when you don't look for flaws from every angle

I recently had the opportunity to see how well AlgoSec's Firewall Analyzer performs in a real-world security assessment. Long story short, Firewall Analyzer found a weak password on an Internet-facing firewall that would've gone undetected otherwise. A traditional vulnerability scanner didn't find it nor did two different Web vulnerability scanners. Nothing was uncovered via manual analysis either.

Only AlgoSec's Firewall Analyzer found the weakness...no doubt a flaw that would've been exploited eventually.

Folks, information security is about piecing things together. We're never going to find it all, but we darn sure need to use every means possible to check for flaws from every possible angle. Underscope your assessments and you're screwed - at best you're living in a delusional world. Case in point: I just reviewed a vulnerability assessment report that looked at every single external and internal IP address belonging to a business, but not a single marketing site, e-commerce application or intranet portal was tested. And everything checked out "OK". The result that the executives saw was Low Risk Overall.
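To make the scoping point concrete, here is an added example (my own illustration, not code from the post, AlgoSec, or Qualys) that reconciles an asset inventory against what an assessment actually covered. It treats network scanning, web application testing and firewall configuration review as separate layers, so a host whose IP was port-scanned still shows up as a gap when the applications it serves were never tested, and it refuses to emit a clean overall rating while gaps remain. The inventory, hostnames, addresses and scope lists are all constructed sample data.

```python
"""Assessment scope coverage check.

Added example, not from the original post. All inventory entries, IP
addresses, hostnames and scope lists below are constructed sample data.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    ip: str
    role: str          # "firewall", "web", "database", ...
    apps: tuple = ()   # hostnames of web applications served from this host


# Constructed inventory: what the business actually owns.
INVENTORY = [
    Asset("fw-edge-01", "203.0.113.1", "firewall"),
    Asset("www-01", "203.0.113.10", "web", ("www.example.test", "shop.example.test")),
    Asset("intranet-01", "10.0.5.20", "web", ("intranet.example.test",)),
    Asset("db-01", "10.0.5.30", "database"),
]

# Constructed record of what the assessment covered: every IP range was
# scanned, but no application was tested and no firewall was reviewed.
NETWORK_SCAN_SCOPE = ["203.0.113.0/24", "10.0.5.0/24"]
WEB_APP_TESTS = []
FIREWALL_CONFIG_REVIEWED = []


def covered_by_network_scan(ip, scope):
    """True if the address falls inside any CIDR block that was scanned."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(block) for block in scope)


def coverage_gaps(inventory, net_scope, app_tests, config_reviews):
    """Return (target, layer, reason) tuples for everything the assessment missed.

    A host whose IP was scanned is still a gap at the application layer if
    none of the web applications it serves were tested, and a firewall is a
    gap at the configuration layer if nobody reviewed its rulebase and
    administrative credentials.
    """
    gaps = []
    tested_apps = set(app_tests)
    reviewed = set(config_reviews)
    for asset in inventory:
        scanned = covered_by_network_scan(asset.ip, net_scope)
        if not scanned:
            gaps.append((asset.name, "network", "host outside network scan scope"))
        for app in asset.apps:
            if app not in tested_apps:
                note = " (host IP was scanned, app was not)" if scanned else ""
                gaps.append((app, "application", "web application not tested" + note))
        if asset.role == "firewall" and asset.name not in reviewed:
            gaps.append((asset.name, "configuration",
                         "firewall rulebase and admin credentials not reviewed"))
    return gaps


def overall_rating(finding_rating, gaps):
    """Refuse to report a clean overall rating while the scope has holes."""
    if not gaps:
        return finding_rating
    return "Incomplete (%d scope gaps)" % len(gaps)


if __name__ == "__main__":
    found = coverage_gaps(INVENTORY, NETWORK_SCAN_SCOPE,
                          WEB_APP_TESTS, FIREWALL_CONFIG_REVIEWED)
    for target, layer, reason in found:
        print("%-24s %-14s %s" % (target, layer, reason))
    print("Overall:", overall_rating("Low", found))
```

Run as-is, the script lists four gaps (three untested applications plus the unreviewed edge firewall) and reports the overall rating as incomplete rather than "Low", which is exactly the report the executives in the story should have received. Feeding it the same inventory with the applications and firewall marked as tested yields no gaps and passes the finding-based rating through unchanged.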

Wow.

Just like I tweeted about today regarding what Qualys finds in vulnerability scans versus much of the "free" and commercial competition (there's no comparison)...I honestly believe that some big data breaches that have already occurred and have yet to happen will be related to using the wrong tools...or not enough tools...that combined with people not testing all the systems that matter. People aren't looking at the whole picture.

I know, you can't rely on tools alone but by golly you'd better make sure you're not only looking at everything that matters but you're also using the best tools possible when doing your security testing. Here's a new bit I wrote that covers this very subject:
Good Web Security Tools and Why They Matter

2 comments:

  1. Have you looked at the competing product from Tufin and how it compares with Algosec?

  2. I haven't had the opportunity...yet. You?
