Fortunately my company and boss know better than to trust me with actually implementing application security testing.

Nice. But make sure everyone learns that even constant security checks won't prevent a clever attacker from finding an obscure path through your system.

Once, one of my systems was tested by a well-known organisation for one of the clients. They found a problem with the login function: In a certain combination of operating system and database, it was possible to test account names for existence. So, an attacker could significantly reduce the number of combinations of names and passwords to be tested. Of course, this was not expected behaviour, and I removed that bug.

But: They did not find a way in, so they did not test anything else. The client was happy with that, the system earned its "tested by $organisation" stamp, and now it was "secure" and could be used.

It seems none of the testers even thought of calling technical support, pretending to be one of the users that (s)he found during the login tests and have the password of that account reset or revealed.

None of the testers asked for a test account to try to attack the system from the inside.

None of the testers asked for the source code.

Alexander

I know that sentiment. The most popular phrase I hear is 'Security is a process, not a product,' and I think the second most popular one needs to be 'The weakest element in any IT network is the people who use it.' Needless to say, now we have procedures for resetting passwords and verifying users on the phone to mitigate social engineering attacks. Now I sleep better at night.