Beefy Boxes and Bandwidth Generously Provided by pair Networks
There's more than one way to do things
 
PerlMonks  

Re^3: Web Application Security Vulnerability testing

by afoken (Parson)
on Nov 06, 2012 at 06:06 UTC ( #1002415=note: print w/ replies, xml ) Need Help??


in reply to Re^2: Web Application Security Vulnerability testing
in thread Web Application Security Vulnerability testing

Fortunately my company and boss know better than to trust me with actually implementing application security testing.

Nice. But make sure everyone learns that even constant security checks won't prevent a clever attacker from finding an obscure path through your system.

Once, one of my systems was tested by a well-known organisation for one of the clients. They found a problem with the login function: In a certain combination of operating system and database, it was possible to test account names for existence. So, an attacker could significantly reduce the number of combinations of names and passwords to be tested. Of course, this was not expected behaviour, and I removed that bug.

But: They did not find a way in, so they did not test anything else. The client was happy with that, the system earned its "tested by $organisation" stamp, and now it was "secure" and could be used.

It seems none of the testers even thought of calling technical support, pretending to be one of the users that (s)he found during the login tests and have the password of that account reset or revealed.

None of the testers asked for a test account to try to attack the system from the inside.

None of the testers asked for the source code.

Alexander

--
Today I will gladly share my knowledge and experience, for there are no sweeter words than "I told you so". ;-)


Comment on Re^3: Web Application Security Vulnerability testing
Re^4: Web Application Security Vulnerability testing
by squimby (Acolyte) on Nov 08, 2012 at 00:26 UTC
    I know that sentiment. The most popular phrase I hear is 'Security is a process, not a product,' and I think the second most popular one needs to be 'The weakest element in any IT network is the people who use it.' Needless to say, now we have procedures for resetting passwords and verifying users on the phone to mitigate social engineering attacks. Now I sleep better at night.

Log In?
Username:
Password:

What's my password?
Create A New User
Node Status?
node history
Node Type: note [id://1002415]
help
Chatterbox?
and the web crawler heard nothing...

How do I use this? | Other CB clients
Other Users?
Others wandering the Monastery: (6)
As of 2014-07-23 04:52 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?

    My favorite superfluous repetitious redundant duplicative phrase is:









    Results (133 votes), past polls