Beefy Boxes and Bandwidth Generously Provided by pair Networks
Think about Loose Coupling

Re^3: Web Application Security Vulnerability testing

by afoken (Chancellor)
on Nov 06, 2012 at 06:06 UTC ( #1002415=note: print w/replies, xml ) Need Help??

in reply to Re^2: Web Application Security Vulnerability testing
in thread Web Application Security Vulnerability testing

Fortunately my company and boss know better than to trust me with actually implementing application security testing.

Nice. But make sure everyone learns that even constant security checks won't prevent a clever attacker from finding an obscure path through your system.

Once, one of my systems was tested by a well-known organisation for one of the clients. They found a problem with the login function: In a certain combination of operating system and database, it was possible to test account names for existence. So, an attacker could significantly reduce the number of combinations of names and passwords to be tested. Of course, this was not expected behaviour, and I removed that bug.

But: They did not find a way in, so they did not test anything else. The client was happy with that, the system earned its "tested by $organisation" stamp, and now it was "secure" and could be used.

It seems none of the testers even thought of calling technical support, pretending to be one of the users that (s)he found during the login tests and have the password of that account reset or revealed.

None of the testers asked for a test account to try to attack the system from the inside.

None of the testers asked for the source code.


Today I will gladly share my knowledge and experience, for there are no sweeter words than "I told you so". ;-)
  • Comment on Re^3: Web Application Security Vulnerability testing

Replies are listed 'Best First'.
Re^4: Web Application Security Vulnerability testing
by squimby (Acolyte) on Nov 08, 2012 at 00:26 UTC
    I know that sentiment. The most popular phrase I hear is 'Security is a process, not a product,' and I think the second most popular one needs to be 'The weakest element in any IT network is the people who use it.' Needless to say, now we have procedures for resetting passwords and verifying users on the phone to mitigate social engineering attacks. Now I sleep better at night.

Log In?

What's my password?
Create A New User
Domain Nodelet?
Node Status?
node history
Node Type: note [id://1002415]
and the web crawler heard nothing...

How do I use this?Last hourOther CB clients
Other Users?
Others romping around the Monastery: (5)
As of 2023-12-08 19:18 GMT
Find Nodes?
    Voting Booth?
    What's your preferred 'use VERSION' for new CPAN modules in 2023?

    Results (37 votes). Check out past polls.