Prevent data leaks with web application security testing
We hear about it all the time: companies get hacked, data is breached and information is stolen. Hackers do this for many reasons, but the companies involved get their reputations damaged and sometimes face liability claims for the information that was stolen from them. In this age it is the responsibility of companies to keep the data entrusted to them safe from these threats. Web application security testing is a focused way to identify where security holes exist, how severe they are, and how to fix them.
How do cyber hackers get in?
They get in in numerous ways, among them by exploiting anything you have facing the internet. This could be web servers, services you provide to customers, e-mail delivery systems or an unknown hole you may have left open. Anything that is exposed to the internet is risky. Patches can help with the servers themselves, but what about the services you provide? Is code or a web site that you have written vulnerable to exploitation? How can you be sure?
Many programs and web applications have openings. For example, Microsoft releases a security bulletin every month with a list of newly found vulnerabilities and the patches for them, and that covers just their servers. Your in-house code or websites can be just as vulnerable. How do you keep up with patches on that? The chart below (taken from an actual Veracode web application security scan result) breaks flaw types down by severity and category so you know which ones need to be taken care of first.
Are you exposed?
Every day, hackers come up with new ways to exploit things and share them among themselves. It is important to know what they are doing in order to protect your own systems. Having a trusted third party that knows what techniques hackers use can be key. This is one of the major web application security best practices, as the third party can help detail the current security state and where the environment should be. Conducting outside penetration testing, vulnerability assessments and PCI security audit compliance testing, and obtaining remediation consulting, are all very helpful when they come from a trained third-party provider. Web application security testing identifies errors down to the exact line of code and reveals the severity of each flaw. The graph below, also taken from a Veracode web application security scan, shows how many flaws exist and categorizes them by severity.
Do your Web apps have code exploits?
Most programs use pre-packaged segments or parts that were used in other programs. Since this can quickly add up to thousands of lines of code, it can be nearly impossible to tell whether there is a hole in it that can be exploited. Errors in compilers can introduce still more errors that you may not be able to see in the source code itself. The chart below outlines severity levels, a description of each, and whether or not the code needs to be modified.
What about other security holes?
Sometimes unintentional holes are left open. Servers get removed or are simply given too many permissions. Openings such as VPNs are deliberately left in place for maintenance. Do you know where they all are? Are there safeguards in place on them, and do they have vulnerabilities? The chart below shows flaws found via dynamic scan. Each flaw ID corresponds to a specific flaw, such as improper access control.
Real world examples:
It is hard to forget the TJ Maxx incident years ago. They were hacked using SQL injection on vulnerable web code. Once inside, the hacker started packet sniffers and quietly stole data for months before the company found out. Sony had a similar hack on the PlayStation Network, compromising usernames, passwords, birth dates and the like. They are still trying to repair their image after that one. CardSystems got hacked, and after their contracts were pulled because of the fiasco they sold themselves off to a company that no longer exists. These are just a handful of examples of system hacks that have cost companies hundreds of millions of dollars and their reputations. Check out our list of 2013's top hacks thus far.
Prevent leaks before they happen with web application security testing
So what can we do? Patching the servers and perimeter systems is good. Isolating those systems from the core network in a DMZ is good. But if your company connects to the internet, it could be vulnerable. Anything from the firewall you use to connect your branch offices to your company website could be a potential entry point. It is important to find out what you have and what needs to be reviewed, primarily based on business criticality.
How can you check these things?
There are IT companies that specialize in this type of web application security testing, such as Black Diamond Solutions. This means not just penetration testing, but actually checking your code against the latest security exploits. We can even cross-check your subnets to find any other exposure you may not know about. Contact us to request a free web application security scan using the Veracode platform, and from there we can advise on further actions.
Latest posts by Michael McLaughlin
- Prevent data leaks with web application security testing - September 6, 2013