Web Security Blog

Web Application Security Testing - Focusing on the Endgame


It is not difficult to engage a company to perform a web security test or penetration test - there are many to choose from. Selecting one that will deliver reliably and support your endgame is an altogether different challenge.

Chances are you will be diligent in your research and find a selection of companies that are experienced and trustworthy. They will have evidence of the thoroughness and quality of their service - accreditations, awards and customer references - and perhaps security testing is their core business. They should also align with the industry standards, be able to work to project timeframes, and might even throw a free re-test into the bargain.

Some of these qualities are fundamentally important and help establish trust - but are you actually focusing too much on the company at the expense of the endgame?  

What most organisations really need from web application security testing is a complete understanding of the real risks, clear guidance to help improve security and comply with industry best practice, and a method of maintaining and proving this high level of security going forward, continuously.

A security test should not be simply a snapshot but a means of taking what has been learnt and improving our practices, ensuring that we raise standards and then keep them raised.

In order to achieve this, it is essential that we are aware of the real security risks facing our web applications, our underlying information and our business.

Through a process of threat profiling - or threat modeling - we are able to examine and record the relevant threats to our business applications before any testing actually takes place.

The subsequent tests are then focused on a well-researched and agreed set of security threats, rather than simply executing a barrage of standardised technical tests.

Having identified and tested against the relevant threats, we can then easily relate technical and logical vulnerabilities to those threats. By doing so, we establish the true security risks, which in turn helps us direct and prioritise our remediation efforts.
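The following is an added illustration of the process described above, not code from the article or from its author: threats are recorded before testing, each finding from the test is linked to the threat(s) it makes possible, risk is scored per threat, and remediation is ordered by that score. It also flags two things a practitioner wants to see in the report: threats in the profile that no test was executed against, and findings that map to no agreed threat (typically output of a standardised scan that needs a review decision rather than a silent score). The threat profile, findings, test log and the likelihood x impact x exploitability scoring scheme are all constructed assumptions.

```python
"""Threat-driven prioritisation of web application test findings.

Added example (not the article's own code). All threats, findings and the
scoring scale below are constructed sample data for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    id: str
    description: str
    likelihood: int  # assumed scale: 1 (rare) .. 5 (expected)
    impact: int      # assumed scale: 1 (negligible) .. 5 (severe)


@dataclass(frozen=True)
class Finding:
    id: str
    title: str
    threats: tuple          # ids of the profiled threats this finding enables
    exploitability: int     # assumed scale from the test: 1 (hard) .. 5 (trivial)


# Constructed threat profile, agreed before testing started.
THREATS = (
    Threat("T1", "Account takeover through credential attacks on the login form", 4, 5),
    Threat("T2", "Disclosure of customer records to another authenticated user", 3, 5),
    Threat("T3", "Defacement of public pages", 2, 2),
    Threat("T4", "Denial of service through a resource-expensive report export", 3, 3),
)

# Constructed findings produced by the test, each tied back to the profile.
FINDINGS = (
    Finding("F1", "No rate limiting on the login endpoint", ("T1",), 5),
    Finding("F2", "Stored cross-site scripting in product reviews", ("T3",), 4),
    Finding("F3", "Insecure direct object reference on the account page", ("T2",), 3),
    Finding("F4", "Verbose server version banner", (), 1),
)

# Constructed log of which threats actually had test cases executed.
TESTS_RUN = {"T1", "T2", "T3"}


def threat_risk(threat, findings):
    """Risk for one threat: likelihood * impact * worst exploitability of any
    finding that enables it. A threat with no enabling finding scores 0."""
    enabling = [f for f in findings if threat.id in f.threats]
    if not enabling:
        return 0
    return threat.likelihood * threat.impact * max(f.exploitability for f in enabling)


def prioritise(threats, findings):
    """Order findings by the highest-risk threat each one enables.
    Returns a list of (finding id, score), highest risk first."""
    risk_by_threat = {t.id: threat_risk(t, findings) for t in threats}

    def score(f):
        return max((risk_by_threat.get(tid, 0) for tid in f.threats), default=0)

    ranked = sorted(findings, key=score, reverse=True)
    return [(f.id, score(f)) for f in ranked]


def untested_threats(threats, tests_run):
    """Threats in the agreed profile that no test case was executed against."""
    return [t.id for t in threats if t.id not in tests_run]


def unmapped_findings(findings, threats):
    """Findings that enable no profiled threat; these need a review decision
    (add a threat or accept) rather than a computed score."""
    known = {t.id for t in threats}
    return [f.id for f in findings if not any(tid in known for tid in f.threats)]


if __name__ == "__main__":
    print("Remediation order:")
    for fid, score in prioritise(THREATS, FINDINGS):
        print(f"  {fid}: risk {score}")
    print("Threats with no test evidence:", untested_threats(THREATS, TESTS_RUN))
    print("Findings outside the threat profile:", unmapped_findings(FINDINGS, THREATS))
```

Run as a script it prints F1 first (the login rate-limiting gap enables the highest-rated threat), then F3, F2 and the unmapped F4 at zero; it also reports T4 as untested, so the report can state plainly that the denial-of-service threat has no evidence either way rather than implying it was covered.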

As standard, findings should be benchmarked against global security standards in order to see where we fall short. It is important to qualify and quantify the gap between our own security and security best practice, then to raise our game and fill the gap.

Most importantly, we need to turn our attention from the results of the test to the recommendations. These must be set out clearly in an easily accessible, yet private and secure, format.

We need concise and actionable recommendations if we are going to improve our web application security quickly. To maintain these standards going forward, we require access to relevant further reading and training, and a process to incorporate these secure practices into the development process.

This is essential not only for our own peace of mind, but for the reassurance of third parties and other stakeholders. We need to be able to prove that our environment is a safe place for others.
