WebApp Sec mailing list archives

Re: Security Testing


From: Bill Pennington <billp () boarder org>
Date: Mon, 3 Mar 2003 11:22:59 -0800

For good web application security papers I would recommend 2 sites:

OWASP - http://www.owasp.org
CGISecurity - http://www.cgisecurity.org/ Mainly the Library section http://www.cgisecurity.org/lib/index.shtml

I would generally recommend having a separate team perform security testing and not the developers. Hopefully you do not have developers performing QA functions; security testing is no different.

Security testing generally should be performed during the QA stage of the application or directly after QA. When I use the term QA I am referring to the functional testing of the application, i.e. does it work? I like to perform security testing after the functional testing has already taken place. It takes longer to test something that doesn't function correctly in the first place. A typical system development cycle would look like this:

1. Spec
2. Develop
3. Functional QA testing
4. Security QA testing
5. Go live.

There are of course loops back into Dev. during steps 3 and 4 when bugs are encountered.

There is a political issue with this methodology that must be pointed out. The security testing is the last thing before the app. goes live. This can put a tremendous amount of pressure on the security testers as most products have deadlines and go-live dates that someone is going to get a bonus if they are met. This sets up a pretty bad situation where the security tester may not perform a diligent job due to adverse pressures, or vulnerabilities might be overlooked or classed as "Acceptable risk" by management just so the deadline can be met. I have not found a good way around this yet other than to make sure you have all risk acceptance issues in writing and signed.

I strongly feel you should have a team dedicated to doing this type of testing. You can do this in house or hire consultants. Consultants can get expensive if you are performing a lot of assessments, but for 1-5 a year it might be worth an outsider's perspective. Experience really matters when testing web applications. I have performed around 350 of them in the past 4 years and I am still running into new things and new ways people have coded really insecure apps. Also, I really mean you need a team. It is very difficult for one person to be an expert on all the issues that surround web app. security. In a corporate environment it might be a bit easier since there are theoretical standards in place (like we only use IIS, ASP, MS SQL Server). The issue you will run into, though, is that you will be asked to test a biz. partner that will be using (iPlanet, JSP, and Informix).

Well I have rambled enough, hopefully I have given you a few things to consider. Feel free to ask me more questions.

On Monday, March 3, 2003, at 10:09 AM, Ramirez, Manuel N (CORP, DDEMESIS) wrote:

Hi everybody,
I was wondering if some of you have some papers regarding web application security testing. I'm working on a CMM initiative and we are planning to include a security testing phase so every newly developed application is security-error free.

Would you recommend every development team perform security testing, or is it better to have a group of experienced people doing these activities for all of the developed applications?

Best regards,
Manuel


---
Bill Pennington, CISSP, CCNA
Senior Information Security Engineer
WhiteHat Security Inc.
http://www.whitehatsec.com
