WebApp Sec mailing list archives
RE: Security Testing
From: "Brass, Phil (ISS Atlanta)" <PBrass () iss net>
Date: Mon, 3 Mar 2003 16:01:55 -0500
The first thing you are going to need is some kind of control over each application requirements document. In every requirements document, there is going to need to be a high-priority, un-deferable requirement for zero high-risk security exposures, and some definition of what is meant by that - secure from anonymous people, secure from users, secure from people who have read the source, etc. This is probably the most crucial step, and will save you boatloads of money. If it's not in the requirements, then it won't always happen in engineering, which means it won't get caught until QA or some external audit, at which point the application may need to be shut down and fixed, or possibly re-architected. Making it a priority from the start, which means putting a line in the actual requirements document, is the signal that management "buys-in" to the security idea. Next I would recommend that you have (at least) one of your engineers be the "security architect". This is the guy who is going to have to know all about web application security exploits, and safe web application coding techniques to avoid them - this means he goes to black hat & defcon & reads all the whitepapers and *definitely* subscribes to this list. To get your money's worth, find somebody this appeals to on the dev team, don't give it to somebody who thinks "Oh geez, I have to learn all this HTTP nonsense". Like most architecture people, he is going to need decent people skills cause he is going to be in the business of telling the other engineers what they are doing wrong and getting them to do things right. Suggestions that engineers should not test the security of the code are well-intentioned but misguided. Having the engineers write test-drivers for their code is an excellent practice and can ensure higher productivity and fewer bugs. This is true for the security area as well, where an engineer who understands web application security exposures *and* who knows how the application works could quickly write tests for crucial issues. While some would say that developers might be motivated to cover up security issues, my experience with development (admittedly limited to working with highly-motivated world-class engineers) is that you are far more likely to have product managers and engineering directors (i.e. those with substantial bonuses on the line) try to cover up or defer issues than you are to have engineers do so. But rather than blindly trust in the engineering pride-of-ownership, we should institute some checks and balances. This means the QA staff should also be testing for security weaknesses. At least one person on the QA staff should also have a good understanding of web app security, and a knowledge of how to exploit web app bugs. Because of the requirements document, security bugs that are found by QA should be high priority and as non-deferable as possible (this is another one of those places where management commitment comes in). The QA staff should be aided by automated web-app security testing tools, and get some training in how to use them. For best results, a periodic external security audit is a good safety net that can help catch things missed by the internal staff. I guess the biggest point is, don't take those who say "only QA should do security testing" literally - in particular, don't make security a non-issue until it gets to QA. Security should be a requirement, a design goal, a bunch of functional items, there should be engineering tests for it if possible, strong QA testing of it, and occasional external review. Starting security in QA is definitely a bad idea. I don't think any of the previous posters would disagree with these points either - this is just a more verbose answer. Good luck with your CMM program! Phil
-----Original Message----- From: Ramirez, Manuel N (CORP, DDEMESIS) [mailto:Manuel.Ramirez () ddemesis ge com] Sent: Monday, March 03, 2003 1:10 PM To: webappsec () securityfocus com Subject: Security Testing Importance: High Hi everybody, I was wondering if some of you have some papers regarding web applications security testing. I'm working on a CMM iniciative and we are planning to include a security testing phase so every new developed application is security-error free. Would you recommend every development team to perform security testing or it's better to have a group of experienced people doing these activities for all of the developed applications? Best regards, Manuel
Current thread:
- Security Testing Ramirez, Manuel N (CORP, DDEMESIS) (Mar 03)
- Re: Security Testing Kevin Spett (Mar 03)
- Re: Security Testing Jeff Williams @ Aspect (Mar 03)
- RE: Security Testing drG4njubas (Mar 03)
- Re: Security Testing planz (Mar 04)
- <Possible follow-ups>
- Re: Security Testing Bill Pennington (Mar 03)
- RE: Security Testing Pitts, Christopher C. (Mar 03)
- RE: Security Testing Brass, Phil (ISS Atlanta) (Mar 03)
- RE: Security Testing scott wood (Mar 03)
- Re: Security Testing Kevin Spett (Mar 03)