This post was originally posted by me on blog.sogeti.com
At the time of writing, a two-day international conference is underway in London UK, focused on the threat from cyber-security attacks. It’s true that cyber-security is a threat to the whole online community. We’ve seen a lot of hacks from groups like Anonymous Hackers. These hacks can be used for malevolent purposes, but also maybe for good – like in this video:
The Anonymous hacker group threatens to release information on the members of Mexico’s Zetas Drug Cartel. I don’t agree with the things Anonymous does, but I certainly don’t agree with drug cartels either. But let’s think about this. The drug cartel is holding an Anonymous member hostage, and as a response Anonymous threatens to release personal data on the Zetas Drug Cartel. The result will be that the identities of the cartel members are made public, so everybody will know who they are. It seems it’ll solve a problem that intelligence agencies cannot solve.
But there’s maybe one question. Who checks the data? Anonymous? What if the data is incorrect? Innocent people will be associated with the drug cartel. And what if an Anonymous member has a grudge against someone like you or me?
But hacker groups like these are not the main threat for most companies. Hacker groups can help companies by showing them the flaws in their systems – and when these companies don’t listen, the hackers try and break in – to prove the point. The bigger problems are the sub groups surrounding these hacker groups. Intelligence is often shared with these groups who have a different (and less well meaning) motivation. They try and break into systems whether on your mobile, your tablet, your laptop, your server or even your data centre. Their objective is to make life miserable for you because they just want to have fun.
In my personal opinion, it’s almost impossible to defend against a group like Anonymous; if they want to break in, they can and they will. The same goes for your house or office: if a real burglar wants to break in, he or she will. But there are also ‘wannabe’ burglars and ‘wannabe’ hackers. They know only a little, but they use this knowledge to their own advantage. You can keep these ‘wannabes’ out – out of your home or office and out of your systems. But how?
Well, there are many ways to keep them out, but before you can keep them out, you need to know what to protect. Just a lock on the door isn’t enough. That’s why you need to know how secure your application is, or how secure it should be. Security should be an essential part of the quality of a business process and should therefore be part of every application developed. So you need insight into the security of your applications, and this insight comes from testing the security.
In the development and maintenance of applications, security should be an essential part of requirements, design and development. And to demonstrate that applications are safe, security should be tested for. Why?
- Users expect good quality and need confidence that the application is safe. When there is no insight into the security risks, it’s not possible to give users that assurance.
- Legislation and rules such as privacy acts, PCI-DSS, SAS70 or SOx require that security is in order. The proof for this can be found by executing tests.
- Sometimes it’s necessary to demonstrate that the application is sufficiently protected against various forms of damage. No one wants negative publicity or to be confronted with all kinds of claims. Testing shows the status of safety.
Note: Testing provides insight into quality, but doesn’t by itself improve the application. It identifies the weaknesses; the improvements still have to be made.
Testing for security risks encompasses many types of tests or reviews including these options:
- A ‘spotlight security scan’ provides a limited indication of the security of an application. This is a one- or two-day scan of the most critical part of the application, which provides good advice on further steps in application security, particularly on following up any issues uncovered;
- ‘Functional security testing’ has a strong focus on what the application should not do, and looks at how it might be misused;
- A ‘code review’ is a static security test that looks at the source code. It can be highly effective because it’s done early in the development process, before the application has been completed (the same applies to static analysis tools). The code review scans the code for security weaknesses and, when done early in the process, creates awareness among the whole project team and stakeholders, which can lead to early improvements and major savings for the remainder of the project;
- A full ‘security assessment’ or penetration test is a thorough investigation that provides insight into the safety not only of the application, but also of the network activity and the infrastructure.
By gaining more insight into application weaknesses it’s possible to keep the ‘wannabe’ out and create a safer application.