Many of the companies I have worked with in the past have been fairly progressive when it comes to security assessment. A part of this has been to commission penetration tests by a third party to determine network, OS and application vulnerabilities. Surprisingly, the most difficult part of the process was persuading colleagues to act on issues discovered in a test. This was particularly true for web application vulnerabilities as getting a stressed development manager to redirect valuable resource into fixing security holes was never easy. The main reason for this was often that the security team would find it difficult to articulate the threat level of each problem and hence not communicate the true danger level.
A testing company I’ve engaged in the past, Pentest Ltd, recently brought to my attention a site called The Web Application Firewall Information Centre, whose raison-d’être is to maintain a list of web application security incidents. The site lists all publicly reported incidents by type, time frame and outcome. Although I suspect it only includes a fraction of total incidents, not least because many are never reported, it is an excellent source of information to demonstrate how particular vulnerability types have been exploited in the real world. If nothing else it should help the security professional to explain why a vulnerability has a particular threat level and why it needs to be fixed.
Wednesday, September 23, 2009
Subscribe to:
Post Comments (Atom)
No comments:
Post a Comment