
4 Penetration Testing Tips: Interop Preview

Jumpstart your enterprise security testing efforts with this advice from Interop speaker David Rhoades of Maven Security Consulting.

You know those four out of five dentists who recommend a certain kind of chewing gum to prevent cavities? They also recommend penetration testing for your enterprise. Well, sort of. Somewhat like your friendly dentist, Steven Pinkham and David Rhoades of Maven Security Consulting say that the first line of defense is what your company can easily do to protect itself, before hiring firms like theirs. Maven Security will be coaching companies in security testing at a session during Interop New York.

Why should you do your own penetration testing when Maven or someone else could do it for you? Rhoades likens learning to do your own pen testing to brushing your teeth and flossing. "Even after you brush your teeth and floss you still have to go to the dentist," Rhoades said, "because he has that external view and expertise that you don't have."

But he also points out that if you aren't going to do any testing yourself first, you're wasting your time and theirs. An in-house pen testing capability exists to clear the low-hanging fruit; if that isn't done, his team or whoever you hire spends the engagement on trivial findings and never gets to your most serious problems. "The best reason to take an [Interop] session like [ours] is to become a better 'patient'," Rhoades said. "Every doctor wants a patient that eats well and doesn't smoke. If you don't do that, what we do won't work. We don't sell silver bullets."

[Going to Interop? Be sure to attend Maven Security Consulting's Hands-On Web Application Penetration Testing on Sept. 29, the first day of the show.]

The session addresses two of the most serious problems facing your organization today: cross-site scripting and SQL injection. It provides a virtual environment called the Web Security Dojo, which includes your own targets to practice on, and after you leave the event you can keep using Web Security Dojo to practice your skills. "When the class is over, the class ain't over," stressed Rhoades.


It is hard to imagine a more important topic at Interop New York. The cost of breaches is rising in the US every year. According to a study by Ponemon and Symantec, the cost of a breach in the US can be as high as $199 per record lost. Considering that the number of records lost in breaches is going up, it adds up quickly. Just ask Target, which lost 3% to 4% of its transactions last Christmas because of a breach.

So, how can you be a better security "patient" so Maven or another security firm can help? According to Rhoades:

  • When developing new applications, consider security requirements first. "Don't bolt it on later."
  • Test as you go. "Don't wait until right before you go live to test. That's too late."
  • Someone has to drive security. Whether it is a CISO or a CTO or someone else, there has to be someone willing to make it a priority.
  • Get the easy stuff before any outside folks come in. "I swear, sometimes I feel like if I see another cross-scripting error, I'm just going to fire that client."
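The two bug classes the session targets, and the "test as you go" advice above, are concrete enough to show in code. The following is an added example, not code from the article or from Maven Security's course material: a lookup and a greeting renderer written the vulnerable way and the hardened way, plus a small self-check of the kind a developer can keep in a unit-test suite so the obvious SQL injection and cross-site scripting findings are caught before an outside tester arrives. The table, the two sample users and the probe strings are constructed for the demo; it uses only Python's standard library (sqlite3 and html).

```python
import html
import sqlite3


# Constructed sample data for the demo (not from the article).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (name, email) VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    conn.commit()
    return conn


def find_user_vulnerable(conn, name):
    # Vulnerable: untrusted input is pasted into the SQL text, so a quote in
    # `name` closes the literal and changes the query's structure.
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, name):
    # Hardened: a bound parameter is always treated as data, never as SQL.
    sql = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def render_greeting_vulnerable(name):
    # Vulnerable: raw input lands in the HTML, so user-supplied <script> runs.
    return "<p>Hello, " + name + "</p>"


def render_greeting_safe(name):
    # Hardened: output encoding appropriate for an HTML text node.
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


# Probe strings of the kind used in a first-pass test (constructed).
SQLI_TAUTOLOGY = "' OR '1'='1"
SQLI_QUOTE = "O'Brien"  # a legitimate value that also breaks naive quoting
XSS_PROBE = "<script>alert(1)</script>"


def probe_sql(conn, lookup):
    """Return a list of findings for one lookup function."""
    findings = []
    total = conn.execute("SELECT COUNT(*) FROM users").fetchone()[0]
    try:
        rows = lookup(conn, SQLI_TAUTOLOGY)
        # The probe names nobody; getting every row back means the quote
        # escaped the literal and the OR became part of the WHERE clause.
        if len(rows) == total:
            findings.append("sqli: tautology returned every row")
    except sqlite3.DatabaseError as exc:
        findings.append(f"sqli: probe caused a database error ({exc})")
    try:
        lookup(conn, SQLI_QUOTE)
    except sqlite3.DatabaseError:
        # A plain apostrophe should never produce a syntax error.
        findings.append("sqli: a single quote in the input breaks the query")
    return findings


def probe_html(render):
    """Flag a renderer that reflects markup without encoding it."""
    out = render(XSS_PROBE)
    return ["xss: markup reflected unencoded"] if "<script>" in out else []


def self_check():
    """Run every probe and map each function name to its findings."""
    conn = make_db()
    return {
        "find_user_vulnerable": probe_sql(conn, find_user_vulnerable),
        "find_user_safe": probe_sql(conn, find_user_safe),
        "render_greeting_vulnerable": probe_html(render_greeting_vulnerable),
        "render_greeting_safe": probe_html(render_greeting_safe),
    }


if __name__ == "__main__":
    for func, findings in self_check().items():
        print(func, "->", findings or "clean")
```

Running the block reports two findings against the concatenating lookup (the tautology matches every user, and an apostrophe raises a database error), one against the raw renderer, and nothing against the parameterized query or the escaped output. The same probes are what a tester tries in the first minutes of an engagement, which is why Rhoades would rather the client had already run them.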

Rhoades said almost anyone in a company could take away something valuable from the Maven Interop session. "We're looking more for attitude than title. Honestly, an accountant could attend this and it could open their eyes. Their attention to detail might lend itself nicely to being able to do a repeatable, safe, security assessment." Of course, what they're really hoping for is developers and those in charge of lines of business. Anyone who can champion good security is welcome and necessary.

"We need more good people trained in the art of black-hat hacking," Rhoades said. "That's the only way we're going to stop the attacks."

In its ninth year, Interop New York (Sept. 29 to Oct. 3) is the premier event for the Northeast IT market. Strongly represented vertical industries include financial services, government, and education. Join more than 5,000 attendees to learn about IT leadership, cloud, collaboration, infrastructure, mobility, risk management and security, and SDN, as well as explore 125 exhibitors' offerings. Register with Discount Code MPIWK to save $200 off Total Access & Conference Passes.