4 Penetration Testing Tips: Interop Preview - InformationWeek


Commentary | David Wagner | 9/23/2014 09:26 AM


Jumpstart your enterprise security testing efforts with this advice from Interop speaker David Rhoades of Maven Security Consulting.

[Image: Eavesdropping On A New Level]

You know those four out of five dentists who recommend a certain kind of chewing gum to prevent cavities? They also recommend penetration testing for your enterprise. Well, sort of. Somewhat like your friendly dentist, Steven Pinkham and David Rhoades of Maven Security Consulting say that the first line of defense is what your company can easily do to protect itself, before hiring firms like theirs. Maven Security will be coaching companies in security testing at a session during Interop New York.

Why should you do your own penetration testing when Maven or someone else could do it for you? Rhoades likens learning to do your own pen testing to brushing your teeth and flossing. "Even after you brush your teeth and floss you still have to go to the dentist," Rhoades said, "because he has that external view and expertise that you don't have."

But he also points out that if you aren't going to do any testing yourself first, then you're wasting your time and theirs. Having an in-house pen testing capability is important to get the low-hanging fruit. If you don't do that, then his team or whoever you hire will never get to the most serious of your problems. "The best reason to take an [Interop] session like [ours] is to become a better 'patient'," Rhoades said. "Every doctor wants a patient that eats well and doesn't smoke. If you don't do that, what we do won't work. We don't sell silver bullets."

[Going to Interop? Be sure to attend Maven Security Consulting's Hands-On Web Application Penetration Testing on Sept. 29, the first day of the show.]

The session addresses two of the most serious problems facing your organization today -- cross-site scripting and SQL injection. It will provide a virtual environment called the Web Security Dojo, which includes your own targets to practice on, and even after you leave the event you can continue to use Web Security Dojo to practice your skills. "When the class is over, the class ain't over," stressed Rhoades.

It is hard to imagine a more important topic at Interop New York. The cost of breaches is rising in the US every year. According to a study by Ponemon and Symantec, the cost of a breach in the US can be as high as $199 per record lost. Considering that the number of records lost in breaches is going up, it adds up quickly. Just ask Target, which lost 3% to 4% of its transactions last Christmas because of a breach.

So, how can you be a better security "patient" so Maven or another security firm can help? According to Rhoades:

  • When developing new applications, consider security requirements first. "Don't bolt it on later."
  • Test as you go. "Don't wait until right before you go live to test. That's too late."
  • Someone has to drive security. Whether it is a CISO or a CTO or someone else, there has to be someone willing to make it a priority.
  • Get the easy stuff before any outside folks come in. "I swear, sometimes I feel like if I see another cross-scripting error, I'm just going to fire that client."

Rhoades said almost anyone in a company could take away something valuable from the Maven Interop session. "We're looking more for attitude than title. Honestly, an accountant could attend this and it could open their eyes. Their attention to detail might lend itself nicely to being able to do a repeatable, safe, security assessment." Of course, what they're really hoping for is developers and those in charge of lines of business. Anyone who can champion good security is welcome and necessary.

"We need more good people trained in the art of black-hat hacking," Rhoades said. "That's the only way we're going to stop the attacks."

In its ninth year, Interop New York (Sept. 29 to Oct. 3) is the premier event for the Northeast IT market. Strongly represented vertical industries include financial services, government, and education. Join more than 5,000 attendees to learn about IT leadership, cloud, collaboration, infrastructure, mobility, risk management and security, and SDN, as well as explore 125 exhibitors' offerings. Register with Discount Code MPIWK to save $200 off Total Access & Conference Passes.

David has been writing on business and technology for over 10 years and was most recently Managing Editor at Enterpriseefficiency.com. Before that he was an Assistant Editor at MIT Sloan Management Review, where he covered a wide range of business topics including IT, ...

Comments

Drew Conry-Murray, User Rank: Ninja, 9/23/2014 | 11:47:34 AM
Brushing & Flossing
I love the dentist analogy here. So much about risk management and security is taking care of daily basics. You gotta brush and floss if you want to avoid a lot of pain later at the dentist. And frankly, it's refreshing to hear a security company say they don't have silver bullets. No one does, but that's not a message you hear very often in the market.

David Wagner, User Rank: Strategist, 9/23/2014 | 12:12:50 PM
Re: Brushing & Flossing
@Drew- The analogy is all from David Rhoades. He's really great at giving you a reason for everything he does. He should be a great speaker at Interop this year.

Ashu001, User Rank: Ninja, 9/23/2014 | 1:14:17 PM
Re: Brushing & Flossing
David,

The Analogy was most Apt.

I am sure David will be a superb Speaker at Interop.

These are a lot of very basic but also very useful tools that unfortunately most Organizations miss.

The reason is that Security Teams are not Embedded within Development Teams from the Beginning.

If they were, Development would (initially) be a very slow and cumbersome process, but then you would save a whole lot of Pain and Agony in The Long-Run.

The Other thing is about the fact that most Development Cycles have gotten way too fast today and these Teams can't tolerate obstacles from anyone Let alone Security.

So unless we see a top-down order (embedding Security compulsorily in place), nothing much will change.

Regards

Ashish.

David Wagner, User Rank: Strategist, 9/23/2014 | 1:17:10 PM
Re: Brushing & Flossing
@ashu001- David would definitely agree with you that you need someone driving this. I wonder about the idea of security taking too long in the development cycle though. I wonder if that is because we just aren't doing it. It takes longer at first to do a lot of things and then we practice them and they get faster.

Ashu001, User Rank: Ninja, 9/23/2014 | 1:20:41 PM
Re: Brushing & Flossing
David,

PRECISELY!

You Nailed it perfectly here.

This is the Single most important reason why it takes longer than it should in Development Cycles.

The Notion about SDLC is something which needs to kick in Bigtime rather than just as a fancy buzzword (which it has unfortunately become today).

Regards

Ashish.

zerox203, User Rank: Ninja, 9/24/2014 | 12:48:00 AM
Re: 4 Penetration Testing Tips
I'll second that the dentist/doctor analogy is a perfect one. After all, if you're only looking to do the bare minimum, you might as well do it yourself, and save your money on the 3rd party firm (This part extends to the dentist analogy as well)! When you call in the dentist, you're looking for two things - routine, necessary care that you can't do yourself at home (penetration testing and things that require specialized analysis/horsepower), and specific issues that may have slipped through the cracks. Sometimes the latter will include seemingly obvious stuff, and that's okay - just make sure you've done your due diligence first.

I do think that faster dev cycles and generally faster-paced business culture have a lot to do with these breaches and gaps in security. There are probably a lot of best practices that could improve how we work security into agile development (etc.) from the get-go, but it seems unlikely that we can ever reach old levels of diligence. After all, the whole idea of speeding up dev cycles and slashing red tape is that we were doing too much, right? And after all, there's some fairness to that. 3-4% for a company like Target is huge, but is it really that much more than adding 10% or 20% to their dev time? Depends on your perspective.

Stratustician, User Rank: Ninja, 9/24/2014 | 1:40:15 PM
Re: Brushing & Flossing
I think there is also a bit of stigma for developers to ask or allow the security teams to pen test their applications for fear that there might be a significant hole that requires revisions to the application, resulting in longer development cycles, especially if they have to go back and revise the design to fix these flaws. Having security as part of the development cycle in earlier stages would definitely help in many cases.

Ashu001, User Rank: Ninja, 10/7/2014 | 12:44:20 PM
Re: Brushing & Flossing
David,

Yes that probably explains why Security in SDLC slows things down so much today.

It's very much a chicken and Egg situation currently.

Because we don't do enough of it we don't have enough trained folks, and because there aren't enough Trained folks out there, Software Development Teams are reluctant to go the whole Hog and embed Security in Lifecycles of Software designed today.

Somebody has to take the first step. Else nothing changes.

Regards

Ashish.

Ashu001, User Rank: Ninja, 10/7/2014 | 12:46:41 PM
Re: Brushing & Flossing
Stratustician,

If you go about the whole process honestly, Openly and Transparently and show them the Big Picture, I see no real reason why Developers would be resistant to the whole process (or against it).

After all, they also want to deliver the Best Products out there. Don't they?

It's beyond essential that we implement and embed Security in SDLCs today.