In reading one of Brian Tracy’s books, Brian discusses a story of Albert Einstein and an exam he gave to his graduate physics class at Princeton University. After the exam, Dr. Einstein was approached by a student who asked: “Dr. Einstein, wasn’t that the same exam that you gave to this physics class last year?” Dr. Einstein replied “Yes, it was the same exam as last year.” The student then asked “But Dr. Einstein, how could you give the same test two years in a row?” Dr. Einstein replied “Because, in the last year, the answers have changed.”
This story illustrates the complexities around web application security: how much it changes, how complex it can be, and, most certainly, how no one has all the answers.
I’ve been fortunate to have the opportunity to test the security of many websites and web applications over the past decade. It’s what I love doing the most in my work because every new site/application is a new experience. Of course, some of the security flaws are the same across the board but every new project brings unique challenges. The enormity of the matter is very humbling.
The things that defined web application security flaws (and fixes) last year may not be true this year. The answers are continually changing. Given these factors, I wanted to share with you some of my recent experiences and ideas on how you can get a better grip on this ever-changing target:
“A business associate referred our company to Principle Logic when we were seeking a resource to perform vulnerability /penetration testing for our external and internal networks. We found Kevin Beaver to be professional, well informed, and easy to work with. His testing did not disrupt our networks, and his progress updates were timely.
His final report was very thorough and included security recommendations for our network environment. The executive leadership was so impressed with Kevin’s security expertise, they have extended their agreement to continue to perform periodic testing. We highly recommend Kevin Beaver and Principle Logic as a resource for network security testing.”