Why I love testing Web applications

    05 Sep 2007

    I get the question “What part of security do you like the best?” quite often. The first part of my response is always “security testing”. Any given network has lots of weaknesses – regardless of how much it’s locked down and I love trying to find and point out all the flaws. [My wife used to say I was really good at pointing out other flaws, but I’ve since worked past that personality quirk. It is an interesting tie-in though. ;-)]

    The second part of my response to this question is “Web applications!”. Earning a living performing security assessments, I’ve seen – and still do see – a lot of vulnerabilities across a lot of operating systems, wireless networks, and network infrastructure devices. The thing is that most of these vulnerabilities are pretty predictable. Missing patches here – missing passwords there – unhardened systems everywhere. Beyond these basics, as of late I’m really growing to enjoy performing Web application assessments. Here’s why:
    1. They’re all different
    2. They’re ever changing
    3. They can be extremely complex (read: more chances for security problems)
    4. There are no real standards for locking them down like there are for operating systems, wireless, etc. because they’re all so unique
    5. There’s no way that all developers are going to think to secure everything
    6. Much to the chagrin of executives and even certain developers, no firewall in the world is going to protect against poor application logic!
    7. There are a lot of great Web application scanners including some free ones to help take the pain out of the testing process. [Web vulnerability scanners won’t find everything though! They’re only about 50% of the equation. Human context and reasoning picks up where they leave off.]
    The bottom line is that Web applications are almost always riddled with security problems that someone, somewhere didn’t think about along the way. So, if you want to know what area of security to focus on over the next…oh, decade, you can’t go wrong with Web applications. They’re here to stay and they’re out there full of holes waiting to be found and plugged.