A core principle of successful business ventures is planning ahead. It is something we have all learned the hard way, and the adage is so true: if you fail to plan, you plan to fail. Like many aspects of business, planning your web application security testing in advance can have enormous payoffs.
It may seem boring, but planning ahead can save you a lot of time and effort and even some embarrassment. Let's take a look at the areas you need to be thinking about before you fire up your next web vulnerability scan. The basic building blocks for successful web security assessments are:
Your goals are specific places where you want to end up. One of your goals might be to improve the security of your web applications so the business stops getting negative audit and compliance reports or, for some, so it stops suffering malicious intrusions and hack attacks.
Your objectives are sub-goals that you must meet in order to achieve your longer-term goals. One of your objectives might be to establish a periodic web application security testing plan for the next year: for example, every month, every quarter, or any time code changes are made to your business web applications.
Next is your strategy, which dictates how you are going to approach your web application security testing. Your strategy might include in-house or external testing resources, the tools you will use such as a web vulnerability scanner, and which websites and web applications you will test.
Finally, your methodologies, which are sub-strategies, will outline the specific steps you will need to take to execute your web application security tests. An example of a methodology can be something as generic as the ethical hacking methodology of reconnaissance, enumeration, vulnerability detection, and vulnerability exploitation. A methodology could also be something more specific like unauthenticated vs. authenticated web vulnerability scanning.
Experience is always the best teacher, so learn from others and be mindful that it is very easy to under-scope your web application security testing. Make sure you are looking at all the right web systems. You do not have to test everything at once, but you do need to test everything that is critical to the business in the short term. A longer-term goal would be to look at all web systems, eventually. One oversight in this area can have pretty serious business consequences, such as a critical application that goes untested or is assumed to be secure because a cloud provider or other third party says so, or a high-priority vulnerability such as SQL injection that goes undetected.
If you get the right people on board, such as developers, product managers, and higher-level IT and business executives, you will be able to develop a program around these areas of web application security testing. The important thing is to never go at it alone.
Perhaps more important than anything else is to not forget the basis of all your work: business risk. If you can understand the way threats work to exploit vulnerabilities, which in turn create business risks, you will have a target to stay fixated on. That will help your business – and your web application security testing program – more than anything else.
Ultimately, the value of your web application security testing won't reach its full potential unless you approach your work in terms of the business. Get – and keep – the right people on board, use the right tools, fine-tune your testing time after time, and you will create an environment where the proper web security risks are minimized and you get the credit you deserve for your efforts.