We all make mistakes, it's in human nature. In Information Technology, there are numerous mistakes, oversights, and blunders that are repeated consistently day after day. But given what there is to lose when it comes to web application security, why not learn from the mistakes of others so you don't get burned?
Here are the top 10 mistakes, all based on assumptions, that you need to be aware of when seeking out the real business risks in your web vulnerability assessments:
1. Assuming everyone is on board with what you're doing, i.e. the web application security audit. Many people, including key players such as developers and compliance managers are often out of the loop on vulnerability assessments. Getting all the right people involved, in advance, will help ensure smooth testing and project success.
2. Not dedicating the same amount of resources for all web applications. Focusing on the critical web applications is good but you eventually need to find and fix all the web security vulnerabilities that can cause problems. This includes seemingly harmless marketing websites, content management systems, intranet and portals, and the web interfaces for your network devices. Remember that a malicious user only needs to find 1 exploitable vulnerability for his malicious attack to succeed.
3. Assuming you've properly tested from all angles. Think outside the box. You need to test your web applications both without and with user authentication, from in front of and behind the firewall or WAF, IPS controls, etc. to ensure that all web application vulnerabilities have been uncovered.
4. Using complex tools without knowing how they operate. Most of the tools used nowadays, like a web application vulnerability scanner automate most of the tasks for you and make the process of identifying vulnerabilities quite easy. Though there might be other tools that are quite complicated to use and only seasoned experts are able to fully exploit their capabilities. Therefore always make sure that you know your tools inside out and what repercussions they might have when used.
5. Assuming that just because a vulnerability wasn't uncovered, it doesn't exist. As with human diseases, there is always a chance that something is lurking undetected in your web environment. Be careful so you don't get caught off guard with a false sense of security. Take every necessary step to ensure all web application vulnerabilities are identified.
6. Relying on third parties for the security of your web applications. This is especially dangerous, in the context of cloud services and hosting providers etc. Regardless of the situation, make sure you fully understand how these web systems are being tested and secured and never take anything for granted. If need be make your own research and ask around for more information before subscribing to a cloud service or use a hosted service.
7. Expect a fix for reported vulnerabilities without following up. Developers may not even hear about the problem because management won't tell them about the vulnerabilities you identified. If they do, they could have their own set of priorities that keeps them from addressing the security issues that matter to you. So in such cases always liaise and follow up with the responsible contact to ensure all reported vulnerabilities have been remediated.
8. Assuming that your developers will learn from their mistakes and not repeat the same coding problems again in the future. Unless developers really understand what the issue is, and the business invests in training them to write secure code, you will keep on identifying the same vulnerabilities in newly developed web applications.
9. Assuming that a "secure" web application is a "compliant" web application and vice versa. This is reason enough to get your auditors and compliance managers involved to ensure that risks are known and business assets are being properly protected.
10. Expect management to understand your findings and continue support of your web vulnerability testing program. Simply uncovering web application vulnerabilities isn't necessarily going to create a sense of urgency for others. You need to make it known what's at stake, for example by showing what a malicious attacker can gain when exploiting a detected vulnerability.
Don't ignore these issues and repeat the mistakes of others if you would like to ensure that your web applications are secure and not end up hacked. As long as you understand this and realize that you must remain vigilant with your vulnerability detection programs and never let your guard down, you'll be well ahead of the curve.