Application Auditing and Ethical Hacking

How likely is it that someone would try to hack into your company data? It's been estimated that 95% of companies experience breach attempts. We believe that estimate is low. We understand the need for code reviews and security testing because many of our applications manipulate data that must be kept secure. To our select clients, we offer code auditing and penetration testing to help implement comprehensive security programs that protect private data.

Background

Web applications are usually written by well-meaning, competent developers who are often faced with unrealistic deadlines, too many tasks, too little help and multiple bosses giving them mixed signals about what matters most. The result: applications that may run just fine but show almost no concern for the security of the data they control.

When software is created there should be a team called QA, and one of its roles should include security analysis. The reality is that most non-IT companies have software created and assign "testers" in place of a QA group. This happens as a result of too much trust in the development group, with an ample dose of ignorance. Even when QA teams are formed, security takes a back seat for reasons like

When Microsoft releases an operating system, it's packed with *known* security holes. The Code Red worm, which exploited a buffer overrun in Microsoft's IIS service to gain control of web servers, infected some 300,000 servers (and, by the way, the infections only stopped because the worm was deliberately written to stop spreading!). So if you've ever written any software, we're confident you too have released code that wasn't fully secure. Sad but true, this is more the rule than the exception.

The hardest attacks to prevent are those that exploit the logic of the application. Software is designed with the assumption that users behave in a specific, trustworthy manner, following a predetermined path: log in, then select region, then select customer file... It's rare for designers to think about which users will be modifying cookies or entering thousands of characters into a field that's supposed to hold a zip code.

Some Options

You can protect your data using three methods; using a combination is best, but you'll need to weigh this expense against the cost of a breach.

1. Use automated security tools

What are the first two steps?

1. Create a Budget for Security

The only way to find a solution to any business problem is to first create a budget. In most cases, development and QA teams do not have the tools or resources to prevent new vulnerabilities, let alone begin to address old ones.

2. Establish a Security Development Team

Core developers usually lack the time, the desire and sometimes the expertise to fix security flaws. This secondary team should have a dotted-line connection to top management to ensure problems are properly documented so decision-makers know their options.

Application security threats are real, and failure to address them will result in real risk if your company stores confidential data. While the problem is serious, it can be fixed so long as proper attention and budget are allocated to it.

Note: Security services are not available to short-term clients.
What to do if you're hacked?