Application Security - An Inside Story - TCS
SCR does reveal a lot more issues, but these are actually multiple instances of the same issue. False positives are fewer but do vary across the tools used. The average assessment period is shorter but does require more manual intervention and substantial expertise in the particular programming language.

- 6-10 critical issues per app out of a total of 35-40 issues
- False positives are about 20%-70% on a range of tools
- Avg. assessment period is 2-4 days

The issues found in this mode of scanning are more or less the same. However, some typical issues are not reported, as they can only be exposed in an active (dynamic) mode of scan. There is no magic formula to decide whether this should precede or succeed a black-box scan; it is usually best decided by a security analyst.

- XSS & Injection also dominate the issues found
- Issues pertaining to URL manipulation and session are difficult to find (by tools)
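Why a URL-manipulation or session issue slips past a tool while XSS and injection do not: the response to a manipulated request looks perfectly normal to a scanner that holds a single identity. The following is an added example, not code from the TCS paper; the invoice store, the two user sessions and both handlers are constructed for illustration. It puts the defective handler beside its hardened form and shows the two-identity differential check an analyst runs to surface the problem.

```python
"""Added example (not from the TCS paper): a URL-manipulation / session issue,
its hardened form, and the differential check that actually finds it.

Everything here is constructed for illustration: the in-memory invoice store,
the user sessions and both request handlers are hypothetical.
"""
from dataclasses import dataclass

# Constructed data store: invoice id -> owning user and a field or two.
INVOICES = {
    101: {"owner": "alice", "amount": 250},
    102: {"owner": "bob", "amount": 990},
}


@dataclass
class Session:
    user: str  # the authenticated user bound to this session cookie


def get_invoice_vulnerable(session: Session, invoice_id: int):
    """Looks up the invoice purely by the id taken from the URL.

    A logged-in user who changes ?id=101 to ?id=102 receives bob's invoice.
    Nothing fails noisily: a crawler-based scanner sees an ordinary 200
    response and cannot distinguish a legitimate lookup from a manipulated one.
    """
    inv = INVOICES.get(invoice_id)
    if inv is None:
        return 404, None
    return 200, inv


def get_invoice_hardened(session: Session, invoice_id: int):
    """Same lookup, but ownership is checked against the session's user,
    never against anything supplied in the URL."""
    inv = INVOICES.get(invoice_id)
    # 404 for both "missing" and "not yours", so the id space is not enumerable.
    if inv is None or inv["owner"] != session.user:
        return 404, None
    return 200, inv


def cross_user_access_leaks(handler) -> bool:
    """Differential check a human analyst runs but a single-identity scanner
    cannot: request user B's resource while authenticated as user A.
    Returns True when the handler hands it over."""
    alice = Session(user="alice")
    status, body = handler(alice, 102)  # invoice 102 belongs to bob
    return status == 200 and body is not None and body["owner"] != alice.user
```

The check is cheap to keep in a regression suite: create two low-privilege accounts, have each request the other's objects by id, and fail the build when anything but a 404 or 403 comes back. That is the manual step the paper says tools cannot substitute for.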
The Buzz and the Hoopla!

The buzz and hoopla is created by some high-profile security incidents at best-known enterprises. The incidents, if nothing else, have come as a major advert for the security industry and for vendors providing security solutions. All leading research analyst firms have predicted increased spending and increased focus on security, more so on application security. However, it remains to be seen if the buzz can withstand the stark reality of how enterprises function and operate with respect to security.

Every organization wanted to scan all their applications in the first month itself! Every major security incident would create this frenzy. Unfortunately, security incidents involving major organizations are on the rise!

Apparently the security breaches hurt the enterprises severely at different levels. They cripple their finances and put a question mark against their brand value. It is not easy to defend against a security attack, nor is it any easier to recover from one. Security incidents are often around poor 'best practices' and a laxity in terms of responsibility and accountability. Hardening your firewalls, servers and applications after an attack is like bolting the gate after the horse has left.
Let's look at some interesting case studies from our own experience of dealing with such incidents.

Incident 1: Site defaced. The hacker had left behind a message!

Post-incident paranoia: an attempt to back up the site is unsuccessful, and important forensic imprints are compromised in the process; the logs do not tell the whole story. The case is finally handed over to cyber crime investigators, and all breached instances are seized for further investigation. Our security team was contacted to help!
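The lesson in this incident is the order of operations: the ad-hoc backup destroyed the forensic trail that the investigators later needed. As an added example, not taken from the paper, the code below does the opposite: it hashes every file in place first (reading only, writing nothing inside the tree), copies with timestamps preserved, and can later prove the copy is unchanged. The sample "defaced" web root, its files and all paths are constructed for illustration.

```python
"""Added example (not from the TCS paper): preserving evidence from a
breached web root before anyone backs it up, cleans it or restores it.

All paths and sample files here are constructed for illustration.
"""
import hashlib
import shutil
import tempfile
from pathlib import Path


def hash_tree(root: Path) -> dict:
    """SHA-256 of every regular file under root, keyed by relative path.
    Read-only: it never creates or modifies anything inside root."""
    manifest = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        h = hashlib.sha256()
        with path.open("rb") as fh:
            for chunk in iter(lambda: fh.read(1 << 16), b""):
                h.update(chunk)
        manifest[str(path.relative_to(root))] = h.hexdigest()
    return manifest


def preserve(root: Path, evidence_dir: Path) -> dict:
    """Record the manifest first, then copy the tree with mtimes preserved
    (shutil.copy2). Returns the manifest so it can be kept apart from the copy."""
    manifest = hash_tree(root)
    shutil.copytree(root, evidence_dir / "copy", copy_function=shutil.copy2)
    (evidence_dir / "manifest.txt").write_text(
        "".join(f"{digest}  {rel}\n" for rel, digest in manifest.items())
    )
    return manifest


def verify(evidence_dir: Path, manifest: dict) -> bool:
    """True only if the preserved copy still hashes exactly as recorded."""
    return hash_tree(evidence_dir / "copy") == manifest


def demo() -> tuple:
    """Constructed scenario: a defaced web root is preserved, then a careless
    'restore' edits the evidence copy and verify() catches it.
    Returns (intact_before_edit, intact_after_edit, files_in_manifest)."""
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp) / "htdocs"
        site.mkdir()
        (site / "index.html").write_text("<h1>defaced</h1>\n")      # constructed
        (site / "access.log").write_text("GET /index.html 200\n")   # constructed
        evidence = Path(tmp) / "evidence"
        evidence.mkdir()
        manifest = preserve(site, evidence)
        intact = verify(evidence, manifest)
        (evidence / "copy" / "index.html").write_text("<h1>restored</h1>\n")
        after_edit = verify(evidence, manifest)
        return intact, after_edit, len(manifest)
```

In practice the manifest and the copy go to separate write-once media, and the hashing happens before any backup job, restore or patching touches the host, so the investigators receive something they can rely on.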