download issue 27 here - Help Net Security
the liability for their security risk via contract to the provider. This does not make the security issues go away; it merely transfers ownership of the problem.

It is, however, conceivable that using the cloud will lift some organizations' security posture to a level they are currently unable to achieve on their own. Media pressure will also lead customers to demand that security is addressed when they adopt the cloud. Prospective adopters of cloud services should therefore take great care when investigating the security guarantees and claims made by service providers.

Even with the emergence of the cloud, it should be noted that the types of security threats facing ICT remain much the same, and that the control measures needed to address them have not changed significantly. One requirement is common regardless of the technology delivery mechanism: security testing.
Security testing, trial and error?

Security testing is a popular, but often misunderstood, concept.

At its most basic level, security testing aims to identify vulnerabilities and weaknesses in software and systems so that they can be fixed before they are exploited. Well-publicized examples include SQL injection and buffer overflow flaws. It is important to recognize that security vulnerabilities are not necessarily the product of poorly designed or poorly coded systems. Many result from configuration errors in hardware and software, introduced by human error during implementation or upgrade.
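As an added illustration of the SQL injection flaw named above (example code written for this edit, not from the original article): the first login check builds its query by string concatenation, the second uses a parameterized query. The in-memory SQLite table, the user record and the injected username are constructed for the example.

```python
import sqlite3


def make_db():
    """Constructed in-memory database with a single user (example data, not from the article)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Vulnerable: the SQL text is assembled from user input, so the input can rewrite the query."""
    query = ("SELECT username FROM users WHERE username = '" + username
             + "' AND password = '" + password + "'")
    return conn.execute(query).fetchone() is not None


def login_hardened(conn, username, password):
    """Hardened: placeholders keep the SQL text fixed; values travel separately as parameters."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row is not None


def demo():
    """Runs both checks against a legitimate login and an injected username."""
    conn = make_db()
    # '--' starts an SQL comment, so the password clause never executes in the vulnerable version:
    #   ... WHERE username = 'alice' --' AND password = 'wrong'
    injected = "alice' --"
    return {
        "vulnerable_valid": login_vulnerable(conn, "alice", "s3cret"),
        "vulnerable_injected": login_vulnerable(conn, injected, "wrong"),
        "hardened_valid": login_hardened(conn, "alice", "s3cret"),
        "hardened_injected": login_hardened(conn, injected, "wrong"),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:20s} login accepted: {ok}")
```

The vulnerable version accepts the injected username with a wrong password; the parameterized version treats the same string as an ordinary (non-existent) username and rejects it. The fix is in how the query is constructed, not in filtering the input, which is why the injected value needs no special handling in the hardened path.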
A good security testing strategy is an essential element of any security risk management plan, especially for catching the minor human errors that can snowball into serious breaches if they are not identified early. A strategy for testing and verifying all aspects of hardware and software integration is a 'must have' for any system implementation or software development project. It is also essential that such strategies approach security broadly, rather than focusing only on specific 'high risk' areas such as authentication and access management; this way the unexpected problems are found along with the anticipated ones.
A common, cost-efficient approach has been to develop and implement business systems first, and then follow up with a short black-box penetration test to see whether the system can be penetrated. This leaves systems wide open to attack, because a short test of that kind covers only part of the system and other areas are neglected.

The remedy is to raise awareness that there are other kinds of security test, and that a more consolidated, comprehensive approach to security testing across all the components of today's business systems is needed.
It simply makes sense to start testing as early as possible, to stop potentially critical vulnerabilities sneaking into mission-critical systems. Advances in tooling make it much easier to integrate security testing alongside traditional testing programs: automated source code analysis and simulated application-level attacks against web applications can surface security issues before the production phase. Automated tools have their downsides, however (false positives among them), and should always be complemented with manual testing.
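To make the false-positive point concrete, here is an added example (not from the article, and not the logic of any particular product) of the kind of rule an automated source code analyzer applies, run over a handful of constructed source lines, followed by a manual-style triage step that separates a genuine injection site from a harmless concatenation of module constants. The file names, line numbers and code lines are invented for the example.

```python
import re

# Constructed source lines a scanner might see (invented for this example, not from the article).
SAMPLE_SOURCE = [
    ("app/login.py", 12, "cur.execute(\"SELECT * FROM users WHERE name = '\" + name + \"'\")"),
    ("app/login.py", 20, "cur.execute(\"SELECT * FROM users WHERE name = ?\", (name,))"),
    ("app/report.py", 8, "TABLE_NAME = \"audit_log\""),
    ("app/report.py", 40, "cur.execute(\"SELECT * FROM \" + TABLE_NAME)"),
]

# The automated rule: any execute() whose argument is built with '+' is reported.
CONCAT_IN_EXECUTE = re.compile(r"execute\(.*\+.*\)")
IDENT_AFTER_PLUS = re.compile(r"\+\s*([A-Za-z_]\w*)")
IDENT_BEFORE_PLUS = re.compile(r"([A-Za-z_]\w*)\s*\+")
CONSTANT_DEF = re.compile(r'^([A-Z][A-Z0-9_]*)\s*=\s*"[^"]*"\s*$')


def scan(source):
    """Automated pass over every line; returns the findings the tool would report."""
    return [(path, line, stmt) for path, line, stmt in source if CONCAT_IN_EXECUTE.search(stmt)]


def module_constants(source):
    """Names bound to a string literal at module level; a reviewer would look these up by hand."""
    names = set()
    for _, _, stmt in source:
        match = CONSTANT_DEF.match(stmt)
        if match:
            names.add(match.group(1))
    return names


def concatenated_names(stmt):
    """Identifiers that appear on either side of a '+' inside the execute() call."""
    inner = stmt[stmt.index("execute(") + len("execute("):]
    return set(IDENT_AFTER_PLUS.findall(inner)) | set(IDENT_BEFORE_PLUS.findall(inner))


def triage(findings, constants):
    """Manual-style follow-up: concatenating only module constants cannot carry attacker input,
    so such a finding is a false positive; anything else stays a true positive for fixing."""
    verdicts = {}
    for path, line, stmt in findings:
        tainted = concatenated_names(stmt) - constants
        verdicts[f"{path}:{line}"] = "true positive" if tainted else "false positive"
    return verdicts


if __name__ == "__main__":
    findings = scan(SAMPLE_SOURCE)
    for location, verdict in triage(findings, module_constants(SAMPLE_SOURCE)).items():
        print(f"{location}: {verdict}")
```

The scanner reports both execute() calls that use concatenation; only the one joining a request parameter is exploitable, while the report query joins a fixed table name. The triage heuristic is itself deliberately shallow (a "constant" could be reassigned elsewhere, or the parameter could be validated upstream), which is exactly why a human still reads each finding before it is accepted or closed.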
HP's and IBM's drive to acquire security testing technology should be seen as proof of the increased importance and awareness of the need for broader security testing efforts.
www.insecuremag.com 35