Security Testing is a business essential

By Sai Chintala, Senior Vice President, Enterprise Solutions, Cigniti Technologies

As enterprises leverage the convergence of cloud, mobility, social computing and web applications, one area that concerns everyone is application and data security. Security of the applications, privacy of the data, and confidentiality of the information published and subscribed are the three important considerations for a secure business environment.
A research report from Gartner states that by 2016, 40 percent of enterprises will mandate independent security testing as a precondition for using any type of cloud service. It also states that enterprises evaluate cloud services for their ability to resist security threats and attacks. Inspectors’ certifications will eventually become a viable alternative to, or complement, third-party testing. Instead of requesting third-party security testing on the enterprise’s behalf, the enterprise will be satisfied by a cloud provider’s certificate stating that a reputable third-party security vendor has already tested its applications.

Just as the world is recovering from the devastating HeartBleed bug, last month the Wall Street Journal reported that Institutional Shareholder Services (ISS) has taken “the unusual step of recommending that Target Corp. shareholders oust seven of the company’s 10 directors, citing the board’s failure to manage risk and protect the retailer from a massive data breach.”

Security testing is a process in which the assets and IP of an organization are examined for weaknesses, loopholes and vulnerabilities that could inadvertently disclose sensitive information, allow unauthorized access, or permit impersonation, any of which can lead to identity theft, financial losses and damaged brand reputation.
There are several automated tools that can be used for performing security testing. However, these tools are often incapable of identifying semantic flaws. It has been predicted that attacks in the future will be much more intelligent and aggressive, and automated scanners or tools may fail to detect them unless human monitoring and intervention is in place.

Irrespective of the business type, many organizations are targeted by hackers. Most attacks succeed due to a lack of security awareness or due to an oversight by the administrator or employees. Nowadays, administrators depend on automated devices, but what they fail to understand is that these expensive devices also produce false positives. There is also a possibility that a hacker’s activity is picked up by the device but the admin discards the alert as a false positive.

It is recommended to adopt technologies that can help mitigate risks and attacks. Some of the key technologies include basic security controls (WAF, IDS/IPS, SIEM), incident and event management, vulnerability and risk management, and a security matrix.
Earlier, a deployment used to be a single web application hosted on a server. Now, with cloud hosting, multiple web applications are hosted on, and share, the same server. This scenario poses a greater threat, because even one vulnerable application among those hosted can endanger the rest.

From a security point of view, and according to OWASP, the risk involved in cloud applications raises concerns such as:
Accountability: If there is a breach of data, who would be responsible for it?
Assume that one of the applications hosted on the shared cloud is vulnerable to SQL injection, enabling unauthorized access to that application’s database (which is, of course, in a shared environment). That single flaw can compromise the whole server, which holds multiple databases.
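The SQL injection scenario above, shown as the vulnerable lookup beside its parameterized replacement, with the regression check a security test suite would run against both. This is an added illustration, not code from the article or from Cigniti; the `users` table, its two rows and the function names are constructed for the example.

```python
import sqlite3

# Constructed in-memory database standing in for one tenant's database on the
# shared server described in the article; the rows are sample data.
def make_sample_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn

# Vulnerable form (kept vulnerable on purpose): the caller's input is spliced
# into the SQL text, so the input can change the structure of the query.
def find_user_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    sql = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()

# Hardened form: the input travels as a bound parameter, so the database engine
# only ever compares it as a value and never parses it as SQL.
def find_user_safe(conn: sqlite3.Connection, username: str) -> list:
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()

# Regression check for a security test suite: input that contains SQL syntax
# must not widen the result set beyond an exact username match. Returns True
# when the lookup under test behaves correctly.
def injection_regression_passes(lookup) -> bool:
    conn = make_sample_db()
    probe = "x' OR '1'='1"   # a constructed input with no matching username
    return lookup(conn, probe) == []

if __name__ == "__main__":
    print("vulnerable lookup passes:", injection_regression_passes(find_user_vulnerable))
    print("safe lookup passes:", injection_regression_passes(find_user_safe))
```

The check is deliberately written against the function's behaviour rather than its source text, which is the DAST perspective the article describes later: a tester with no access to the code can still observe that the vulnerable version returns every row for a username that does not exist, while the parameterized version returns nothing.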

Regulatory Compliance:
Data that is perceived to be secure in one country may not be perceived as secure in another, due to differences in regulatory laws across countries or regions. For example, the European Union has very strict privacy laws, so data stored in the US may not comply with those EU laws.

User Privacy and Secondary Usage of Data:
User data is often stored in the cloud. Hence, when we browse, some secondary services may leverage this data to their advantage and compromise user privacy.

As enterprises become techno-savvy, the need for BYOD (Bring Your Own Device) has increased. BYOD brings numerous security threats, such as data security, ownership of the IP on the device, and loss of the device itself. Hence, it is important to have seamless and secure connectivity.

Over time, wireless communications have evolved from Bluetooth through 4G, taking connectivity to the next level. Being an open-standard protocol, Wi-Fi is more prone to threats and network vulnerabilities such as sniffing, rogue APs, PSK weaknesses and many more. Hence, more care needs to be taken while setting up and granting access to wireless devices.

Insecure data storage:
The major risk plaguing mobile device security is insecure data storage. Not many are aware that data stored on mobile devices is in clear text by default, and very few apps enforce data encryption. In the case of laptops we have software to encrypt the hard drives. However, on mobile phones the only way to protect data is to have a screen lock in place. In the event of theft, the data can be extracted from the device using forensic software.

Growing trends in Security:
More organizations now ask for VAPT reports for third-party applications. Most enterprises now ask for a third-party VAPT assessment report before implementing new cloud technologies or solutions. Nowadays it has become mandatory for cloud solution providers to supply third-party VAPT reports as part of the sales process.
Enterprises prefer to engage security testing experts from independent software testing companies to get the following types of test performed:
1. Dynamic Application Security Testing (DAST)
2. Static Application Security Testing (SAST)
3. Interactive Application Security Testing (IAST)

DAST is the most popular form of testing for application security and continues to be so. This approach provides a perspective on how an external attacker who doesn’t have access to the code would try to compromise the application. Organisations are increasingly willing to provide client-side binaries for testing, and this is one of the reasons why SAST is being implemented and adopted rapidly.
Being a new approach, IAST is implemented by organisations that are sensitive towards security and are at a higher maturity level. IAST can be regarded as the hybrid model of SAST and DAST.