Tuesday, January 30, 2007

The difference between Security Assessments and Penetration Tests

Update 02/02/2007: The Mike Rothman (Pragmatic CSO) posted a simple way to explain the differences and also provides further insights. "Assessments give you an idea about all the POTENTIAL holes. Pen tests prove whether the holes are in fact actionable."

Security Assessments
and Penetration Tests are infosec industry terms commonly and erroneously used interchangeably. This causes confusion for business owners who are trying to figure out what solution they need to protect their Web businesses. For starters, security assessments are thorough evaluations of a website to validate security posture and/or detect ALL the possible weaknesses. Penetration tests simulate a controlled (internal/external) bad guy website break-in with the goal of achieving a certain level of system/data access. Both methods are acceptable and add a lot of benefit if implemented properly and at the right time.

Security Assessments
There are number of methodologies for performing website security assessments including black box vulnerability assessments, source code reviews, threat modeling, configuration audits, etc. and some engagements may use combinations. Security assessments are invaluable for understanding what you own and the current security posture. This information is helpful in making educated decisions and applying the appropriate resources that’ll make the most meaningful impact.

Penetration Tests
A pen-test team’s job is to break into a website, using whatever parameters they’ve been given, and gain access to the designated data they shouldn’t be able to obtain. They’ll exploit whatever vulnerabilities they need, but they’re NOT responsible for finding all the issues. The benefit is understanding how resilient your website is to determined attackers. At the end you should have interesting results and purpose built exploit code examples that tell a compelling story.

The trick to choosing between the two is really understanding your business needs, requirements, and the value of what your’re protecting. If there is any resource to help you do that, it’s Pragmatic CSO. For those new to web application security, assessments are the way to go. Statistically most websites are known to be insecure so a pen-test isn’t going to be of much value at the start and you’d be better served by something more comprehensive. The second trick is properly setting the scope between you and the vendor which may include IP ranges, hostnames, level of testing depth, time frame, frequency, costs, reporting, solutions, re-testing, etc.

The rate of web application code change remains unrelenting and still only a relatively small percentage of websites are in fact professionally tested for security. As anyone can imagine this drastically increases the likelihood of security vulnerabilities and eventually leads to compromise. Good news for criminals, bad news for customers and website owners. Thankfully there’s been a marked improvement of widely disseminated knowledge and a larger awareness of web application security issues. Web application security is no longer a dark and mysterious art only known to a select few insiders. Novices, with no more skill beyond they’re web browser, now easily master powerful tricks-of-the trade from readily available books and whitepapers.

Two things that stand out in my mind:

1) Security assessment methodology has increased from a few thousands unique tests to tens-of-thousands on the average website.
2) The technical skills required to perform a good security assessment has actually increased rather than diminished!

Conclusion: Experience Counts
To comprehensively assess the security of a website, a tester must be adept at the known 24 classes of attack (WASC Threat Classification). Additionally, they need to be comfortable in applying potentially hundreds of attack combinations described in scattered books and research papers. This type of expertise is developed over time while exposed to hundreds of assessments and practicing exploiting real-world websites. You want someone understands your business and provide value in those terms.

Qualified security testers need the necessary skills to recommend appropriate solutions in a variety of given situations. Every website’s security requirements are different and the particular circumstances must be taken into consideration. Identical vulnerabilities may be resolved in any number of acceptable ways. The testers job is to find the right combination of solutions to effectively mitigate risk. Otherwise you may end up with a time consuming and expensive false sense of security.

The best testers are familiar with a few operating systems (Unix variants, Windows), several programming languages (Java, C, Perl, ASP, PHP, C#, HTML, JavaScript), a couple web servers (Apache/Microsoft IIS/iPlanet), some application servers (ASP.NET, J2EE, ColdFusion, WebSphere, etc.), and a handful of databases (MySQL, Oracle, Access, SQLServer). In web application security, experience counts and it’s become essential to work in teams.

No comments: