Last week an article appeared in CIO, An Introduction to the Murky Science of Web Application Security, where none other than Simson Garfinkel interviewed yours truly. Simson is a notable name in the information security arena: he has a reputation for being VERY direct with vendors, authored the first book I ever read on web security, and most importantly really knows his technology. Oh, did I mention that he admits he’s never been a fan of penetration testing? Going in I knew I had my work cut out for me, but I was excited by our first meeting and didn’t know quite what to expect.
What you might find interesting about the article are the descriptions of the types of vulnerabilities we routinely identify and the odd situations we encounter when doing so, for example when vulnerabilities spontaneously open and close from scan to scan, or reopen months later for no apparent reason. Overall Simson did a really good job highlighting the more important aspects of the field in an easy-to-understand way that CIOs can digest. Then this quote really made my day:
"I’ve never been a big fan of penetration testing, but the two hours that I spent talking with Grossman convinced me that it’s a necessary part of today’s e-commerce websites. Yes, it would be nice to eliminate these well-known bugs with better coding practices. But we live in the real world. It’s better to look for the bugs and fix them than to simply cross your fingers and hope that they aren’t there."