Action without planning is the reason for every failure. Those words from success expert Brian Tracy ring true in so many of the Web security assessment projects I've both witnessed and been involved in.
Time management experts say that one minute of planning saves us five minutes in execution. That's a 500% return on our time. This sounds too good to be true, but it's not. I'll give an example of this practice in action in this tip. Then, I'll lay out 10 best practices for successfully assessing applications' Web security.
A software project leader just told me a related story, in which she detailed how much time she and her team spend on planning IT and security-related projects before they ever do a thing. She said this planning not only helps get management buy-in and helps set everyone's expectations going in, but it also really makes a positive difference in the outcome of their projects. This thoughtful planning showed in their security assessment results.
If you're truly willing to fight the urge for instant gratification and instead put the time in up front to plan things out, it's virtually guaranteed that your Web security assessment projects will run smoothly, uncover the things that matter, and finish on schedule to boot.
Whether you'll be doing the testing on your own or hiring an outside expert, you must diligently plan things out and get all the right people on the same page. Here are 10 best practices for planning Web security assessment project. I've learned over the years that you can't afford to skip these steps.
- Who is this project going to affect (before, during, and after) and can we get them in on the planning phase? Many people such as developers, marketing, and DBAs are often overlooked but need to be included.
- What compliance-related laws and regulations are applicable here? Are we overlooking any requirements in that area? PCI DSS is the obvious one here but there are many others including HIPAA, GLBA, and even SOX.
- Are we going to look at the system as an untrusted outsider, a trusted user, or both? Management may trust users of the system which is a dangerous way of doing business. Even worse are the vulnerabilities a trusted user could exploit you may overlook by not doing authenticated testing.
- Will a simple vulnerability scan suffice (i.e. for PCI DSS compliance) or do we also need to perform an in-depth manual analysis to uncover the "other half" of the vulnerabilities that scanners won't find? To me including manual analysis using a malicious mindset is the only way to do it – if you want to do it right. Is it going to be okay to let vulnerability scanners submit forms which could create database entries and potentially thousands of emails to multiple people? This is a side-effect that's often discovered once it's too late. It's good to know going in so you can create preventative measures to block such data and emails or at least set expections. When can the automated scanning be done? Commercial vulnerability scanner tools – when used properly – can be tweaked to minimize the impact on your Internet connection and server environment. How often are status updates going to be given? I've found it to be not only the courteous thing to do but also an important part of keeping people in the loop in these often complex projects. Will an initial findings report be delivered to the key players before the final draft report is created? If so, when? Just be patient and try to hold off requesting a bulleted draft report with few details, screenshots, or specific URLs affected. This usually just serves to generate more questions and create more work for everyone involved.
- Is everything in writing? For internal-sourced projects, at least have a documented plan. For outsourced projects, statement of work and signed contract needs to be in place without exception.
- What's the exit strategy? In other words, what's going to happen once the assessment is complete and the report is delivered? This is where many projects fail. It is one thing to find the flaws and then deliver the report but quite another to actually act upon them to ensure the money and effort spent doesn't go to waste.
The hard part of all this is carving out the time up front before getting rolling with your Web security assessment projects. Management support is certainly a key component but it really comes down to self-discipline, as Elbert Hubbard once defined as "the ability to make yourself do what you should do, when you should do it, whether you feel like it or not."
It's the little things that add up. Pay attention to these project details and any others specific to your business and you'll certainly come out on top.
About the author: Kevin Beaver is an independent information security consultant, speaker and expert witness with Atlanta-based Principle Logic, LLC. He has over 20 years experience in the industry and specializes in performing independent information security assessments revolving around compliance and information risk management. Kevin has authored/co-authored seven books on information security including the ethical hacking books, Hacking for Dummies and Hacking Wireless Networks for Dummies (Wiley). He's also the creator of the Security On Wheels IT security audio books.