Showing posts from June, 2012

A stitch in time....

Our traditional approach to penetration testing, even large-scale global penetration testing, is to perform an annual or bi-annual pen test on our web applications. The question is: who said once a year is enough? Most applications undergo at least quarterly updates and changes, if not to provide value for customers then to keep the web applications fresh and to address any (hopefully) minor bugs. Cyber attackers can continuously scan your site to detect changes (code drops) and probe those changes to assess whether any vulnerability has been introduced. Why do we think it is acceptable to perform a time-limited test of an application to help ensure security, when a determined attacker may spend 10-100 times longer attempting to find a suitable vulnerability? The main reasons for a one-off test per year are simply economics:

- Testing takes resources
- Resources cost money
- Resources are scarce
- Push to deploy is stronger than push to secure
- Organisations feel they may be l