How do you handle your web application testing, vulnerability scans, test data and related security assessment reports? I’ve found that this is something that doesn’t get a lot of attention in web application security circles but is still impactful to the business. It’s actually kind of ironic that those of us working in IT and security often forget about what’s at stake if web vulnerability information were to fall into the wrong hands. I should know - I used to take it too lightly and many others still do.
The thing is, everything from passwords to SQL injection requests to hard-coded encryption keys – practically anything imaginable related to web security flaws – is contained in the following files, screenshots and reports:
- Web vulnerability scan files (the raw data such as .wvs files in Acunetix Web Vulnerability Scanner)
- Web vulnerability scanner reports (e.g. PDF and HTML files)
- Screenshots of exploits
- Proxy log files
- Username and password dictionaries
- Final web application testing reports containing specific findings and methods of exploitation
The risk is increased when all of this information is scattered about on multiple systems – especially once it makes its way to unencrypted laptops and data backups, third-party email systems and under-protected mobile devices (and trust me, it will). Even hard copies of web application testing reports can create business risks. I see those being tossed around to third parties quite often like it’s no big deal at all.
You can have the best NDA (Non-Disclosure Agreement) in the world but that’s not going to keep this information under wraps. What’s required is for all the parties involved to take the proper steps to keep this information in check. Depending on your unique situation, you may have a few other options. You can de-identify the data within the scan files and reports before handing them over. Operating system, database and application privilege levels can also be set to ensure that only those with need-to-know access can view this sensitive information.
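As an added example (not from the original post) of the de-identification step mentioned above, here is a small Python script that blanks credential-bearing headers and parameters and replaces hostnames with salted pseudonyms before a finding leaves your hands. The finding records, their field names and the salt are all constructed assumptions, not any scanner's real export format.

```python
import hashlib
import json
import re

# Constructed sample records in a minimal JSON-like shape; not a real scanner export format.
SAMPLE_FINDINGS = [
    {"host": "app.example.internal", "type": "SQL injection", "request":
     "POST /login HTTP/1.1\r\nHost: app.example.internal\r\nCookie: session=abc123\r\n"
     "Authorization: Basic dXNlcjpwYXNz\r\n\r\nuser=admin&password=S3cret!&id=1' OR '1'='1"},
    {"host": "app.example.internal", "type": "Reflected XSS", "request":
     "GET /search?q=<script>alert(1)</script>&token=tok-9f8e HTTP/1.1\r\nHost: app.example.internal\r\n\r\n"},
    {"host": "api.example.internal", "type": "Verbose error", "request":
     "GET /v1/debug?key=k-0000 HTTP/1.1\r\nHost: api.example.internal\r\n\r\n"},
]

SENSITIVE_PARAMS = ("password", "passwd", "pwd", "token", "key")   # form/query names to blank
SENSITIVE_HEADERS = ("authorization", "cookie", "set-cookie")      # header values to blank
PARAM_RE = re.compile(r"(?i)\b(" + "|".join(SENSITIVE_PARAMS) + r")=[^&\s]*")

def pseudonym(host, salt):
    """Stable tag for a hostname: the same host gets the same tag in every finding,
    so the recipient can still correlate issues, but cannot reverse it without the salt."""
    return "host-" + hashlib.sha256((salt + host).encode()).hexdigest()[:8]

def redact_request(raw, host_map):
    """Blank credential-bearing headers and parameters, then swap hostnames for tags.
    The payload itself is kept because the finding is meaningless without it."""
    lines = []
    for line in raw.split("\r\n"):
        name, sep, _ = line.partition(":")
        if sep and name.strip().lower() in SENSITIVE_HEADERS:
            line = f"{name}: [REDACTED]"
        lines.append(line)
    text = PARAM_RE.sub(r"\1=[REDACTED]", "\r\n".join(lines))
    for host, tag in host_map.items():
        text = text.replace(host, tag)
    return text

def deidentify(findings, salt):
    """Return a copy of the findings safe to hand to a third party; keep the salt yourself."""
    host_map = {f["host"]: pseudonym(f["host"], salt) for f in findings}
    return [{"host": host_map[f["host"]], "type": f["type"],
             "request": redact_request(f["request"], host_map)} for f in findings]

if __name__ == "__main__":
    print(json.dumps(deidentify(SAMPLE_FINDINGS, "constructed-salt"), indent=2))
```

The salt stays with the report owner; with it you can map a tag back to the real host when a recipient asks about a specific finding.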
In the end, you’re not going to have complete control of the information resulting from your web application testing. You’ll have to trust people to do the right things. Unfortunately, that’s where businesses often get themselves into trouble. Thus the cycle of information security and managing risks continues.