I’ve heard experts in time management say that one minute of planning can save you five minutes in execution. This applies to so many things we do in IT and information security but I can’t think of anything more important than security testing. Applying the 80/20 rule to this scenario, the first 20 percent of the time you spend planning your security testing will be worth 80 percent of the value of the project. Even if this is only partially true, we'd be crazy to not take some time up front to properly plan out our testing projects.
Planning out your Web testing starts with your initial scope. You have to ask yourself – and ideally other key people in the business that have a stake in this – what exactly needs to be tested? Specific questions you’ll want to answer include:
- What are we trying to do? What’s our ultimate goal with this testing?
- How many unique intranet and Internet-based Web sites/applications need to be tested?
- What platform(s) are these sites/applications based on?
- What client-side technologies are being used?
- Do we need to look at the systems from the perspective of an untrusted outsider only or should we also look at things from the perspective of a trusted user or users?
- Approximately how many pages does each system have including both static and dynamically generated pages?
- How many Web services exist that need to be tested? Hint: you need to test all of them.
- Are we just going to run scans (unauthenticated and/or authenticated) or are we going to dig in further with manual analysis? What tools will be needed?
- How much time is everything going to take? Hint: Add 25% to your estimate and you should be on target.
Answering these general questions in advance will put you on the right track for ensuring you get the most out of your Web security testing.
Arguably the most important thing to keep in mind is that, in the real world, anything goes. I strongly believe that you need to focus your Web security testing efforts where the money is first. But, ultimately, you need to branch out and look at everything…from every perspective. Long term, you’ll want to look at all of your Web-based systems – especially those that are facing the outside world. This includes Web servers/interfaces on routers, firewalls, wireless access points, Outlook Web Access and so on.
Don’t underestimate the value and impact that internal Web sites and applications have on your business either. Just because a system is on the inside doesn't mean it's not going to be exploited by a trusted employee or an outsider with ill-intent and the means to access it. Ditto with Web servers/interfaces/applications on the LAN such as CCTV surveillance systems, storage management interfaces, copiers, printers and the like.
You have to be smart about scoping your Web security tests. Never forget that the bad guys know no limits when they’re trying to manipulate and exploit your Web-based systems. Why should you? The general rule of thumb is if it has a URL then it’s fair game.