Finding Web Flaws is not just Point and Click

Successful web security testing is not as simple as point and click. Unfortunately, many people treat it as such. The thought process goes something like this:

1. Load web vulnerability scanner.
2. Enter URL to scan.
3. Click Go.
4. Generate report for the auditors.
5. Be done with it until next month.

Don’t get me wrong. I’m not saying you should be without good tools. No security professional in a reasonable state of mind would commit to finding flaws in a web system without the help of a web vulnerability scanner. I know I’m not that good. I’m not sure anyone is. Even if they were, who has the time?

The problem is that the path of least resistance is often taken in web security testing. It’s not good for business, especially if your goal is to minimize your web-related risks. Even when it comes to the web vulnerability scanner itself, many assume that “free” is good enough: simply download the latest open source tool, run it without any knowledge of how it works or what it covers, and that’ll suffice.

Such an approach is usually taken in the name of PCI DSS or a similar compliance regulation. And sadly, it works. The majority of the time, a check box will be checked, auditors will be satisfied, and management will continue to assume that all is well in IT.

There are several factors at play here that we must balance on an ongoing basis, including budget, time, staff skill levels, and management support. These are all understandable constraints that everyone must deal with. Regardless of the circumstances, there’s no reason that simple point-and-click scans should be the extent of your web security testing.

That said, I can follow the logic a bit. I’ve run plenty of web scans that turn up the same results over and over and over again. For old systems that aren’t being updated and are considered lower risk, what’s the incentive to do more and more security testing when the pay-off is less and less? The inclination is to stop throwing resources at a problem that doesn’t really appear to be a problem. At least that’s often how management sees it.

The business bottom line is what counts. I certainly can’t argue with that, but it sure does create a lot of complexity. It’s such a fine line between doing what’s right and doing what’ll help you get by. Expediency fuels business. But don’t blame the business for that. Immediate gratification is a core human desire. We must balance it with reason and logic if we don’t want it to get out of hand.

So where do you draw the line? What’s “good enough” web security for your business? I’m here to tell you that simple point-and-click scans with no tweaking of the scanner, no contextual insight into the web systems you’re testing, and no real common sense are a recipe for mediocrity. And mediocrity will be exposed, and exploited, eventually.

Kevin Beaver

Kevin Beaver, CISSP is an independent information security consultant, writer, and professional speaker with Atlanta, GA-based Principle Logic, LLC. With over 32 years in IT and 26 years in security, Kevin specializes in vulnerability and penetration testing, security program reviews, and virtual CISO consulting work to help businesses uncheck the boxes that keep creating a false sense of security.