Take Care in Handling the Results of your Web Application TestingHow do you handle your web application testing, vulnerability scans, test data and related security assessment reports? I’ve found that this is something that doesn’t get a lot of attention in web application security circles but is still impactful to the business. It’s actually kind of ironic that those of us working in IT and security often forget about what’s at stake if web vulnerability information were to fall into the wrong hands. I should know – I used to take it too lightly and many others still do.

The thing is, everything from passwords to SQL injection requests to hard-coded encryption keys – practically anything imaginable related to web security flaws – is contained in the following files, screenshots and reports:

  • Web vulnerability scan files (the raw data such as .wvs files in Acunetix Web Vulnerability Scanner)
  • Web vulnerability scanner reports (i.e. PDF and HTML files)
  • Screenshots of exploits
  • Proxy log files
  • Username and password dictionaries
  • Final web application testing reports containing specific findings and methods of exploitation

The risk is increased when all of this information is scattered about on multiple systems – especially once it makes its way to unencrypted laptops and data backups, third-party email systems and under-protected mobile devices (and trust me, it will). Even hard copies of web application testing reports can create business risks. I see those being tossed around to third parties quite often like it’s no big deal at all.

You can have the best NDA (Non-Disclosure Agreement) in the world but that’s not going to keep this information under wraps. What’s required is all the parties involved taking the proper steps to keep this information in check. Depending on your unique situation, you may have a few other options. You can de-identify the data within the scan files and reports before handing them over. Operating system, database and application privilege levels can also be set to ensure that only those with need to know access can view this sensitive information.

In the end, you’re not going to have complete control of the information resulted from your web application testing. You’ll have to trust people to do the right things. Unfortunately, that’s where businesses often get themselves into trouble. Thus the cycle of information security and managing risks continues.

To receive the latest updates relating to the website security industry, ”Like” the Acunetix Facebook Page, follow us on Twitter, and read the Acunetix Blog.

SHARE THIS POST
THE AUTHOR
Kevin Beaver

Kevin is an information security consultant with 30 years experience, providing independent security assessments and penetration tests, security consulting and virtual CISO services, writing and security content development, and speaking engagements keynotes, panel discussions, and webinars.