Periodic and consistent security checks – that’s the recipe for effective Web security, right? We hear this “best practice” recommendation all the time. It’s true, but what exactly does it mean? How often do you really need to test your websites and web applications? Do you go by what the PCI Security Standards Council recommends? Probably not. Perhaps your internal auditor or compliance manager knows best? Possibly. Maybe you should buy into the sky-is-falling scare tactics that some people in our field like to spread around and do nothing but Web security testing 24/7. Not a chance.

The reality is every environment is different and every business has a unique set of needs. No one knows what these things are better than you. You presumably know the level of risk your business is willing to tolerate. You know what management is expecting (or at least should be expecting). You understand the complexity of your environment. You understand which systems are critical and which ones may not matter quite as much. You’re familiar with where PII is located. You know exactly what’s accessible from the LAN and the Internet. You understand what level of resources you have at your disposal and, therefore, how much time and focus you can give to Web security testing.

Taking all of this into consideration, only you know what you’re up against and what testing schedule is going to work best in your environment. You may need to test your web applications monthly. You may find that running monthly security scans combined with quarterly manual analysis is a good fit. Or perhaps doing everything quarterly or bi-annually works best. The important thing is to come up with a schedule and stick with it while, at the same time, being flexible enough to run ad-hoc tests when they’re needed. That’ll at least put you ahead of the large percentage of businesses that ignore the security of their Web environments altogether.

As you’re planning out your strategy, keep in mind the following recipe that’s required for reasonable long-term Web security:

1. Know what you’ve got

2. Understand how it’s at risk

3. Do something about it

This means you need to make sure you’re looking at all the right systems in all the right ways and taking the appropriate actions to fix the problems you uncover. You don’t have to drain the ocean all at once by testing every single site and app. Simply getting started on the urgent and important systems to begin with and then building out your security testing program to eventually reach into every nook and cranny that matters is a good approach.

Your security testing schedule – the mere quantity of tests you perform – is not as important as the quality of the tests. Experience can be bad or good. Like golf, you can have years and years of playing experience, but that doesn’t mean your game is worth a hill of beans. The important thing is to step back and look at the big picture. Get the right people in the business involved and determine what’s best for your specific needs. You’ll likely see that those needs don’t fit into everyone’s ideal mold.

Kevin Beaver

Kevin Beaver, CISSP is an independent information security consultant, writer, and professional speaker with Atlanta, GA-based Principle Logic, LLC. With over 32 years in IT and 26 years in security, Kevin specializes in vulnerability and penetration testing, security program reviews, and virtual CISO consulting work to help businesses uncheck the boxes that keep creating a false sense of security.