As I’ve written about scoping your Web security tests in the past, it’s not something to be taken lightly. Interestingly, there’s one aspect of Web security testing where I’m still seeing a big disconnect. The issue is how many critical Web systems are being dismissed (“That one’s going away soon.”) or overlooked (“Oh, yeah, I forgot about that one!”) and aren’t being tested.

Whether you’re scoping Web security assessment for your own business or for your external clients, you’ve got to make sure that everything of significance is included in your projects. Even if you’re in charge of everything at a small shop, it’s easy for a system here or there to fly under the radar.

Some Web systems you can’t afford to not test include:

  • Staging and development systems that are slightly outdated mirrors of production (and often process actual production data)
  • Extranet/B2B systems
  • Customer service sites
  • Support portals
  • Content management systems
  • Websites and applications running on separate, non-standard domains
  • Websites and applications hosted by third-parties that you’re still in charge of

Just when you think you’re looking at all the right systems in all the right places, you’ll no doubt come across one or more that you either weren’t told about or have forgotten about.

Ensuring you’re including everything in your Web security testing projects is like ensuring you’ve included every possible tax deduction at tax time. In so many situations we’re leaving money on the table and someone else gets to take advantage of it. This goes back to having good documentation. I know it sounds trite but having current network diagrams, host and application inventory spreadsheets, information flow diagrams and the like is absolutely critical for ensuring you’re not overlooking anything.

Work with your network infrastructure staff. Get on board with your software development and QA teams. Double-check with your clients to make sure you’ve got a comprehensive list of every system that needs to be tested. It’s as simple as that, but unfortunately, it’s something that’s taken for granted all too much.
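One practical way to do that double-check is to reconcile the host/application inventory you get from infrastructure, development and QA against the scope list the project was handed, and flag every system that is in the inventory but not in scope. The script below is an added example, not code from the original article; the inventory columns, hostnames and scope entries are constructed sample data, and the reasons it attaches (non-production, non-standard domain, third-party hosted, marked as going away) mirror the categories of easily overlooked systems listed above.

```python
"""Reconcile a host/application inventory against a Web security test scope.

Added example; the CSV layouts, column names and hostnames below are
constructed assumptions, not data from any real environment.
"""
import csv
import io

# Constructed sample inventory, shaped like an inventory spreadsheet exported
# to CSV (column names are assumptions).
INVENTORY_CSV = """\
hostname,application,environment,hosted_by,notes
www.example.com,storefront,production,internal,
staging.example.com,storefront,staging,internal,mirror of prod with live data
partners-b2b.example.net,partner portal,production,internal,
support.example-help.com,support portal,production,third-party,vendor-hosted
cms.example.com,content management,production,internal,being decommissioned
legacy-svc.example.org,customer service,production,internal,
"""

# Constructed scope list as handed to the tester: only the obvious systems.
SCOPE_CSV = """\
hostname
www.example.com
partners-b2b.example.net
"""

PRIMARY_DOMAIN = "example.com"  # assumed main domain for the business


def load_inventory(text):
    """Parse the inventory CSV into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))


def load_scope(text):
    """Parse the scope CSV into a set of lowercased hostnames."""
    return {row["hostname"].strip().lower()
            for row in csv.DictReader(io.StringIO(text))}


def classify(row, primary_domain):
    """Return the reasons this system tends to be overlooked during scoping."""
    reasons = []
    host = row["hostname"].strip().lower()
    env = row["environment"].strip().lower()
    if env != "production":
        reasons.append(f"non-production environment ({env})")
    if host != primary_domain and not host.endswith("." + primary_domain):
        reasons.append("non-standard domain")
    if row["hosted_by"].strip().lower() != "internal":
        reasons.append("hosted by third party")
    if "decommission" in row["notes"].lower():
        reasons.append("flagged as going away")
    return reasons


def find_untested(inventory, scope, primary_domain=PRIMARY_DOMAIN):
    """Return {hostname: [reasons]} for every inventoried system not in scope."""
    gaps = {}
    for row in inventory:
        host = row["hostname"].strip().lower()
        if host not in scope:
            gaps[host] = classify(row, primary_domain)
    return gaps


def main():
    inventory = load_inventory(INVENTORY_CSV)
    scope = load_scope(SCOPE_CSV)
    gaps = find_untested(inventory, scope)
    print(f"{len(gaps)} of {len(inventory)} inventoried systems are not in scope:")
    for host, reasons in sorted(gaps.items()):
        flags = "; ".join(reasons) if reasons else "no special flags, still untested"
        print(f"  {host:<28} {flags}")


if __name__ == "__main__":
    main()
```

With the constructed data, four of the six inventoried systems fall outside the scope list: the staging mirror, the vendor-hosted support portal on a separate domain, the CMS that is "going away", and a customer-service host on a non-standard domain. The point is that the inventory, not the scope list, is the source of truth; the script only makes the gap between them visible so that leaving a system out becomes a deliberate decision rather than an oversight.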

Web security testing is difficult enough as it is. The last thing you need to do is overlook a critical system that’s gone untested for an untold amount of time. You’ll no doubt have systems with differing priorities. Just make sure you’re the one in control and making those decisions rather than some criminal hacker with nothing better to do. Focus on your most important systems first but every system (especially those that are publicly-accessible) needs to be looked at eventually. All it takes is one seemingly benign, untested and vulnerable website or application to get your business into a bind.

Kevin Beaver

Kevin Beaver, CISSP is an independent information security consultant, writer, and professional speaker with Atlanta, GA-based Principle Logic, LLC. With over 32 years in IT and 26 years in security, Kevin specializes in vulnerability and penetration testing, security program reviews, and virtual CISO consulting work to help businesses uncheck the boxes that keep creating a false sense of security.