Hit and run pentesters — the cycle repeats
I just read an excellent post by Mark Curphey on “The types of testing,” part 2 in his 5-part series on “The Art of Scoping Application Security Reviews.” Dre responded with some good commentary almost as long as the original post. One quote towards the end got to me:
It ceases to amaze me that people want to do review after review, quarter after quarter, year over year - for the same clients. Why allow these [helpless?] organizations to continue to make the same mistakes? In your first part of this series, you mentioned the business aspect about submitting defects into an issue tracking system instead of providing a report that is likely to sit on a desk and collect dust. I say go even further!
If your company contracts out, over and over again, to the same vendor for security reviews, and each report comes back looking almost exactly the same with a different date or site, you need help! Have a couple of lead developers and security guys sit down with the testing team and go over some methodologies and standards for reducing those flaws. If a vendor is really worth their salt, they will want to help you. This is a win-win situation, because your developers won’t put out so many of the same flaws, and two, the vendor will be able to concentrate more on less common/perhaps more critical vulnerabilities.

Sometimes companies only pay for the report, but don’t want to go further. Some reviewers don’t feel comfortable saying, “Ok, we found all this wrong, now hire us to fix it,” without sounding a little fishy or self-serving. Keep going down that road, and we’re looking at outsourcing security/IT operations to dedicated shops. (Not a bad idea, imo.)
I’ve not read the original post, but I can totally understand why some reports rehash the same old stuff. Until these come in, developers and admins aren’t sitting around bored, and changes sometimes mean some money spent or significant time that needs to be written off somewhere and at some time.
Likewise, developers worth their pay will be willing to learn more and improve their code (unless they work in extremely oppressive shops, which happens a LOT), but sometimes that sort of training can’t get properly done without some facetime with trainers or testers.
Yes, I’m playing a bit of devil’s advocate. :)
BTW, on IE6 this comment box is way below the right menu list.
There is no reason that an IT/Operations team can’t boot the SOX CD from the Syngress book on Sarbanes-Oxley and be up and running with change control for issues that come out of system/network pen-tests within 30 days, including full patch and vulnerability management. If you can’t - you need to hire somebody to do this, especially if SAS70 or SOX are on the radar. Even if they are off the radar, do yourself a favor and just do it.
Additionally, there is no reason that a development team can’t boot the Buildix CD from ThoughtWorks and get running with issue/defect tracking within 30 days, including continuous integration and continuous-prevention development. And to the same effects as network/system security, if not more.
As a code reviewer or pen-tester, I wouldn’t leave an engagement without these basics covered. In fact, it’s difficult to start one without them. I would rather walk into an environment and perform a solo, one-day strategy consulting engagement than start a 2-week, 2-person assessment and run into several barriers (and at over 7.5 times the cost).