Thursday, June 16, 2011

The Value of Pen Testing

Recent attacks on Citibank and the IMF have attracted a good deal of attention, both by the press and by security experts. Quite different views of those attacks are emerging.

In the press, the attacks are often characterized as advanced and sophisticated. They are said to be difficult to protect against - hazards of the modern age of web-based cloud computing.

On the other hand, some experts see the attacks as more of the same old story, in this case exploiting a very common vulnerability known as insecure direct object references (IDOR). These arise when an application puts a reference to an internal object, such as an account number, a database key or a file name, directly into a URL or form parameter and then serves that object without checking that the logged-in user is actually entitled to it. An attacker needs no special tools: simply changing the reference in the request yields other users' data. See, for example, this article.

Penetration testing is one of the most effective ways to find insecure direct object references before an attacker does. It involves engaging professional testers to attack the system the way a hacker would: log in as an ordinary user, tamper with the identifiers in requests, and note which ones return someone else's data. Each finding then has to be fixed in the application itself, by enforcing an authorization check on the server for every object reference rather than trusting the identifier supplied by the client.
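The following Python is an added example, not code from the original post or from any of the systems it discusses. It shows the shape of the flaw described above: a vulnerable account lookup that trusts the identifier from the request, two hardened variants (an ownership check, and per-user indirect references), and the probe a pen tester runs against a single logged-in session to discover the flaw. The account store, user names (alice, bob) and account numbers are all constructed for illustration.

```python
"""Insecure direct object reference (IDOR): a vulnerable account lookup, two
hardened variants, and the probe a pen tester runs to find the flaw.

Added example, not code from the original post. The account store, the user
names and the account numbers are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Optional


@dataclass(frozen=True)
class Account:
    number: str   # the direct reference that ends up in URLs such as ?acct=1001
    owner: str    # the customer the account belongs to
    balance: int


# Constructed sample data: two customers, three accounts, sequential numbers.
ACCOUNTS: Dict[str, Account] = {
    "1001": Account("1001", "alice", 2500),
    "1002": Account("1002", "alice", 40),
    "1003": Account("1003", "bob", 9900),
}


def view_account_vulnerable(session_user: str, account_number: str) -> Optional[Account]:
    """Vulnerable: the account number comes straight from the request and is
    used as the database key. Being logged in is the only check, so any user
    can read any account by editing the number in the URL."""
    return ACCOUNTS.get(account_number)


def view_account_hardened(session_user: str, account_number: str) -> Optional[Account]:
    """Hardened: the lookup is bound to the authenticated user. An account that
    exists but belongs to someone else gets the same answer as one that does
    not exist, so the endpoint cannot be used to enumerate valid numbers."""
    acct = ACCOUNTS.get(account_number)
    if acct is None or acct.owner != session_user:
        return None
    return acct


def indirect_references(session_user: str) -> Dict[str, str]:
    """Alternative mitigation: give each user their own indirect references
    ("1", "2", ...) for use in URLs and resolve them server side, so the real
    account numbers never leave the application."""
    owned = sorted(a.number for a in ACCOUNTS.values() if a.owner == session_user)
    return {str(i + 1): number for i, number in enumerate(owned)}


def view_account_indirect(session_user: str, ref: str) -> Optional[Account]:
    """Resolve an indirect reference; anything outside the user's own map is unknown."""
    number = indirect_references(session_user).get(ref)
    return ACCOUNTS.get(number) if number is not None else None


def idor_probe(handler: Callable[[str, str], Optional[Account]],
               session_user: str, candidates: Iterable[str]) -> List[str]:
    """What a pen tester does by hand against a live site: log in as one
    ordinary user, walk neighbouring identifiers, and record every one that
    returns data belonging to somebody else."""
    leaked: List[str] = []
    for number in candidates:
        acct = handler(session_user, number)
        if acct is not None and acct.owner != session_user:
            leaked.append(number)
    return leaked


if __name__ == "__main__":
    probe_range = [str(n) for n in range(1000, 1010)]
    print("vulnerable leaks:", idor_probe(view_account_vulnerable, "alice", probe_range))
    print("hardened leaks:  ", idor_probe(view_account_hardened, "alice", probe_range))
```

Run as a script, the probe reports that alice can read account 1003 (bob's) through the vulnerable handler and nothing through the hardened one. The hardened handler deliberately returns the same "not found" result for a foreign account as for a nonexistent one; answering with a distinct "forbidden" response would still stop the data leak but would tell a tester (or attacker) which account numbers are valid.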

Once again, the risk of so-called sophisticated attacks can be mitigated by using well-established and time-tested techniques such as pen testing.
