That’s where Web application penetration testing tools and services come in. Diana Kelley, VP and service director at Burton Group, says these tools and services conduct automated scans of Web applications that are either in production or just prior to going live, applying threat models and misuse cases to unearth common vulnerabilities. Some of the top 10 flaws defined by the Open Web Application Security Project (OWASP), including SQL injection, cross-site scripting and improper error handling, were until quite recently alien concepts to a lot of people, including developers. In some cases, the tools provide suggested parameters for how to fix these types of problems. (For more about web application vulnerability awareness and its effect on security research, see The Chilling Effect.)

Today, Web penetration testing is considered a key component in ensuring application security, which has become an essential part of enterprise risk management, Kelley says. Or as Joseph Fieman, analyst at Gartner, puts it, “It’s coming down to a race between you and the hackers. Either you use [penetration testing] or the hackers will do it for you.”

According to Gartner, enterprises considering these tools and services should expect substantial market and product consolidation. Acquisitions are likely among the major software development lifecycle (SDLC) platform providers and security vendors, Fieman says. Already the quality-assurance divisions of two heavyweights, Hewlett-Packard and IBM, have bought into the market (acquiring SPI Dynamics and Watchfire, respectively).

Here is advice from CISOs and analysts on how to evaluate and use these tools and services.

Read this full article at CSO Online

Only registered users can write comments.
Please login or register.

Powered by AkoComment!