Slashdot Mirror

← Back to Stories (view on slashdot.org)

Creating a Security Test Environment?

Posted by kdawson on from the as-sure-as-possible dept.

Enderandrew writes "Our IT department has been tasked with creating a list of authorized software, and only allowing software to be added to such a list after it has been thoroughly tested. In theory that sounds like a great idea — but how should we test apps to make sure they are secure? We have tools to scan internal websites, and we use MBSA for our Windows servers. However, I'm turning to Slashdot to ask what are the best methods for creating a test environment where I can analyze apps for security vulnerabilities. We're a multi-platform shop, but my main concern is with Windows apps."

8 of 167 comments (clear)

  1. The only way to be sure... by seanonymous · · Score: 4, Insightful

    You can't be certain unless you have the source code, so tell the folks who are requiring this list to be created that they can say goodbye to Word and Excel.

    1. Re:The only way to be sure... by zappepcs · · Score: 4, Insightful

      That is the problem right there: "a lot of free time" is not what most people have. Scanning the intarwebtubes for reports of vulnerabilities for various applications running on specific OS platforms may bring some results, but to my knowledge there is no unified security test suite benchmark. No matter what you choose, you *WILL* have vulnerabilities. The best you can do is limit those to vulnerabilities you can live with or do not yet know about.

      Better yet is providing a SOP for implementing change/updates to all the 'verified' applications for zero-day exploit patches.

      IBM does some extensive style work on vulnerability as do several others. I think I'd spend my time working on how to patch/update every 'in house certified' application rather than trying to ensure they have no vulnerabilities. The former keeps things good going forward, the latter only ensures past sins are fixed.

      Spend your time where you will, but makes no sense to do extensive in-house testing unless you are writing your own in-house software. Rely on outside testing groups, work with them even. http://www.google.com/search?hl=en&output=googleabout&btnG=Search+our+site&q=software%20vulnerability%20testing%20results results in about 242k hits and 142k for the same with +ibm added http://www.google.com/search?hl=en&q=software+vulnerability+testing+results+%2Bibm&btnG=Search

      --
      Support NYCountryLawyer RIAA vs People
  2. Thoroughly tested by Ngarrang · · Score: 4, Insightful

    Just how thorough of testing is being asked? Some security flaws escape eyes for years (see DNS flaw). Some flaws are obvious. But, in general, you can never be 100% certain of a program be 'secure' unless you know its has passed some milspec cert.

    While optimistic, I think the new policy is a bit misguided in its wording.

    --
    Bearded Dragon
  3. security test environment .. by rs232 · · Score: 4, Insightful

    'what are the best methods for creating a test environment where I can analyze apps for security vulnerabilities. We're a multi-platform shop, but my main concern is with Windows apps..'

    You can't test for security vulns, especially in a Windows environment, as there is so many interlocking components that behave differently depending on the configuration. Introducing a service pack into a previously 'secure' environment and all bets are off. All you can do is patch, patch patch ...

    You could also intalss a second intrusion detection system that monitors the first for unauthorized access and keeps a full audit of access alterations etc. You could also compartmentalize your system so as a breech in a web service doesn't automatically lead to a total system compromise.

    --
    davecb5620@gmail.com
  4. Penetration testing, for starters by cjonslashdot · · Score: 4, Insightful

    You are apparently talking about black-box testing. For starters, you need a security team to perform penetration testing on the apps in a production-like environment. But if you have home-grown software, you need to address the problem of insecure systems being built by your programmers. The programmers need to understand application security. For a somewhat theoretical but still practical treatment, I recommend my own book, High-Assurance Design (Addison-Wesley, 2005). You should also check out Michael Howard's book and his blog. And then there are Gary McGraw's books which address process. - Cliff

  5. An Accountability Sh!tstorm by mpapet · · Score: 5, Insightful

    This is a no-win situation for the persons assigned to certifying an application. I personally have a very hard time communicating with managers who believe, with an unshakable faith, this is a reasonable solution to a perceived problem. When it blows up, MY head rolls, not theirs. The ages-old "Get IT in my office *now*" blame-shifting game.

    The right way to handle this would be to push back hard and explain why this is an epic failure in the making and resources quagmire. That isn't typically a good political solution though.

    I would love some advice as to how to change such foolish thinking.

    Maybe you've got a good thing going there, but if there have been IT organizational changes recently, this may be a harbinger of things to come.

    --
    http://www.maxineudall.com/2010/02/should-economists-be-sued-for-malpractice.html
  6. Fools Errand. by Anonymous Coward · · Score: 5, Insightful

    1) There is no secure software. Just software that doesn't have any known vulnerabilities.
    2) Define 'thoroughly tested'.
    3) White-listing applications is going to cause your company pain as people wait for required tools to become available.
    4) You can't afford to do this yourself.

    Look at it this way. When PHB is shouting for his new shiny piece of software to work, you can bet that 'thoroughly tested' gets severely watered down. You'll be left with some software on the list that has vulnerabilities whilst other people can't get their jobs done because the software hasn't been listed yet. Even if you avoid those pitfalls and manage to 'thoroughly test' each application, how many applications does your company use? Say you can test an application in 2 weeks - For one fulltime employee you'll white-list 24 applications in a year. The fact that you are asking /. for help suggests that you don't have much knowledge or experience in this field, so you're going to have to pay for training or for an employee with that training.

    This model is doomed to failure, and whoever suggested it should be shown the door and replaced with a CISSP qualified guy (or gal). Security is a process, and what you need are tools to help carry out that process. Someone with a CISSP qualification will know where to find those tools.

    Some of those tools might include auditing (to find what applications are in use), firewalls, IDS systems (to detect suspicious traffic), patch management (to mitigate vulnerable software), an intelligence provider (to tell you about new vulnerabilities and patches in a timely manner), a Security Event Management system (to manage security data and drive processes) etc...

    For the record, I am a QA lead engineer with experience in enterprise and industrial security. I do this kind of stuff for a (good) living.

  7. More about knowledge of infrastructure... by maestro371 · · Score: 4, Insightful

    The likely goal (from a management perspective) is to establish an authoritative list to allow for efficient management of vulnerabilities. If you know what's out there and "authorized" you can respond to threats far more quickly than otherwise.

    Your management would be silly to expect you (unless you are an application analysis company) to thoroughly vet every application that comes through the door. It would be a terrible waste of time.

    Do some basic analysis (what ports does it open, does it connect out to other systems, that sort of thing). Beyond that, I believe the value is simply in knowing about the application and being able to track any potential issues.