Chicken or Egg – Selecting Websites for Testing

A question I keep getting hit with (shudder): which applications should you start testing? The context of the discussion is web site security assessment (not unlike penetration testing), namely which websites need a security assessment first.

I keep hearing the same statement (creepy), “it’s like the chicken or the egg,” and then a subtly surprising follow-up to the effect of “I want to assess the sites with the most vulnerabilities.”  I am usually left smiling and blinking widely.  I’m not calling any single conversation out; I have literally heard this question a dozen or so times in the last month (again, some of these calls are kind of like Groundhog Day).

“I can haz ROI?”

As a consultant, I would want to protect the most meaningful assets and manage the most tangible threats… but I also appreciate the need to show value and a quick return on the expenditure for assessment services.  There are a couple of very tangible needs that must be identified in this discussion.

Start Testing with sites that have:

  1. Serious, unaddressed website security flaws (ROI demonstration, the classic security widget sales technique)
  2. Critical or regulatory datasets (PII, PHI, PCI, SOX, GLBA, or any other flavor)
  3. Top traffic sites (a compromise there either damages reputation or reaches the largest number of browsers/systems visiting your sites)
  4. Top revenue sites (focusing on threats with the maximum demonstrable business justification)

My counsel has historically been driven by the business value of the site, or the value of the data served by the site (regulatory bodies, SLAs, etc.).  I state that because I now more clearly see that, as an outsider, my focus is on protecting business sites and providing safety, not on political justification inside an organization I work for…

In presenting, I focus on risk management in terms of how ‘bad guys’ monetize attacks.  So maybe this is really a question of “Budgeting for Web Application Security” vs. “Which sites do you spend that money on?”  Are they not the same?

Please take time to comment or respond to the poll here: “When you started testing, how did you choose your initial sites?”


2 Responses to “Chicken or Egg – Selecting Websites for Testing”

  1. Rafal Los Says:

    Follow the money … that’s what gets attention… money is the universal language of business… and if you can equate something you’re doing [or want to do] with a [concrete] loss of revenue you will get your resources.

  2. Gino Lass Says:

    I just now arrived by way of MSN and had to express gratitude after looking at this information. I will make sure to bookmark this site.

