Skip to main content
October 24, 2014

Penetration Testing Doesn't Have to Feel Like Rabbit Farming

Tracking your apps can feel like tracking multiplying rabbits.About half of all business Web apps developed in the last 15 years are Java-based. This makes Java an obvious target for hackers since it contains so many potential targets, and penetration testing is often skipped in favor of patchwork security solutions.

Because much of today's background Java code is derived from crowdsourced code libraries, developers often trust that their code is safe without verifying that its source has done testing or is even as friendly as it claims to be.

The problem? As building apps has gotten easier and programmers have become more prolific, few companies have the resources to track, manage and execute security testing before launching new apps and features. As we've noted, companies employ hundreds or even thousands of custom apps on a daily basis. If even one of those apps is untested, it can provide hackers with access to a company's entire system. As a result, IT managers face the daunting task of testing, tracking and managing every app in their companies.

To do this manually would be like trying to memorize the names and feeding schedules for hundreds of bunnies on a rabbit farm. Not only are they similar and constantly moving, they're multiplying at a mind-boggling rate! (What's more, most business apps aren't as cuddly as bunnies.)

Strength in Numbers?

Manually tracking apps, modifications, updates, penetration testing and mitigation methods is a nearly impossible task — not to mention a waste of valuable IT-department time and resources. Once you recognize the impossibility of remembering which rabbit is which, which likes to eat alfalfa instead of clovers and when your summer intern last tested the security of that calendar plug-in he's been working on, you'll begin to feel overwhelmed.

App systems are like chains — they're only as strong as their weakest links. Not only do you need to ensure that every link is equally strong, but you have to be constantly aware of each new link added. Given the prevalence of Java and its inherent flaws, that's a tall order.

Build It Right the First Time

It's time to quit worrying about how many rabbits you have or how strong your chain is. Rather than constantly running up and down the ever-growing chain checking for weak links, wouldn't it be nice to know that every additional link was as good as, or better than, the one that came before it?

The best defense for Java is, contrary to the sports cliché, a good defense.

When developing apps for your company, it's critical to test them throughout the Software Development Life Cycle (SDLC). To do this manually is cumbersome and requires resources that many companies don't have. Good penetration testing is complex and costly, leading many to depend on post-implementation mitigation methods instead of thorough development. Still, the effects of poorly tested apps can be far more costly than building them well and testing them often. Problems that get buried under further development and missed by cursory penetration testing can easily be unearthed and exploited by hackers.

The LeanStart-up Is Not Always Safe

With the explosion of Agile workflow principles, the diffusion of responsibility in app development is greater than ever. At any given time, several people might be adding and tweaking code, all while assuming that someone else is doing the security testing.

Iterative testing is an integral part of Agile development, and these frequent tests can lead to a false sense of security unless the test procedure is standardized and comprehensive. The best way to prevent diffusion of responsibility or insufficient testing in Agile development is to implement a background security service that constantly and automatically tests applications throughout the SDLC.

To leverage the advantages of Agile development, an automated, iterative security test can save time and lead to a more secure end product. That way, you can audit early and often to prevent problems from sneaking in and causing costly headaches later. Laziness and tight budgets are not good excuses for leaving weak links in your software chain, and good software allows you to spend more time and resources developing new applications without worrying about the old ones.

Because, let's be honest: Don't we all love playing with new baby bunnies more than fretting over old hares?

Photo Source: Flickr

John is a B2B and SaaS expert who likes to explain complex concepts using cute animals and cocktail napkins. He believes that content marketing is the future and sometimes ghost writes, but he can never prove it.

Love to learn about Application Security?

Get all the latest news, tips and articles delivered right to your inbox.