Already this year the Identity Theft Resource Centre has reported 101 data breaches with over 80M records stolen. The US military Twitter account was recently hacked by terrorists. The Sony data breach is still fresh in our minds. And now millions of WordPress users who have downloaded the WP-Slimstat plug-in have been asked to upgrade to the next version due to a critical flaw that makes sites vulnerable to SQL injection attacks.
What this teaches us is even the best of us are not safe from malicious attacks. And the only way for us is to test the security of our sites as early and as often as possible.
Why are our websites vulnerable?
As hackers find new ways to gain access to our websites, a firewall based solution is simply not enough. Access Controls, Cryptography, IPS, IDS etc. are useful only until hackers find a way to get past them.
Each day reveals new vulnerabilities with attackers finding sophisticated ways to breach a website. An average website is attacked 2 to 200 times a day by worms and crawlers that take advantage of any weakness in the site. Compromised websites can be infected with malware which then infects visitors to the site.
Sensitive data like Personally Identifiable Data (PII), Social Security Numbers, Bank account numbers, Credit card data etc. can fall into the wrong hands. It can take an average of 7-10 days and an average cost of $3.5M to recover from an attack.
What happens when security is compromised?
- Loss of sensitive data like PII, PHI, account and card information
- Loss of reputation
- loss of customer trust
- Legal consequences inviting penalty of millions of dollars
How can security testing help?
A continuous cycle of security testing can help identify a range of weaknesses in your websites. There are several open source and proprietary tools available in the market today that enable security testing.
Periodic security testing can bring following advantages:
- Simulate attacks from outside to pro-actively detect and fix vulnerabilities
- Fortify yourself against potential attacks
- Keep business and customer data safe
- Detect common flaws like XSS, CSRF, SQL injections, remote code executions etc.
- Prevent vulnerabilities arising from information leakage, session management and authentication/authorization due to inadequate or weak encryption
- Identify vulnerabilities as the code is being developed through Static Application Security testing (SAST)
- Reveal vulnerabilities in actual run-time environment through Dynamic Application Security testing
- Ensure compliance to standards like PCI DSS, ISO and HIPAA
- Ensure business continuity
- Build an effective risk management strategy
About Author:
Sharada works for Cigniti Technologies Limited . It is the world’s third largest Independent Software Testing Services Company. Cigniti has helped Enterprises and ISVs across verticals build quality software while improving time to market and reducing cost of quality. Cigniti’s test offerings include Agile & DevOps Testing, Digital Testing, Mobile Testing, Service Virtualization, Test Data Management, Security Testing, Performance Testing, Functional testing, Test Automation, eCommerce Testing, ERP testing, Test Advisory Services, Medical device testing, and Big Data Testing.
