Applications are perhaps the most vulnerable area for which companies must take responsibility. So, ensuring that applications are secure and don’t contain exploitable mistakes is a crucial task – and it’s one that never ends.

I recently spoke with Justin Calmus, VP of Hacker Success at HackerOne, about how the role of penetration testing is changing. This testing is becoming less about simply finding problems, and more about a process of continuous improvement. HackerOne is a crowdsourced penetration testing service. Companies come to HackerOne and ask for help. HackerOne organizes challenges where teams of experts hammer away at applications and attempt to find problems for a bounty. The more problems found, the more the company pays.

But then what? Calmus and his team have realized that the best way to interact with clients is not just to find vulnerabilities but to work with them to make sure that the vulnerabilities are not introduced in the first place. In other words, the higher level of protection is for HackerOne to be an early warning system and to advise companies how to change their development practices to avoid introducing problems from the get-go.

Calmus pointed out that enterprise security teams are now emerging at companies. These teams are tackling new vulnerabilities that aren’t traditionally code-based. Many companies have application security teams that are focused on fixing software engineering vulnerabilities, but enterprise security teams need to be able to handle a wider range of issues.

Calmus provided me with the following list of problems, both old and new, that frequently show up in applications. If you are creating software that runs on the Internet, your goal should be to stop these problems at the source.


Resource