In the modern world of security and application security, there is stuff you worry about and stuff you don’t. Most companies have SaaS and third-party applications, cloud infrastructure, and other systems. For much of this footprint, there is only a limited amount you can do to ensure protection. The fundamental security of those systems is the responsibility of the provider.
But when your infrastructure reaches a certain size, when you are running your own applications and have fleets of laptops, phones, networks, and your own data center, securing all these assets does become your problem.
Applications are perhaps the most vulnerable area for which companies must take responsibility. So, ensuring that applications are secure and don’t contain exploitable mistakes is a crucial task – and it’s one that never ends.
I recently spoke with Justin Calmus, VP of Hacker Success at HackerOne, about how the role of penetration testing is changing. This testing is becoming less about simply finding problems, and more about a process of continuous improvement. HackerOne is a crowdsourced penetration testing service. Companies come to HackerOne and ask for help. HackerOne organizes challenges where teams of experts hammer away at applications and attempt to find problems for a bounty. The more problems found, the more the company pays.
But then what? Calmus and his team have realized that the best way to interact with clients is not just to find vulnerabilities but to work with them to make sure that the vulnerabilities are not introduced in the first place. In other words, the higher level of protection is for HackerOne to be an early warning system and to advise companies how to change their development practices to avoid introducing problems from the get-go.
Calmus pointed out that enterprise security teams are now emerging at companies. These teams are tackling new vulnerabilities that aren’t traditionally code-based. Many companies have application security teams that are focused on fixing software engineering vulnerabilities, but enterprise security teams need to be able to handle a wider range of issues.
Calmus provided me with the following list of problems, both old and new, that frequently show up in applications. If you are creating software that runs on the Internet, your goal should be to stop these problems at the source.