Software Testing Social Network

In this article on application security testing, we will be looking at vulnerabilty analysis,vulnerability scanner, vulnerability disclosure and ethical scanning.

Vulnerability analysis, also known as vulnerability assessment, is a process that defines, identifies, and classifies the security holes (vulnerabilities) in a computer, network, or communications infrastructure. In addition, vulnerability analysis can forecast the effectiveness of proposed countermeasures and evaluate their actual effectiveness after they are put into use.

Vulnerability analysis consists of several steps:

* Defining and classifying network or system resources

* Assigning relative levels of importance to the resources

* Identifying potential threats to each resource

* Developing a strategy to deal with the most serious potential problems first

* Defining and implementing ways to minimize the consequences if an attack occurs.

If security holes are found as a result of vulnerability analysis, a vulnerability disclosure may be required. The person or organization that discovers the vulnerability, or a responsible industry body such as the Computer Emergency Readiness Team (CERT), may make the disclosure. If the vulnerability is not classified as a high level threat, the vendor may be given a certain amount of time to fix the problem before the vulnerability is disclosed publicly.

The third stage of vulnerability analysis (identifying potential threats) is sometimes performed by a white hat using ethical hacking techniques. Using this method to assess vulnerabilities, security experts deliberately probe a network or system to discover its weaknesses. This process provides guidelines for the development of countermeasures to prevent a genuine attack.

A vulnerability scanner is a program that performs the diagnostic phase of a vulnerability analysis,also known as vulnerability assessment. Vulnerability analysis defines,identifies, and classifies the security holes (vulnerabilities) in acomputer, server, network, or communications infrastructure. Inaddition, vulnerability analysis can forecast the effectiveness ofproposed countermeasures, and evaluate how well they work after theyare put into use.

A vulnerability scanner relies on a database that contains allthe information required to check a system for security holes inservices and ports, anomalies in packet construction, and potentialpaths to exploitable programs or scripts. Then the scanner tries toexploit each vulnerability that is discovered. This process issometimes called ethical hacking.

An ideal vulnerability scanner has capabilities such as the following:

* Maintenance of an up-to-date database of vulnerabilities.

* Detection of genuine vulnerabilities without an excessive number of false positives.

* Ability to conduct multiple scans simultaneously.

* Ability to perform trend analyses and provide clear reports of the results.

* Recommendations for countermeasures to eliminate discovered vulnerabilities.

If security holes are detected by a vulnerability scanner, a vulnerability disclosuremay be required. The person or organization that discovers thevulnerability, or a responsible industry body such as the ComputerEmergency Readiness Team (CERT), may make the disclosure, sometimesafter alerting the vendor and allowing them a certain amount of time toremedy or mitigate the problem.

Vulnerability disclosure is the practice of publishing information about a computer security problem, and a type of policy that stipulates guidelines for doing so. Either the person or organization that discovers the vulnerability or a responsible industry body such as the Computer Emergency Readiness Team (CERT) may make the disclosure, sometimes after alerting the vendor and allowing them a certain amount of time to fix the problem before publishing the information.

The question of how much information to provide and when to make it public is a contentious issue. Some people argue for full and immediate disclosure, including the specific information that could be used in an exploit taking advantage of the vulnerability; others believe that limited information should be made available to a selected group after some specified amount of time has elapsed since the vulnerability was found; and still others believe that no vulnerability information should be published at all.

A number of organizations are establishing vulnerability disclosure policies. According to CERT's policy, for example, they will: inform the vendor about a vulnerability as soon as practically possible after they receive a report; advise the reporter of changes in the status of the vulnerability; and, under most circumstances, disclose the information to the public 45 days after the problem is reported, whether the vendor has dealt with the issue or not.

An ethical hacker is a computer and network expert who attacks a security system on behalf of its owners, seeking vulnerabilities that a malicious hacker could exploit. To test a security system, ethical hackers use the same methods as their less principled counterparts, but report problems instead of taking advantage of them. Ethical hacking is also known as penetration testing, intrusion testing, and red teaming. An ethical hacker is sometimes called a white hat, a term that comes from old Western movies, where the "good guy" wore a white hat and the "bad guy" wore a black hat.

One of the first examples of ethical hackers at work was in the 1970s, when the United States government used groups of experts called red teams to hack its own computer systems. According to Ed Skoudis, Vice President of Security Strategy for Predictive Systems' Global Integrity consulting practice, ethical hacking has continued to grow in an otherwise lackluster IT industry, and is becoming increasingly common outside the government and technology sectors where it began. Many large companies, such as IBM, maintain employee teams of ethical hackers.

Comments (0)

Subscribe to this comment's feed