| Article Index |
|---|
| Application Security Testing Techniques: Vulnerability Assessment |
| Page 2 |
| All Pages |
A vulnerability scanner relies on a database that contains allthe information required to check a system for security holes inservices and ports, anomalies in packet construction, and potentialpaths to exploitable programs or scripts. Then the scanner tries toexploit each vulnerability that is discovered. This process issometimes called ethical hacking.
An ideal vulnerability scanner has capabilities such as the following:
* Maintenance of an up-to-date database of vulnerabilities.
* Detection of genuine vulnerabilities without an excessive number of false positives.
* Ability to conduct multiple scans simultaneously.
* Ability to perform trend analyses and provide clear reports of the results.
* Recommendations for countermeasures to eliminate discovered vulnerabilities.
If security holes are detected by a vulnerability scanner, a vulnerability disclosuremay be required. The person or organization that discovers thevulnerability, or a responsible industry body such as the ComputerEmergency Readiness Team (CERT), may make the disclosure, sometimesafter alerting the vendor and allowing them a certain amount of time toremedy or mitigate the problem.
Vulnerability disclosure is the practice of publishing information about a computer security problem, and a type of policy that stipulates guidelines for doing so. Either the person or organization that discovers the vulnerability or a responsible industry body such as the Computer Emergency Readiness Team (CERT) may make the disclosure, sometimes after alerting the vendor and allowing them a certain amount of time to fix the problem before publishing the information.
The question of how much information to provide and when to make it public is a contentious issue. Some people argue for full and immediate disclosure, including the specific information that could be used in an exploit taking advantage of the vulnerability; others believe that limited information should be made available to a selected group after some specified amount of time has elapsed since the vulnerability was found; and still others believe that no vulnerability information should be published at all.
A number of organizations are establishing vulnerability disclosure policies. According to CERT's policy, for example, they will: inform the vendor about a vulnerability as soon as practically possible after they receive a report; advise the reporter of changes in the status of the vulnerability; and, under most circumstances, disclose the information to the public 45 days after the problem is reported, whether the vendor has dealt with the issue or not.
An ethical hacker is a computer and network expert who attacks a security system on behalf of its owners, seeking vulnerabilities that a malicious hacker could exploit. To test a security system, ethical hackers use the same methods as their less principled counterparts, but report problems instead of taking advantage of them. Ethical hacking is also known as penetration testing, intrusion testing, and red teaming. An ethical hacker is sometimes called a white hat, a term that comes from old Western movies, where the "good guy" wore a white hat and the "bad guy" wore a black hat.
One of the first examples of ethical hackers at work was in the 1970s, when the United States government used groups of experts called red teams to hack its own computer systems. According to Ed Skoudis, Vice President of Security Strategy for Predictive Systems' Global Integrity consulting practice, ethical hacking has continued to grow in an otherwise lackluster IT industry, and is becoming increasingly common outside the government and technology sectors where it began. Many large companies, such as IBM, maintain employee teams of ethical hackers.
Subscribe to this comment's feed
| < Prev | Next > |
|---|
