Let me first of all start off by confirming that we are all under attack. Even if you do not think that is the case, or you do not catch the attacks in your security infrastructure, the attacks are still ongoing.
Even a company like help AG is under attack, which I discovered last week when I tested some new security equipment in front of the web interface of our support systems.
After deploying the technology I very quickly started seeing attack activity on our website, which is quite impressive as the website is only published to a number of customers and should hold no real interest for anyone out there – hey, the information in the system may not even be that interesting to the average attacker.
I was less worried though, and one of the reasons is that we have performed a number of vulnerability assessments on our infrastructure, and I know that I have covered the basics on the system in question. The vulnerabilities we did find were addressed, and for the ones we were not able to easily address, for instance by running a software update, we investigated and understood the security impacts and risks associated with the platform.
Do we have vulnerabilities? Yes, but we understand the impact of them and have decided we can accept the risks.
Exactly that last statement is very important, and it is an area where many customers have difficulties – even if they spend a lot of money on penetration tests and vulnerability assessments, they may still not know exactly how vulnerable they are or how serious a vulnerability is.
Which brings me to the next topic: understanding your vulnerabilities and understanding how they impact your security posture.
In a perfect world we would all like to be 100% risk-free and without any vulnerabilities; however, it is expensive, time consuming and very difficult – if not impossible – to achieve.
For the same reason the economics of achieving security are focused on prioritizing and covering your bases: spending money, time and effort on what is important and accepting the risk of what is left over.
Many vulnerability assessment companies focus their assessments around blindly trusting the output of tools to create a risk picture – and yes, it is a compelling thought to just be able to click start and end up with a full report, but these kinds of reports generally fail to deliver value, in the sense that they are unable to expose the real threat and impact of a security flaw to the organization.
When we work on VAs and pentests we use tools – absolutely – but what is different is that once the tool has given its output we dig deeper, understand the reported vulnerabilities, verify exploits and look out for unknown issues in the applications by understanding the application flow, the methods used by developers and discovering the programmatic shortcuts the developer decided to take.
In the end we deliver a report with a clearly prioritized list of issues, and allow the customer to act according to the real risk picture.
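As an added example (not code from this post or from help AG), the "dig deeper, verify, then prioritize" step can be made concrete as a small Python triage. It takes constructed scanner findings and separates what must be fixed (ordered by a risk score that combines tool severity with exposure and business impact), what still needs a human to verify before it belongs in a report, what turned out to be a false positive, and what has been consciously accepted with a documented reason. The field names, the weights and the sample findings are assumptions chosen for illustration.

```python
"""Turn raw scanner output into a prioritized, verified risk picture.

Added example; the Finding fields, weights and sample data are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Finding:
    fid: str
    title: str
    tool_severity: str        # severity string as reported by the scanner
    exposure: str             # who can reach the affected system
    impact: str               # what an attacker gains from the flaw
    verified: Optional[bool]  # True = confirmed, False = false positive, None = not yet checked
    accepted: bool = False    # risk formally accepted by the system owner
    rationale: str = ""       # why it was accepted; mandatory when accepted


# Assumed weights: scanner severity is only one input, context supplies the rest.
SEVERITY = {"critical": 4, "high": 3, "medium": 2, "low": 1, "info": 0}
EXPOSURE = {"internet": 3, "partner": 2, "internal": 1}
IMPACT = {"high": 3, "medium": 2, "low": 1}


def risk_score(f: Finding) -> int:
    """Severity x exposure x impact (max 36); a confirmed false positive scores 0."""
    if f.verified is False:
        return 0
    return SEVERITY[f.tool_severity] * EXPOSURE[f.exposure] * IMPACT[f.impact]


def triage(findings: List[Finding]) -> Dict[str, List[Finding]]:
    """Bucket findings; 'act' is sorted by descending risk so the report is prioritized."""
    buckets: Dict[str, List[Finding]] = {
        "act": [], "verify": [], "accepted": [], "false_positive": []
    }
    for f in findings:
        if f.verified is False:
            buckets["false_positive"].append(f)
        elif f.verified is None:
            # Tool output alone is not a risk picture: a human must confirm it first.
            buckets["verify"].append(f)
        elif f.accepted:
            if not f.rationale.strip():
                raise ValueError(f"{f.fid}: accepting a risk requires a written rationale")
            buckets["accepted"].append(f)
        else:
            buckets["act"].append(f)
    buckets["act"].sort(key=risk_score, reverse=True)
    return buckets


def report_lines(findings: List[Finding]) -> List[str]:
    """Render the triage result as the prioritized list a customer would receive."""
    lines = []
    for bucket, items in triage(findings).items():
        for f in items:
            lines.append(f"[{bucket}] {f.fid} score={risk_score(f):2d} {f.title}")
    return lines


def sample_findings() -> List[Finding]:
    """Constructed scanner output, roughly what a tool run on a small portal might emit."""
    return [
        Finding("F-1", "SQL injection in login form", "critical", "internet", "high", True),
        Finding("F-2", "Outdated TLS cipher suite offered", "medium", "internet", "low", True,
                accepted=True, rationale="Needed by one legacy customer client; monitored, review next quarter"),
        Finding("F-3", "Directory listing enabled on /static", "low", "partner", "low", None),
        Finding("F-4", "Reflected XSS reported by scanner", "high", "internal", "medium", False),
        Finding("F-5", "Missing security update on support portal", "high", "partner", "high", True),
    ]


if __name__ == "__main__":
    for line in report_lines(sample_findings()):
        print(line)
```

The point of the `verify` bucket is the one the post makes: an unverified tool result is not a finding yet, and the `rationale` check enforces that "we accept the risk" is a documented decision rather than a silent omission.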
Does this make sense, and do we find something? Absolutely… we stumble over issues constantly, even in big and well-reputed business applications – sometimes the flaws even amaze us, especially as they have often been unpatched and untouched by the vendors for years.
When we discover a flaw we of course report it via official channels to vendors, CERTs and other organizations, sometimes getting credit for the finding, but most often our work is let down as many vendors choose to ignore our findings. When this is the case we end up sitting on a little treasure box of zero-day attacks – luckily we are not bad people and will never use them, but honestly the technical information we have is no different from what a hacker would need to attack a site – quite scary that vendors are not getting stuff patched quickly to close the gap… Anyway, I reckon it is the economics of software development that speaks here.
We all have a responsibility to understand our risks, act accordingly and be honest when we find issues so that we can learn and fix the issues.
In the end security is a process – technology is a part of the journey to become more secure, but it all starts by admitting you are insecure…