SecurityBeat: Software Security Needs Validating

By Donald Borsay, Director of Security Solutions, HCH Enterprises

Software Security: A Critical Concern for Businesses in 2023

In March, HCH strongly recommended that clients prioritize addressing the Top 8 Cybersecurity Challenges of 2023. Among these, Software Security emerged as a critical concern, particularly for businesses undergoing Digital Transformation.

The complexity of Software Security is intensified when dealing with Outdated Security Technologies and inadequate responses to Zero Day Events. One valuable way to build justified confidence in Software Security is Web Application Penetration Testing (WAPT).

Our trusted partner, Cobalt, a ‘platform-as-a-service’ WAPT provider, has recently unveiled The State of Pentesting 2023. In response, HCH is issuing this advisory to turn the findings of that newly released report into actionable guidance on Software Security.

Resource Allocation is a Key Concern

A significant overarching concern is resource allocation. Clients with established Software Security processes are striving to achieve more with limited resources. This often involves outsourcing, deferring remediation efforts, and compromising validation processes. Conversely, clients without existing Software Security measures face challenges in securing adequate resources for software development, let alone validation.

HCH acknowledges this dilemma and has chosen to collaborate with Cobalt due to their innovative delivery model, which optimizes Return on Investment (ROI) and cost savings for clients.

Instill a Software Security Mindset

Instilling a Software Security mindset within your organization can be transformational. Security is largely a non-functional requirement: system design, infrastructure configuration, and software coding can fully satisfy functional needs without being secure, so security has to be asked for and checked for explicitly. At the very least, development teams should familiarize themselves with the OWASP Top Ten vulnerabilities. Cobalt’s assessments continue to reveal critical vulnerabilities such as SQL Injection, Remote Code Execution, and the use of Default Credentials. To address these threats effectively, HCH suggests implementing a comprehensive security checklist within your software release process, with each item backed by a repeatable check rather than a sign-off alone.
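The following is an added example, written for this advisory and not taken from the Cobalt report or from any client code, showing what one release-checklist item for SQL Injection can look like in practice: the vulnerable lookup beside its parameterized replacement, and a small gate that runs known injection payloads against a lookup function and reports which ones still get through. The table, users, and payloads are constructed for the example; the database is an in-memory SQLite instance so it runs offline.

```python
import sqlite3

# Constructed sample data for the example (not from the page): a minimal users table.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password_hash) VALUES (?, ?)",
        [("alice", "hash-a"), ("bob", "hash-b")],
    )
    conn.commit()
    return conn


def find_user_vulnerable(conn, username):
    # Vulnerable: untrusted input is concatenated into the SQL text, so the
    # database parses attacker-supplied quotes and operators as part of the query.
    query = f"SELECT username FROM users WHERE username = '{username}'"
    return [row[0] for row in conn.execute(query)]


def find_user_safe(conn, username):
    # Hardened: a parameterized query. The input is bound as a value and is
    # never parsed as SQL, so the same payloads simply match no user.
    return [
        row[0]
        for row in conn.execute(
            "SELECT username FROM users WHERE username = ?", (username,)
        )
    ]


# Constructed injection payloads used by the release check. Each is a single
# statement, so they exercise the WHERE clause rather than statement stacking.
INJECTION_PAYLOADS = (
    "' OR '1'='1",   # tautology: widens the match to every row
    "alice' --",     # comment terminator: closes the string and drops the rest
)


def release_gate(conn, lookup):
    """Run each payload through `lookup` and report pass/fail per payload.

    A payload passes only if it matches no user. Any non-empty result means
    attacker-controlled text changed the query's meaning, i.e. the finding is
    still present and the release should not proceed.
    """
    results = {}
    for payload in INJECTION_PAYLOADS:
        try:
            results[payload] = lookup(conn, payload) == []
        except sqlite3.Error:
            # A SQL error on a payload is still a sign the input reached the parser.
            results[payload] = False
    return results


def gate_passes(conn, lookup):
    """True only if every payload in the gate is rejected by `lookup`."""
    return all(release_gate(conn, lookup).values())


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", release_gate(db, find_user_vulnerable))
    print("hardened:  ", release_gate(db, find_user_safe))
```

Once a finding of this kind is remediated, the same gate doubles as the retest: it is re-run against the fixed code path on every release, so the fix is validated automatically instead of being assumed. The payload list should be extended with the exact payload the tester used, since that is the case the finding was reported against.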

Get the Most Out of Your Penetration Testing

To derive maximum value from your investment in penetration testing, it’s essential to empower your penetration tester. Collaborate with HCH to enhance your preparedness, or alternatively, use the Pentest Preparation Checklist outlined in the Cobalt report. Avoid the common hindrances that cost testing days without producing findings, such as:

  • Testers lacking necessary credentials or access prior to the test initiation.
  • Misalignment of the testing scope.
  • Insufficient ongoing collaboration throughout the testing process.
  • Inadequate brief or asset information.

Remediate and Retest Critical Findings

While Cobalt offers free retesting for resolved findings, less than 25% of identified issues are ever retested. That might be reasonable for lower-severity findings, but it is concerning that 61% of critical vulnerabilities are never retested, which means they either remain unresolved or their fixes were never validated. HCH firmly advocates remediating and retesting every critical finding: a fix that has not been retested against the original finding is an assumption, not a result. Moderate findings should not be accepted without formal documentation of the compensating controls that reduce their risk.

Conclusion

Trust in your Software Security demands verification. Make security a cornerstone of your software release strategy. Prioritize thorough testing of your software application and prepare adequately for the testing process to maximize its value. Lastly, prioritize the remediation and retesting of significant findings. HCH is dedicated to assisting you throughout this journey. Contact HCH Sales to access our support and expertise.