In November 2013 I published an article in the CSO Journal titled “The quest for weak links in information security”. Inspired by the security breach of the Financial Times in May 2013, when one of its many blog platforms was compromised to give attackers access to the media company's other internal systems, I wanted to share my views on what could be done to effectively mitigate the risk of external intrusions through Web applications.
Particular attention was given to hybrid Web application security assessment solutions that combine automated vulnerability scanners with manual ethical hacking. The advantage of hybrid vulnerability scanners over traditional automated scanners lies in the human ability to adapt attack strategies and the related tools to the particular components of a target. The concept mimics the approach of attackers. Human security auditors are more accurate than fully automated, machine-learning-based systems at contextualizing risk factors within the boundaries of a specific target organization. Combining automation with human intelligence increases effectiveness and efficiency, reducing the cost of assessments compared to fully manual pentests while at the same time increasing accuracy over fully automated systems. These solutions are ideal for organizations with a large Web application risk posture, such as online media.
During the 2014 CISO Summit Middle East I talked about the findings published in the above article and also covered more extensively how CISOs could integrate these hybrid vulnerability assessment solutions into their Information Security Management System (ISMS). In a risk-based information security management approach, the tendency is to mitigate low-likelihood, low-impact risks with low-cost controls such as automated vulnerability scanners. But can we find the hole in a flat tire automatically? We can measure the drop in air pressure, but the hole has to be found manually. Similarly, hybrid security assessment systems can more effectively identify vulnerabilities in low-risk systems while keeping operational costs at optimum levels.
My presentation slides can be accessed here: CISO summit Dubai 2014 online
As a 2018 update, I may add that hybrid vulnerability scanners are now offered as Security-as-a-Service solutions. The automated components are more advanced, with code analysis supported by machine learning and artificial intelligence. They integrate well into risk management platforms and provide feedback to active control systems such as Web application firewalls.