Just a little rant.
Often, if a security consultant is asked to perform asked to perform a VA/PT (the difference is a whole topic for another day) for a customer in a number of man-days. Obviously, as with most service based deliverables, one quantifies work in the time spent on it. Hours, or -more often- days. But this creates a false sense of security. Time spent is not the right yardstick.
When dealing with a business deadline (i.e: the app needs to be released today, the new portal needs to be pushed next week, …), we often compromise on security; and treat the security audit, or va/pt if you like, as a checkbox:
oh, no critical and/or highs? we’re good to go. We’ll fix the rest later
And that is bad for two reasons:
- The rest is never fixed
- You’re ‘protected’ against whoever spends X amount of time on it
This is, in my opinion, why programs such as Bug Bounty programs are so effective, and essential for any organization. Yes, you’re tongue-in-cheek giving attackers the green light to assess your security, but you equally get an assessment 24/7, not limited on time.
After joining Microsoft, I’ve been very involved in some of the Bug Bounty programs MSFT offers, and most of the “juicy bugs” (the real eye openers) are the result of days, weeks and sometimes even months of testing, failing, and retesting.
If you have internal (technical) information security staff, embrace the notion of continuous testing. Yes, some properties need to have a checkbox being assessed before going life, but don’t let anyone stop there. If you don’t have the internal muscle power, embrace a bug bounty program. There are several clever minds out there who would uncover sometimes hard- to find bugs, because they like doing so.