Interview: The Challenges of Security Testing

By Paladion

December 15, 2005

Palisade spoke to Vinod Vasudevan this week to understand the challenges professional penetration testing teams face. As CTO of Paladion, Vinod is responsible for the quality and effectiveness of the tests.

Security Testing

Palisade: Vinod, how about giving us some background on the security testing work you do.

Vinod: Sure. We are called in to test different kinds of apps - online banking, trading engines, supplier extranets, eCommerce sites, etc. We have 40+ engineers who dissect the application, find out security holes and recommend solutions. The team size for a penetration test varies between one and three depending on the size and complexity of the application. In the last 3 years we tested about 500+ applications.

Palisade: Great! Tell us what keeps you awake at night when it comes to Security Testing.

Vinod: (laughs) First, what I do like about security testing is that the customer is really happy when we discover holes before attackers do. So the challenge really follows from that. How do we ensure that every single test we do is comprehensive and meets the highest standards of quality? How do we ensure that a test does not miss out a vulnerability? We just can’t afford to have an adversary discover a hole we missed.

As we say here “For the attacker, one hole is enough. For us, every one.”

Palisade: How do you consistently ensure high quality then?

Vinod: Right, we attack the issue in multiple ways: First, every pen tester goes through an identical training program focused on developing the skills a pen tester needs. Second, we continuously refine our checklists. The checklists are the distilled knowledge base our teams work with – new insights from each test are fed back in to improve the checklists. We also refine our methodology at every opportunity. Today, for instance, we have a lot more automation than 2 years ago. All these aid consistency. We also have a system of quality checks and reviews to spot errors in testing.

Customer feedback has been quite important too. Though it comes after the test is over, it often validates how exhaustive the testing was. Frequently, we’ve had customers ask us to test an application after it has already undergone one or two rounds of testing and fixing. They don’t expect to find any more easy vulnerabilities. It’s how well we perform then that tells us if we are able to deliver high quality, consistently.

Palisade: How much does individual brilliance play a role in security testing?

Vinod: As in other walks of life, individual creativity and smart thinking are assets to a tester too. That, however, is not the basis for a high quality test. Professional security tests are the result of disciplined, systematic work. The application has to be thoroughly understood, a threat profile has to be modeled and test cases developed. Strong thought has to go into recommending practical solutions. A blend of creativity, discipline and a strong work ethic is best.

Palisade: Have you had customers find holes that your team didn’t catch?

Vinod: I hate to admit it, but yes, there have been instances where our team missed a hole. It’s been rare, but it happens. Feedback like that forces us to re-look at our testing methods and figure out why we didn’t catch it.

Tags: Features