You had it planned from the beginning. There was no way you were going to fall prey to the mass of web-based threats constantly pounding poorly written web applications. So when it came to rewriting your legacy web application, you knew security couldn't be an afterthought. You brushed up on OWASP. Maybe you read Microsoft's Threats and Countermeasures Patterns and Practices series. You even purchased a web application vulnerability scanner to periodically scan the application and identify not-so-obvious XSS and SQL injection bugs. By the time the app was moved to production, it was bug free. Well done!
So now what? Pat yourself on the back for writing an application that is secure by today's standards. Now keep testing your software. That's right -- keep scanning your code. Metaphorically speaking, today your application has a 10 foot wall built around it. Tomorrow, someone could raise an 11 foot ladder, and poof! You're owned.
Once you stop scanning, you're making one or all of the following assumptions:
- Malicious hackers have lost interest in web application exploits. No new vulnerabilities will be discovered. Ever.
- Microsoft/Apache/Oracle/IBM [insert your platform here] have found all the possible holes that could ever exist in their code. Like you, their code is now secure. They're patting themselves on the back as you read this.
- Somehow, you'll know when your app is vulnerable. It won't happen, but if it does, you'll know.
Sounds pretty crazy once you read it, but take your pick. Here's the bottom line. Hackers will never stop looking for ways to defeat security -- it's what they do. New vulnerabilities are found -- daily. And, yes, you will know when your application is vulnerable -- once it's been hacked.
Keep assessing your application periodically. Keep your scanning software up to date. Your web app security vendor has a team of researchers that scour the Internet for emerging threats. They stay ahead of the curve, keeping a look-out so you don't have to.
Security is a journey, not an event. Nor is it a tool you use once and forget about. Malicious hackers won't stop hunting. So, you shouldn't stop assessing.
....Si