Putting Products to the Security Test

eWEEK Labs recommends best practices, tools and strategies.

Effective security testing of new IT products is constrained by staff shortages, inadequate equipment and crunched time—in short, by a scarcity of resources. But even with all these hurdles, security testing can—and should—be done and done well.

eWEEK Labs has access to some of the most advanced test gear, expertise and vendor support available, but many of our test practices can be modified and implemented in resource-constrained IT organizations.

In a manner of speaking, we've taken some of our security testing "recipes" and adapted them for use in a production IT department. The result is a soup-to-nuts collection of testing practices, as well as recommendations for useful security testing tools.

The good news is that nearly every security test practice is in step with the process of tuning systems and applications for optimum performance. The reason for this is simple: IT staffers must become at least advanced administrators of any system if they are to run meaningful tests on it, and, along the way, they will learn about more advanced performance-tuning techniques.

Be it here in our Labs or in an enterprise testbed, planning is the key to achieving meaningful results. Taking the time to plot out a course of action—and, in the process, anticipating and avoiding potential pitfalls—is a must.

One of the most effective tools that IT managers can use today—and use as the basis for all subsequent security and other testing—is a network diagram.

Click here for a diagram charting eWEEK Labs' current test network.

Microsoft Corp.'s Visio and SmartDraw.com's namesake utility are two good diagramming tools. Regardless of which diagramming tool is used, updating the diagram is a key part of the IT change management process.

eWEEK Labs recommends that IT managers start security testing as part of product implementation and user training. This is a good way to reduce the cost associated with security testing alone while gaining the same result—expert knowledge of a product's strengths and weaknesses.

One way in which this naturally happens is with the creation of administrative accounts for applications.

Although it has been a long-standing recommendation of eWEEK Labs to change any and all default accounts and passwords, it is equally important to track these changed passwords and any ACLs (access control lists) that are modified to accommodate new products.

To correctly create these new accounts, IT staff must fully understand the privileges needed by these accounts. This process is often a view into the soul of any application, large or small.

There are many new and updated password management tools that can help IT managers track these user credentials across the enterprise. eWEEK Labs will be evaluating several of these, including new tools from RSA Security Inc. and Vintela Inc., in the coming weeks. When we test the security of these tools, we will also determine whether additional IT resources will be needed to manage user privilege information.

Security testing also requires using a range of penetration tools that emulate and automate hackers' actions. Many of these tools are widely available at no cost. However, learning to use the tools effectively means investing at least several hours per week on an ongoing basis.

Indeed, we have long used Nessus to probe for weaknesses in products under test and Nmap to scan for the open ports required by applications we are testing, but we are constantly learning new ways to use these tools.
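One check that ties the network diagram to the port scan is to compare what Nmap actually found open on a host against the ports the product's documentation says it needs. The following script is an added example, not eWEEK Labs' own tooling: it parses the XML report Nmap produces (`nmap -oX`) and flags any open port that the diagram-derived baseline does not list, as well as any documented port that is not open. The host address, the baseline, and the XML report itself are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample of Nmap's XML output (-oX) for one host under test.
# This is not a real scan; the address and ports are made up for the example.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host>
    <status state="up"/>
    <address addr="10.0.0.5" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh"/></port>
      <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/><service name="http"/></port>
      <port protocol="tcp" portid="443"><state state="open" reason="syn-ack"/><service name="https"/></port>
      <port protocol="tcp" portid="3306"><state state="open" reason="syn-ack"/><service name="mysql"/></port>
      <port protocol="tcp" portid="8080"><state state="closed" reason="reset"/></port>
    </ports>
  </host>
</nmaprun>
"""

# Hypothetical baseline taken from the network diagram: the ports the product's
# documentation says this host must expose. Anything else that is open needs
# an explanation before the product goes into production.
EXPECTED_PORTS = {
    "10.0.0.5": {("tcp", 22), ("tcp", 80), ("tcp", 443)},
}


def parse_open_ports(xml_text):
    """Return {address: {(protocol, port), ...}} for every open port in an Nmap XML report."""
    root = ET.fromstring(xml_text)
    observed = {}
    for host in root.findall("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            continue  # skip hosts with no IPv4 address element
        open_ports = set()
        for port in host.findall("ports/port"):
            state = port.find("state")
            # Only ports Nmap reports as "open" count; closed/filtered are ignored.
            if state is not None and state.get("state") == "open":
                open_ports.add((port.get("protocol"), int(port.get("portid"))))
        observed[addr_el.get("addr")] = open_ports
    return observed


def compare_to_baseline(observed, expected):
    """Return {address: {"unexpected": set, "missing": set}} for every host in either map."""
    report = {}
    for addr in set(observed) | set(expected):
        obs = observed.get(addr, set())
        exp = expected.get(addr, set())
        report[addr] = {
            "unexpected": obs - exp,  # open but not documented: investigate or close
            "missing": exp - obs,     # documented but not open: product may be misconfigured
        }
    return report


if __name__ == "__main__":
    findings = compare_to_baseline(parse_open_ports(SAMPLE_NMAP_XML), EXPECTED_PORTS)
    for addr, delta in sorted(findings.items()):
        print(addr)
        print("  unexpected open ports:", sorted(delta["unexpected"]))
        print("  documented ports not open:", sorted(delta["missing"]))
```

Running it on a real report is a matter of replacing `SAMPLE_NMAP_XML` with the contents of the `-oX` file; the "unexpected" set is the list to take back to the vendor or to the diagram, and the "missing" set usually points at an installation step that did not complete.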

These and many other tools can simplify security testing, but applications and systems often are too complex for a single test tool to fully reveal all vulnerabilities.
