Testing the water for web threats
Opportunities for web-penetration testing still exist for resellers, argues Kathryn Harding
Harding: Hackers are turning to web-based attacks to penetrate business networks
With the economy barely keeping its head above water, organisations are more cautious about investing in IT. Understandably, "nice-to-haves" may not be a priority and even core investment areas such as security may be assessed primarily for their immediate value.
Web-penetration testing, we think, can deliver that value. Businesses must protect themselves from potential threats, and services that assess where a company might have security holes offer good revenue for resellers.
A consultant can test existing IT security for flaws or back doors. Companies can see if they need to change their approach or make additional security investments.
Web-penetration testing is widely seen by the industry as essential in security policy. Businesses may unwittingly open themselves up to threats as they change the way they deliver services and interact online with customers.
Those changes bring real benefits: increased productivity, as organisations can interact faster with third parties and customers; cost effectiveness; and access to new markets. But each new online channel is also a new attack surface, which is why testing belongs alongside the investment.
In a security report issued by IBM’s ISS security tools division, Big Blue claimed that 55 per cent of the 7,406 vulnerabilities tracked by ISS in 2008 involved web applications.
For roughly three quarters of those web-application vulnerabilities, no vendor patch was available, leaving affected organisations to find and mitigate the flaws themselves.
Since network security has matured, there are fewer opportunities to breach information systems through network-based vulnerabilities. So hackers are switching their focus to more vulnerable areas, such as web applications.
The initial investment to provide good IT security consultancy can dissuade many. It is true that a good security consultant should be completely immersed in the sector just to keep up with the evolving threat landscape.
Then there are the numerous accreditations expected of an IT security consultancy: CREST (the Council of Registered Ethical Security Testers); the CESG CHECK scheme for penetration testing of government systems; or the CESG CLAS scheme for security consultancy advice.
That does not include the many standards to which one should comply, such as ISO 9001 (quality) and 27001 (information security management).
All these considerations have so far kept it a niche offering. Yet web-penetration testing does not have to be difficult to sell: the testing industry is now far more accessible to resellers that, for example, partner with a specialist and resell its services under their own customer relationship.
Such reseller partners can improve customer satisfaction and retention, standing head and shoulders above the box shifters.
Kathryn Harding is professional services manager at Computerlinks