On the subject of web application security and testing, Intology sat down with Yousif Yalda, founder of Vulnerability Assessments and Penetration Testing (www.vapt-sec.com). He is a former Kaspersky information security officer and has wide experience in this field.
[..]
Intology
First of all we would like to thank you for taking the time to talk to us.
Our first question is: what is your opinion on the overall state of web application security in the world?
[..]
Yalda
Firstly for phishing, you should try to analyze every URL you visit, or will visit, so that you may know where it is really taking you. Using Firefox is one of the easiest decisions you can make to help prevent these forms of attack. Currently it cannot be stopped 100%, but Firefox does try to discover patterns in the attack, and alert you if an attack is suspected. CSRF can be prevented by simply downloading an add-on to Firefox called 'No Script'.
This will help prevent against both XSS (Cross-Site Scripting) and CSRF attacks by stripping the parameters out of any POST request generated by a suspicious site. I'll leave the technical stuff out, because that's for us to take care of.
[Yousif doesn't fully understand CSRF attacks. Simple CSRF exploits do not rely on any type of script code, they rely on the trust relationship between a user and their browser along with the authentication maintained with an application. A CSRF attack does not even require a POST request, as it can be performed with a single GET request depending on the application. Firefox with the 'No Script' add-on will not protect against that.]
[..]
Intology
For what organizations is web application security a concern?
[..]
Yalda
It's important to remain a well-respected organization by not dishonoring your users' online experience by undergoing maintenance due to a security breach. It's also vital that anyone who seeks recognition for whatever the cause may be, whether it's developing research, or simply building a web presence, continues to do so without facing humiliation through the means of disruption of service. Plus, if a brand provides a product and/or a service, then it's fair to say that if it has been compromised, it will be less trusted, and thus decrease consumer confidence and furthermore degrade the company's value in production.
[Interesting, since Yalda's company, V.A.P.T. Security, isn't available due to hosting issues: yalda03-vapt-sec.com.png]
[..]
Intology
What services does V.A.P.T provide and how does it differ from other providers?
Yalda
We provide web application security and penetration testing. We use this process to find vulnerabilities and exploits within a web application and an operating system to determine where flaws exist, and then we venture to patch those insecurities. We differ from other providers because we don't depend solely on tools to find issues, rather deploy manual techniques in affiliation with automated tools to grasp a scope as the total solution for web application security.
[This is not different in any way, as hundreds of penetration testing firms have been using a combination of automated and manual testing for over two decades.]
[..]
Intology
Where do you think organizations normally lack in terms of web security? What are the main areas they neglect?
Yalda
[..] Also, they tend to ignore people who report security issues, and thus shove away the security reporter to publish the problems to the public. Another problem is choosing who has access to what information. They also put aside the fact that most of the time when security researchers report flaws, they are doing you a favor. Instead, some companies will prosecute you and take legal action as if you were causing harm.
[Yalda doesn't appear to understand the legal system or the history of problematic vulnerability disclosures. While several companies have threatened researchers, they are threats. A commercial company can file a lawsuit against a researcher, but they cannot prosecute anyone.]
Intology
How are you evolving in terms of new techniques like AJAX?
Yalda
V.A.P.T. has staff that are experts in understanding AJAX and know how to defend against its flaws. V.A.P.T. uses white box testing as a process to find and cure mistakes made by performing code overviews, debugging, and path testing for input and output. We modify data in terms of values, parameters, and strings to make sure the data is handled securely. We also consult in providing tips to allow dynamic content to stay user-generated to keep features in availability, but not to be abused in any fashion.
[Even after referencing a link to his blog "discussing AJAX", his answer has nothing specific to AJAX.]
[..]