Wednesday, May 29, 2013

Penetration testing must be part of your web strategy, because all it takes is one malicious attack....

If, like most people who grew up in the late 20th century, you are a Bill Watterson fanatic, then you will surely remember getting a kick out of this (pun intended): http://bestofcalvinandhobbes.com/2011/10/a-swifty-kick-in-the-butt-is-for-sale/


While the humor in these strips is reward enough, you can often draw on Bill's caricatures for real-life lessons. In this case, I immediately associate it with any company that has an online presence but is not conducting periodic sweeps of its website to test its own vulnerability. Obviously "a kick in the butt" is not an academically precise comparison, but it's a start, and maybe just what the doctor ordered.

While CTOs are aware of the growing number of vulnerabilities affecting their websites, many are content with the "I have never been hacked, so why should I care?" philosophy. To this line of thinking, I rebut with "All it takes is once".

If you hold customer information, you have an obligation to be proactive in plugging the holes in your portal. If you lose confidential client information even once, you lose much more than immediate revenue. You lose trust, and that affects future streams of revenue. Negative publicity spreads far faster than compliments. The only reason this will not bother you is if you are a one-man tea stall on a lonely road with no ambition whatsoever to grow. In that case, may I ask what you're doing online?

While following standards in secure web design will get you most of the way there, smarter people will inevitably find a way around them. Enter "penetration testing". HackVidhi's super smart team of programmers is standing by to get its hands dirty by "ethically hacking" your website before malicious hackers get the chance.

Penetration testing is not typically a scripted model. There are no clear steps 1, 2 and 3 to follow. It's a skill learned over many hours of reading, experimenting and, you guessed it, ethically hacking websites. To boot, you cannot ethically hack a website well without first understanding how websites are built. Consequently, this team is already well versed in web design and can school your web design team on establishing best practices and checkpoints for secure design.

If this has caught your attention and you have another 2 minutes before those Pop-Tarts pop in your microwave, go to http://hackvidhi.com/PenTesting.php for a pictorial overview of our services and send us an email for a free first round of penetration testing. You are under no obligation to continue: you get a free report outlining the first few issues found (if any), and you come away with a better idea of how your web design will hold up to intrusions. If you do see value in our services, we will contract with you for periodic penetration testing and function as an extension of your current development and test team. Our paid services can also serve as part of your audit needs, to show that you are taking the necessary steps to protect your private data and that of your clients.

If you have any questions or want to get started, simply send us a quick email at contactus@hackvidhi.com

Monday, May 13, 2013

In-house Penetration Testing vs Outsourced Penetration Testing

For the management of a company with an online presence, web security is a big concern nowadays. Pen-testing is a way of finding security loopholes in a website. From the management point of view, the biggest question about pen-testing is:

Shall we build our own in-house pen-testing team, or shall we outsource the testing? Is it worth developing an in-house pen-testing team?

We at HACKViDHI strongly recommend that you outsource pen-testing work instead of building your own pen-testing team. The following points explain why, comparing the in-house and outsourced options on each count:



Frequency of full penetration testing cycles
In-house: Penetration testing is often not needed as frequently as functional testing. A simple bug fix might need a complete round of functional testing, while the same bug fix might not need a complete penetration testing cycle. Having an in-house penetration testing team can therefore be overkill, as the team will only be needed from time to time.
Outsourced: You engage the vendor only when a test is actually needed, which reduces the cost.

Penetration testing toolkit
In-house: Penetration testing combines automated tools with manual effort. An in-house team needs to buy or develop all of those tools and software before it can proceed, which means investing a significant amount of time and money to prepare the toolkit.
Outsourced: The vendor should already have the required toolkit. Since they reuse it across all their clients, they will charge you less than it would cost you to prepare the same kit yourself. This again reduces the cost of pen-testing.

Experience does matter
In-house: An in-house penetration testing team tends to know only the issues found in previous releases of its own website; with such limited exposure it has little idea of what other issues are prevalent on other websites. This can lead to overlooking an important vulnerability while giving extra attention to the vulnerabilities found in the last release.
Outsourced: The vendor has exposure to many types of security issues because it tests many different kinds of websites, so it knows the current hot issues and the latest tools and technologies. This leads to higher-quality results, with the emphasis placed on the right kinds of issues.

Learning new attack dimensions: training cost
In-house: Penetration testing is a continuously evolving field, with new threat vectors discovered every day. An in-house team needs to keep up with every advance in web security, which means continuous training and learning resources, and that requires a significant investment.
Outsourced: Training is costly for the vendor too, but the vendor applies the knowledge gained to multiple clients, so its cost estimates spread the training charges across all of them. For you, this is again a cost saving.

If you are in the e-commerce domain, or are associated with online business in any manner, it is imperative that you make sure your business's and your customers' information is in safe hands. With HACKViDHI penetration testing services, you can find out the vulnerabilities of your online business and, with our consultation, work towards fixing them so that your business and customer information is not exposed.

To know more, contact us by emailing contactus@hackvidhi.com or visit our website at http://www.hackvidhi.com for a free trial, and we will get back to you.



-Archana


Top Web Security Threats

Here is our presentation on the top security threats in the field of web application development:

The presentation also discusses the impact on a website if any of those threats is exploited. It does not cover the technical details of the threats; it focuses on business impact.


-Archana