False Sense of Security
Are your security scans getting the coverage you need?
One of my posts on Application Security and Penetration Testing
This topic came to me by way of a recent penetration test. I faced a myriad of issues trying to scan a customer environment for the very basic security flaws that scanners tend to find. We always go beyond that to dive deeper into architecture and assess attack paths. But basic scanning is a solid place to start.
In this case, my scanner got repeatedly locked out almost immediately. Our contract and proposal state that for the best coverage and fastest results, clients should turn off rate-limiting tools for our IP addresses, as well as things that auto-block based on activity. That way 2nd Sight Lab can quickly and thoroughly scan for many known vulnerabilities. In this case, something on one of the sites was automatically locking out the account repeatedly.
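As an added illustration (not from the original post, nor 2nd Sight Lab's own configuration) of the kind of scoped exemption that proposal asks for: an nginx rate limit that skips an authorized tester's source address while still throttling everyone else, and logs which requests were exempt. The address 192.0.2.10, the hostname and the upstream are placeholders.

```nginx
# Constructed example for an nginx http{} context. Replace 192.0.2.10 (a TEST-NET-1
# placeholder) with the tester addresses named in the engagement contract.

# Flag authorized scanner sources; every other client gets 0.
geo $pentest_exempt {
    default     0;
    192.0.2.10  1;   # placeholder: authorized scanner IP from the contract
}

# limit_req never counts requests whose key is empty, so exempt clients map to "".
map $pentest_exempt $ratelimit_key {
    0 $binary_remote_addr;
    1 "";
}

limit_req_zone $ratelimit_key zone=per_ip:10m rate=10r/s;

# Record the exemption decision so bypassed requests are auditable afterwards.
log_format pentest '$remote_addr exempt=$pentest_exempt "$request" $status';

server {
    listen 80;
    server_name example.com;                    # placeholder hostname
    access_log /var/log/nginx/access.log pentest;

    location / {
        limit_req zone=per_ip burst=20 nodelay;  # still applies to non-exempt clients
        proxy_pass http://127.0.0.1:8080;        # placeholder upstream
    }
}
```

Remove the geo entry when the engagement window closes; the exempt=1 field in the access log shows exactly which requests bypassed the limit.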
Any experienced penetration tester will tell you there are ways around these types of auto-blocking tactics. They are excellent security controls for weeding out the script kiddies scanning the web with automated tools they pulled down from GitHub and are spewing across the entire Internet indiscriminately. So I’m not suggesting…