The new weakest links
By Joab Jackson
Web apps are rife with small vulnerabilities that can open the door to big trouble. Thinking like a hacker can help you find them.
Kevin Johnson doesn’t strike you as someone who could break into your network and wreak havoc with your organization’s data. He looks like a friendly guy, a jovial family man quick to crack a joke. But don’t be fooled. No matter how many precautions you take or how closely you monitor your equipment, he can get inside.
Luckily, Johnson, of the security consulting firm Intelguardians, is not a malicious hacker. He is a penetration tester, a security professional whom organizations pay to break into their networks to expose weaknesses. He always finds some.
Johnson is also an instructor at the SANS Institute, a cooperative research and education program that offers in-depth information security training to information technology professionals. For five days in January, Johnson led Security 542.1, “Web Application Pen-Testing In-Depth,” in New Orleans. There, in front of a class of 20 IT professionals, he walked through the process he uses to gain entry into a Web application and revealed some tricks, at least those not too sensitive to talk about. More important, he revealed the mind-set of the attacker.
It’s a mind-set all security professionals should know. If you think that Web application security is just something your Web development team should worry about, think again. Web applications are the weakest links in the enterprise today. They can actually be the first foothold in an attack on internal networks and systems, especially those systems with more sensitive data.
And the remedy involves more than patching all the systems and watching for vulnerabilities. It also involves knowing how an attacker thinks — how he or she will use anything to gain a foothold and, once in the enterprise, exploit that for further access.
“Usually it is very, very quick to find one major vulnerability,” Johns