Excerpt from: Web Application Security Insights
June 06, 2008

Observations from SANS App Security and Pen Testing Summit

The SANS App Security and Pen Testing Summit was held in Las Vegas on June 2 and 3. As usual, it was a very well-organized event with a lot of good content. About 150+ enthusiastic attendees came to Sin City, representing various sectors and companies. There were many useful panels with vendors like Breach, Cenzic, Core, HP, and Whitehat, along with expert and user panels consisting of InfoSec, Development, and Q.A. professionals. Here are some of my high-level observations:

Confusion Between Vulnerability Assessment and Pen Testing

The summit was divided into two separate sessions: Web Application Security and Pen Testing. Although the haze seems to be clearing, there's still a lot of confusion about the difference between vulnerability assessment (or management) and pen testing. Some of the solutions out there overlap in these two areas. The simplest way I could explain the difference on my panel (pen testing) was that vulnerability assessment looks for all vulnerabilities in your applications, whereas pen testing is looking to exploit a vulnerability.

More Awareness Needed Around Application Security

There is still a lot more awareness required around application security. Many companies at the summit are doing nothing, or just the bare minimum, to secure their applications. The good news is that these people were there to learn more and find out what they should be doing. And that's a great first step.

WAFs Debate

Debate continues on the role of Web Application Firewalls (or WAFs, as they are fondly called) vis-à-vis Web application assessment solutions. With the PCI 6.6 deadline looming, and the confusion around what organizations need to do, the debate was timely. I think the general agreement was that you need both. You need to find vulnerabilities by using a software solution, manual testing, or a SaaS player. Once you find vulnerabilities, there's no way you can fix them all in a short timeframe. So, how do you protect yourself? A WAF can play an important role in that case. One of the critical issues is the investment required to configure a WAF so that it doesn't block good traffic, so find the right solution: one that doesn't have latency issues and is easy to configure.

As I pointed out on my panel, while testing early in the SDLC is important, it's critical to test all your Web applications, including the ones that are already deployed and in production. Otherwise, it's like doing partial heart surgery.

Finally, it was refreshing to see all the competing vendors discussing and debating the topics in a professional and elegant way.  Without Malice.  As it should be.

by
Mandeep Khera
Mandeep@cenzic.com