The importance of testing “less critical” web systems

When it comes to security oversight, I’m a big proponent of focusing on the things that matter. These are your highest payoff areas – otherwise known as your most urgent vulnerabilities on your most important systems. I learned this concept while studying time management and I found that it applies to so many other things in life and business. This approach is essentially the Pareto principle or 80/20 rule. The 80/20 rule shows that by focusing on the relatively small number of items that are creating most of your risks, you ensure that your time, money, and effort are properly invested. 

So, what does this have to do with application security? Everything! Many people are focused on testing and securing their core websites and applications, which is a good thing. However, challenges start to emerge when all the focus is on these seemingly most important systems to the detriment of everything else. Many people are quick to say that lower priority web systems such as marketing sites, microsites, and even test and staging systems don’t have anything of consequence and, therefore, don’t need to be tested. But they do… at least some of the time.

The reason why it’s so important to test these less critical web systems is that they often have big vulnerabilities. With big vulnerabilities come big consequences regardless of the system being exploited. In testing a myriad of low-value systems in my work, I often come across flaws rated as critical or high such as:

• Missing OS, web server, and application patches
• SQL injection
• Cross-site scripting
• User account enumeration
• Weak passwords 

These are a big deal because they can do one of four things:

1. Provide unauthorized remote access to network or cloud environments
2. Facilitate the spreading of malware or other client-side exploits
3. Put sensitive information at risk
4. Create intangible risks to the business’s reputation

I’m often asked to skip these less critical systems when I’m scoping web vulnerability and penetration testing projects but I do my best to convince my clients not to. And it almost always pays off in terms of finding something big. Not because I’m that good – I just use good tools and know where to look to find the big items. 

Even if you just test your less critical web systems once per quarter or a couple of times a year, you’re going to set yourself and your business up for success. I stand by the importance of focusing on your highest payoff tasks in security. Still, knowing what we now know about web security, there’s no reason to not test all your systems… eventually, especially those that are public-facing. There’s too much to lose and too much risk in it all making you look bad. Often all that’s needed is a simple scan to find the low-hanging fruit.