What are the most significant challenges involved in auditing website security today?
The challenges that an organization faces when auditing the security of their website are significant to say the least.
To start with, it is a tough task to find the right people for the job. Web security requires a different set of skills. While there are many who claim that they are proficient in IT security, they are often only referring to network security, which is a different kind of beast.
A web security auditor needs to keep up to date with new web technologies, including updates to HTML, PHP and .NET, new web components that ease development, such as Node.js, updates to CMS and blogging software including WordPress, Drupal and Joomla, and updates to the web servers hosting the web applications.
While new web technology updates are always welcome, since they generally bring in new functionality and ease the development work, they often also introduce a new set of web threats. In addition to that, vulnerabilities are also often found within existing components. Heartbleed is a very good recent example, since it illustrates both scenarios. The bug was introduced as part of an update to OpenSSL, a library that was used in two thirds of all web servers and had been providing SSL functionality since 1998.
In addition, keeping up with and conforming to the various compliance regulations is a very demanding task. Apart from the fact that compliance documents are often written in legal jargon, which can be open to interpretation, they are often seen as promising more benefits than they can actually deliver. Various large, compliant corporations have had their sites hacked too, leaving one to contemplate the regulations' effectiveness.
Finally, website security should ideally be part of the design of the site; however, this rarely happens. Since most of the development work focuses on implementing 'cool' features, there is generally little time and budget left to secure the site before going live. There is always going to be a compromise between functionality and security, and unfortunately, a trendy site often takes precedence over a secure one.
What are the pros and cons of using remote vs. in-house security testing?
Remote testing ostensibly allows one to offload the responsibility and liability to third parties to some extent, but does it really? A business is always liable to its customers anyhow. It does, however, benefit from the expertise of the service provider, which is difficult to match in-house, especially for SMBs.
In-house testing requires building up internal capability, with its inherent costs, but is it the best way to go? In-house security testing is usually a more active approach and therefore allows a better understanding of the company's infrastructure.
Generally speaking, hosted security testing solutions are easier to use and require the web application to be accessible from the internet. On the other hand, on-premise solutions provide more control over the security testing parameters and are more flexible regarding the location of the test environment.