The One Web Security Testing Oversight You Don’t Want to Miss
- Friday, February 24, 2012, 7:47
- Articles, Threat Research
As I’ve written before, scoping your Web security tests is not something to be taken lightly. Interestingly, there’s one aspect of Web security testing where I’m still seeing a big disconnect: the number of critical Web systems that are being dismissed (“That one’s going away soon.”) or overlooked (“Oh, yeah, I forgot about that one!”) and therefore aren’t being tested.
Whether you’re scoping Web security assessment for your own business or for your external clients, you’ve got to make sure that everything of significance is included in your projects. Even if you’re in charge of everything at a small shop, it’s easy for a system here or there to fly under the radar.
Some Web systems you can’t afford to not test include:
- Staging and development systems that are slightly outdated mirrors of production (and often process actual production data)
- Extranet/B2B systems
- Customer service sites
- Support portals
- Content management systems
- Websites and applications running on separate, non-standard domains
- Websites and applications hosted by third parties that you’re still in charge of
Just when you think you’re looking at all the right systems in all the right places, you’ll no doubt come across one or more that you either weren’t told about or have forgotten about.
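One practical way to catch both failure modes described above (systems dismissed because they are “going away soon” and systems simply forgotten) is to reconcile the asset inventory against the list of hosts an assessment actually covered. The script below is an added example, not code from the original article; the hostnames, categories and notes are constructed sample data, and the inventory format is an assumption for illustration.

```python
"""Scope-coverage check for Web security assessments.

Compares an inventory of Web systems the organisation is responsible for
against the hosts a test actually covered, and reports two gaps:
  * in-scope systems that were never tested (including ones marked
    "scheduled for decommission", which still process real data until they
    are actually gone), and
  * tested hosts that are missing from the inventory, i.e. systems nobody
    told you about that should be added to the inventory.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class WebAsset:
    host: str
    category: str      # e.g. "production", "staging", "extranet", "third-party-hosted"
    in_scope: bool     # organisation is still responsible for it
    note: str = ""     # context such as "scheduled for decommission"


# Constructed sample inventory (hypothetical hosts, not real systems)
INVENTORY = [
    WebAsset("www.example.test", "production", True),
    WebAsset("staging.example.test", "staging", True, "mirrors production data"),
    WebAsset("partners.example.test", "extranet", True),
    WebAsset("support.example.test", "support portal", True, "scheduled for decommission"),
    WebAsset("cms.example-other.test", "content management", True, "non-standard domain"),
    WebAsset("help.vendor-hosted.test", "third-party-hosted", True, "hosted by vendor, we own the content"),
    WebAsset("old.example.test", "retired", False, "decommissioned, DNS removed"),
]

# Constructed sample list of hosts the last assessment actually covered
TESTED_HOSTS = {"www.example.test", "partners.example.test", "dev.example.test"}


def _norm(host: str) -> str:
    """Normalise hostnames so trailing dots or case differences don't hide a match."""
    return host.strip().lower().rstrip(".")


def untested_assets(inventory, tested_hosts):
    """In-scope assets not covered by the test, sorted by category then host."""
    tested = {_norm(h) for h in tested_hosts}
    missing = [a for a in inventory if a.in_scope and _norm(a.host) not in tested]
    return sorted(missing, key=lambda a: (a.category, a.host))


def unknown_hosts(inventory, tested_hosts):
    """Tested hosts that appear in no inventory entry: candidates to add to the inventory."""
    known = {_norm(a.host) for a in inventory}
    return sorted(_norm(h) for h in tested_hosts if _norm(h) not in known)


def coverage_ratio(inventory, tested_hosts) -> float:
    """Fraction of in-scope assets that were tested (0.0 when nothing is in scope)."""
    in_scope = [a for a in inventory if a.in_scope]
    if not in_scope:
        return 0.0
    return (len(in_scope) - len(untested_assets(inventory, tested_hosts))) / len(in_scope)


def coverage_report(inventory, tested_hosts) -> str:
    """Human-readable summary suitable for a scoping meeting or a ticket."""
    missing = untested_assets(inventory, tested_hosts)
    unknown = unknown_hosts(inventory, tested_hosts)
    lines = [f"coverage: {coverage_ratio(inventory, tested_hosts):.0%} of in-scope systems tested"]
    for a in missing:
        flag = f" ({a.note})" if a.note else ""
        lines.append(f"  NOT TESTED [{a.category}] {a.host}{flag}")
    for h in unknown:
        lines.append(f"  NOT IN INVENTORY {h} (tested, but nobody listed it)")
    return "\n".join(lines)


if __name__ == "__main__":
    print(coverage_report(INVENTORY, TESTED_HOSTS))
```

Note that a decommission note is deliberately carried through as context rather than used as a reason to exclude the system: until the host is actually gone and out of the inventory (like `old.example.test` above), it stays in scope.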
Ensuring you’re including everything in your Web security testing projects is like ensuring (continue reading...)