Why was it that my credit card was disabled while I was on vacation, only for me to come home to a generic letter from my bank stating that “some data loss has occurred” and that “for security reasons, a new credit card has been issued”?
The banking app I was using, in one way or another, was probably owned, which resulted in financial loss for my bank, as well as a significantly less enjoyable vacation for yours truly. Other potential scenarios:
You log into your bank account, and all of your money is gone; the app used to access your financial assets was owned.
You’ve noticed a sudden loss in clients, and a sharp gain in the success of one of your closest competitors; the app containing all your intellectual property and sales information was owned.
Your personal blog has become blacklisted by numerous antivirus software suites as an unsafe page; the app hosting your blog was owned.
But how, you ask? Many vendors of apps that you use every day pay top dollar for application security assessments from some of the brightest minds in the industry, so you’d expect that the security within these apps would be locked down tighter than the grease in your oven. So why is it that we continue to see (or feel) the pain of application compromises in the news and in our own lives?
In short, even some of the “best” in the security industry sometimes slip and fall when it comes to performing application security assessments. Assessing an application, in some ways, can be more of an art than a science. While many apps use common frameworks and technologies, all apps are, by nature, unique. Running automated scanning tools, while useful, is simply not enough; unless the distinguishing features of each app are taken into account during testing, the assessment will not be complete.
In order to perform a true security assessment of an application, one must fully understand how the application is, and more importantly isn’t, supposed to work. While many consultants may take a more blind approach in an attempt to simulate a “realistic” attack scenario, they are essentially cutting off their own hands; this would be analogous to a car mechanic trying to check your engine with the hood closed. To make the most efficient use of the consultant’s time that the app owner has paid for, it’s critical to take a white box, or open view, approach to the assessment, to ensure the consultant can understand the unique qualities of the application and focus their efforts in key areas. What key areas? Well, that’s the whole point; it depends on the application.
Each application assessment should begin by gathering information surrounding the application. NetSPI then goes a step further by walking through this information and reviewing, step by step, the functionality and intended purpose of the application with a “master” user, typically a developer or application lead. Through this master-apprentice model of learning, NetSPI is able to quickly gain knowledge of the intricacies of the application, as well as conduct an active conversation with the client to develop a test plan which focuses testing efforts on areas that would otherwise have been missed. Due to limited time and budgets, no test will run forever, so it’s critical to understand and focus testing on areas of the app that most significantly impact the underlying business processes.
So every day when you log in to your bank account and the cash is still there, when another business day goes by without any blips, and when Uncle Frank and Aunt Marsha can still access your blog to see pictures of the kids without the old AV’s bells and whistles exploding, we can rest assured that somewhere, somehow, the app’s security has been verified through a true assessment… and if not? Well, we can at least know the bad guys haven’t cracked it yet. Or, uh, at least they haven’t targeted you yet.