24 04 2009
Why should we attack our own systems?
A web page that has not been attacked by the security team, developers or testers before going live can be considered insecure, because nobody knows how it behaves under attack. Unfortunately, there are many web pages that are not secure and have not even been tested with security in mind. If some of these web pages happen to be e-commerce sites, it is not hard to guess what kind of data about us an attacker may find in the system. How can we be sure that our systems are protected against attacks?
You can see here red dudes who are actively attacking the system that is developed and maintained by blue guys who believe their system is safe enough.
As I have found out, the best way to make systems safer is to try to attack them. Yeah, right, you write a system, put it up and then try to hack and attack it. If you have done something like this before you will be surprised how many hidden problems you can find.
I had some training once where we were on the side of the bad guys and we attacked different systems to get some data or gain control over the server or the system itself. It was a very good experience because I had never attacked anything under the guidance of a pro who knows a lot of stuff about security. I suggest this kind of training to you too – if you know how your enemy thinks and acts, you have a much better chance of winning the battle.
Of course, take these actions *BEFORE* going public, and also warn customers about the security tests so you don’t scare the s*it out of them.