“So What?” — Telling the Business Story of Security Vulnerabilities

Contextualizing Security Vulnerabilities

As a former penetration tester turned product-focused security professional, one of the most important things I’ve realized is that translating security risk into business impact is crucial to making your work resonate. Oftentimes, the buyer of whatever security offering you’re selling will not care about the granular details of the vulnerabilities your tool or service is able to uncover. For security analysts on the front line, contextualizing the “so what?” for the buyer will help build trust and leave a lasting impression.

Stepping into the world of web application security, let’s take a look at some of my favorite vulnerabilities to test for and how each can be succinctly translated for an executive. For these examples, I’ll assume we’re working with a banking client.

SQL Injection

The Technical Story

“I came across functionality within your website that looked to be housed on top of a back-end data store. I crafted SQL injection payloads that returned metadata pertaining to the back-end database in the HTTP response body. I then used the technology disclosure to enhance my payloads and enumerate database columns, ultimately extracting and viewing data pertaining to client accounts that I am not provisioned to see.”

The Business Impact

“Your website is vulnerable to SQL injection, which means I can manipulate the database that stores the banking accounts you manage. If news were to break that attackers can extract sensitive client information with a few clicks, you’ll ruin the trust you’ve built, and they’ll look to take their business elsewhere. Fewer clients means less revenue, which means less profit.”
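The technical story above is easiest to back up in a findings report when the developer can see the defect next to its fix. The following is an added example, not code from the article or from any client engagement: a constructed in-memory SQLite “bank” with three accounts, an account lookup that pastes the caller’s input into the SQL string (the pattern behind the finding), and the same lookup done with a parameterised query. The table, account numbers and balances are made up for the demo.

```python
import sqlite3

# Constructed sample data: a tiny "bank" with three client accounts.
SAMPLE_ACCOUNTS = [
    ("alice", "ACC-1001", 2500.00),
    ("bob", "ACC-1002", 910.50),
    ("carol", "ACC-1003", 17300.25),
]


def make_db():
    """Build an in-memory SQLite database seeded with the constructed accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (owner TEXT, number TEXT, balance REAL)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?)", SAMPLE_ACCOUNTS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, owner):
    """The 'before': the caller's input is interpolated straight into the SQL text.
    A quote character in `owner` terminates the string literal, so the rest of the
    input is parsed as SQL and can change what the WHERE clause means."""
    sql = f"SELECT owner, number, balance FROM accounts WHERE owner = '{owner}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, owner):
    """The fix: a parameterised query. The SQL text and the value travel separately,
    so the value is only ever compared as data and can never be parsed as SQL."""
    sql = "SELECT owner, number, balance FROM accounts WHERE owner = ?"
    return conn.execute(sql, (owner,)).fetchall()


def demo():
    """Return (rows leaked by the vulnerable lookup, rows returned by the safe one)
    for a textbook tautology input. In the vulnerable version the input's quote
    closes the literal and the template's own closing quote completes '1'='1',
    so the condition is true for every row. The safe version looks for an owner
    literally named after the whole input and finds none."""
    conn = make_db()
    tautology = "alice' OR '1'='1"
    leaked = lookup_vulnerable(conn, tautology)
    contained = lookup_safe(conn, tautology)
    return len(leaked), len(contained)


if __name__ == "__main__":
    print(demo())  # (3, 0): every account leaks from the vulnerable lookup, none from the safe one
```

The executive version of this block is the business-impact paragraph above; the developer version is the one-line diff from `lookup_vulnerable` to `lookup_safe`. Parameterised queries are the primary control; least-privilege database accounts (the web tier should not be able to read every client’s row in the first place) limit the blast radius when a query slips through.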

Cross-Site Scripting (XSS)

The Technical Story

“I came across functionality within your website that appears to render unsanitized payloads in the HTTP response body. The page is rendered in HTML, so I injected an XSS payload by closing an open script tag, opening a new one, and including JavaScript that steals the user’s session token. This proves that an attacker can embed malicious JavaScript into the application by taking advantage of missing input sanitization and/or output encoding.”

The Business Impact

“Your website is vulnerable to Cross-Site Scripting, which means I can make your users do things they weren’t intending to. With one click, attackers can redirect them to a site of their choice, steal their username/password, or deface your website entirely. If a successful attack is carried out, you’ll likely be in the news, and your users will lose trust in you quickly. Aside from the reputational impact on prospective clients, your current clients will think twice before using your website again, which could lead to lost business.”
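The fix the technical story points at is output encoding for the context the value lands in. Here is an added example (mine, not the article’s) that renders a constructed “welcome back” banner two ways: once by dropping the user-supplied display name straight into the HTML, once after HTML-encoding it with Python’s standard `html.escape`. The `contains_live_script` helper is a deliberately crude check used only to make the difference visible; the placeholder payload calls a made-up `evil()` function rather than doing anything.

```python
import html
import re

# Constructed sample: a banner that echoes the user's display name into element text.
TEMPLATE = "<p>Welcome back, {name}!</p>"


def render_vulnerable(name):
    """The 'before': the raw value is substituted into the HTML, so any markup in
    the value becomes part of the page. That is exactly what reflected XSS relies on."""
    return TEMPLATE.format(name=name)


def render_safe(name):
    """The fix for element-text context: HTML-encode the value. '<', '>', '&' and
    quotes become entities, which the browser displays as text and never parses as tags."""
    return TEMPLATE.format(name=html.escape(name, quote=True))


SCRIPT_TAG = re.compile(r"<\s*script\b", re.IGNORECASE)


def contains_live_script(rendered):
    """Crude visibility check: is there an actual <script> start tag in the output
    (as opposed to the harmless text '&lt;script')? Not a sanitizer; demo only."""
    return SCRIPT_TAG.search(rendered) is not None


def demo():
    """Return (vulnerable rendering has a live script tag, safe rendering has one)
    for a constructed payload that closes the paragraph and opens a script element."""
    payload = "</p><script>evil()</script><p>"  # evil() is a placeholder, not real code
    return (
        contains_live_script(render_vulnerable(payload)),
        contains_live_script(render_safe(payload)),
    )


if __name__ == "__main__":
    print(render_vulnerable("</p><script>evil()</script><p>"))
    print(render_safe("</p><script>evil()</script><p>"))
    print(demo())  # (True, False)
```

One caveat worth putting in the report: `html.escape` is the right encoder only for element text and quoted attribute values. A value that lands inside a JavaScript string, a URL, or a CSS property needs that context’s encoder instead, which is why template engines with context-aware auto-escaping beat hand-rolled calls. A `Content-Security-Policy` that disallows inline script is the second layer, not a replacement for encoding.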

Clickjacking

The Technical Story

“Your website does not set the X-Frame-Options header in its HTTP response. I was able to render your website inside an HTML frame or iframe tag and steal the clicks of users. Even worse, I was able to do so on the login page and implement a keystroke logger, allowing me to capture the victim’s keystrokes when they entered their username and password.”

The Business Impact

“Your website is vulnerable to clickjacking, which means users’ clicks and keystrokes can be easily captured by an attacker. If an attacker set up a spoofing site, he/she could make it look exactly like yours on the surface and steal the clicks and keystrokes of your clients. If your client entered his/her username and password on a spoofed login page, the attacker would gain possession and could theoretically log in to your real website as your client. Your client would be upset if this happened, and you’ll likely lose their business.”
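The clickjacking finding comes down to response headers, which makes it the easiest of the three to turn into a repeatable check. The following is an added example, not code from the article: a small classifier that takes a response’s headers (four constructed header sets stand in for scanned pages) and reports whether framing is blocked, plus a helper that sets the hardening headers on an outgoing response. It recognises `X-Frame-Options` `DENY`/`SAMEORIGIN` and the `Content-Security-Policy` `frame-ancestors` directive, and treats the obsolete `ALLOW-FROM` form as unprotected because current browsers ignore it.

```python
# Constructed sample responses: header dicts as a scanner would record them.
SAMPLE_RESPONSES = {
    "login-unprotected": {"Content-Type": "text/html"},
    "login-xfo": {"Content-Type": "text/html", "X-Frame-Options": "DENY"},
    "login-csp": {
        "Content-Type": "text/html",
        "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    },
    "login-weak-xfo": {"X-Frame-Options": "ALLOW-FROM https://partner.example"},
}


def _header(headers, name):
    """Case-insensitive lookup, since HTTP header names are case-insensitive."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def frame_ancestors(csp):
    """Return the source list of the CSP frame-ancestors directive, or None if absent."""
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return parts[1:]
    return None


def framing_protection(headers):
    """Classify a response's anti-framing posture as a short verdict string.
    CSP frame-ancestors is the current control and, where present, overrides
    X-Frame-Options in browsers; X-Frame-Options DENY/SAMEORIGIN is the legacy fallback."""
    csp = _header(headers, "Content-Security-Policy")
    if csp:
        ancestors = frame_ancestors(csp)
        if ancestors is not None:
            if [a.lower() for a in ancestors] == ["'none'"]:
                return "protected: CSP frame-ancestors 'none'"
            return "restricted: CSP frame-ancestors " + " ".join(ancestors)
    xfo = _header(headers, "X-Frame-Options")
    if xfo and xfo.strip().upper() in ("DENY", "SAMEORIGIN"):
        return "protected: X-Frame-Options " + xfo.strip().upper()
    return "unprotected: no effective anti-framing header"


def add_framing_headers(headers):
    """Hardening helper: return a copy of the headers with both controls set.
    Assumes canonical header casing on write; lookups remain case-insensitive."""
    hardened = dict(headers)
    hardened["X-Frame-Options"] = "DENY"
    csp = _header(hardened, "Content-Security-Policy")
    if csp is None:
        hardened["Content-Security-Policy"] = "frame-ancestors 'none'"
    elif frame_ancestors(csp) is None:
        hardened["Content-Security-Policy"] = csp.rstrip("; ") + "; frame-ancestors 'none'"
    return hardened


def audit(responses=SAMPLE_RESPONSES):
    """Run the classifier over every recorded response and return name -> verdict."""
    return {name: framing_protection(h) for name, h in responses.items()}


if __name__ == "__main__":
    for name, verdict in audit().items():
        print(f"{name:20} {verdict}")
    print(framing_protection(add_framing_headers({"Content-Type": "text/html"})))
```

Running the audit over the constructed set flags `login-unprotected` and `login-weak-xfo`, which is the list you hand to the web team. For the business-impact conversation, the point is that the remediation is a one-line header change at the web server or framework level, so the cost of closing the finding is trivially small next to the cost described above.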

owasp penetration-testing ethical-hacking web-security cybersecurity
