Protect Your Assets

Looking Out and Looking In

rjhambrick 07-14-2014 08:30 AM - edited 09-28-2015 10:49 AM

As a Security Consultant on the Fortify On Demand Dynamic Test team, I spend a large amount of my time testing Internet-facing applications for our customers. A few of our customers also have our team test applications that live on their internal network. I applaud these customers, because doing so gives them the greatest level of application security for their assets.


You might ask, “Why test the internal applications?” Recently a customer of ours was asked this same question by executives in their organization, and the customer asked me to explain why. Here is how I responded:


The reasons to assess your internal sites are two-fold:

  1. To protect your organization from internal, employee-based threats
  2. To protect your organization from the inevitable external threat that gets into your internal organization

Unfortunately, it is a widely accepted security-industry figure that over half of all security breaches in an organization occur due to some type of internal employee action. Internal employee actions also include the actions of contractors acting as employees. The internal, employee-based threat has two parts to consider: deliberate actions by employees and unknowing actions by employees.


Deliberate actions by employees
An employee could ‘explore’ the network with a publicly available tool, or with the help of a reference book easily obtained from any book seller. The ‘exploring’ may be driven by simple curiosity or by malicious intent for any variety of reasons; corporate espionage and general employee dissatisfaction are two examples. Do you feel secure in the knowledge that your employees are happy corporate employees?


Attackers utilize unknowing actions by employees to gain access or information
Your employees may be subject to social engineering, may install malware from the Internet, or may take other actions that leave an exposure to an outside party (a computer in a public area that wasn’t locked while the employee took a break, for example). These unknowing or passive actions by your employees can lead to exposure to an external threat.


It should also be considered that external access to your organization’s internal applications and sites is inevitable. We hear of examples of this often in the news. These access breaches can result from deliberate attempts by aggressive adversaries to penetrate the organization’s internal network, or from the external exposure produced by the unknowing actions of your internal employees or agents.


Given that exposure of your organization’s internal sites and applications likely already exists, the question then becomes, “How secure are your internal applications and sites?” Whether via an internal deliberate threat, an external deliberate attack, or accidental exposure, the organization’s internal sites and applications are at risk. The question then evolves to, “What consideration is your company giving to lowering the risk to your internal sites and applications?”


We can see, with the recent breach of AT&T Mobile’s customer database, that trusted agents of AT&T with access to internal assets did in fact take deliberate action and compromised customer personal data. This is the most recent example of such a data breach. In an era of ever-increasing data exposure, internal network and application security review by a third party should be the norm, not the exception.


Robert Hambrick, CISSP
Security Consultant
HP Fortify on Demand


About HP Fortify on Demand

HP Fortify on Demand is a cloud-based application security solution. We perform multiple types of manual and automated security testing, including web assessments, mobile application assessments, thick client testing, ERP testing and more, and we do it both statically and dynamically, both in the cloud and on-premises.
