1 – New Application Frameworks
Ethical hackers should be well versed in Node.js when testing an application built on it. While the traditional web application attack vectors remain the same, there are several critical caveats every pen-tester should be aware of. More information about Node.js can be found at the project website: http://nodejs.org/ A good starting point for Node application security is the Node Security Project.
2 – Preventative Measures
Professional ethical hackers should understand the full implications of Content Security Policy (CSP). Some may choose to recommend such policies as part of a vulnerability assessment; at a minimum, those conducting the assessment should understand them. In addition to CSP, HSTS and X-Frame-Options also deserve strong consideration.
3 – NoSQL
NoSQL databases are simple and fast data stores that remove the traditional constraints of relational databases. This less structured model favors speed and scalability over complex relational models. As a result, NoSQL has flourished in big data industries and is still growing in smaller applications. NoSQL provides little in terms of security at the database level and relies greatly on security at the application level.
4 – Expanding HTML5
HTML5 extensions are under active development and introduce a constant expansion of security concerns. Even the core HTML5 specifications, which include extensions such as local storage, WebSockets, and CORS, are not always well understood by security professionals. At the time of this writing, many popular security tools do not yet support interaction with WebSockets. This leaves a strong possibility that vulnerabilities nested within these technologies will go undiscovered by novice security testers. Ethical hackers must devote significant time to researching these technologies and understanding the full range of security implications each one carries.
A list of some draft extensions can be found at the following URL: http://www.w3.org/html/wg/wiki/ExtensionSpecifications
5 – Bug Bounties
Large organizations with applications that face intense public exposure may benefit from running a bug bounty program. These programs reward independent security researchers for finding vulnerabilities on an individual basis. By offering a reward for each vulnerability found, they create a much greater incentive to responsibly disclose vulnerabilities rather than exploiting them for profit. These programs have already seen great success with large organizations such as Google, Twitter, Facebook, and now Yahoo!
One new company, Bugcrowd, has brought this testing model to companies that may not have the resources to run such programs themselves. This type of security testing model can be difficult to manage and may generate significant false positives from less skilled ethical hackers. By providing vulnerability verification and payment services, Bugcrowd allows much smaller organizations to benefit from this type of testing.