Sorting through the compliance alphabet soup
Awareness of web application security and the consequences of potential breaches is growing, and that’s a good thing. Customers, business partners, management, and regulators all want to know if your applications are secure – but how do you demonstrate this? To establish a common baseline, various organizations have created their own information security checklists. These vary in scope and purpose, from best-practice web vulnerability classifications to comprehensive guidelines for high-risk industries like payment processing.
Invicti provides a rich set of built-in checks and reports that cover web vulnerabilities relevant to the most popular classifications. The following compliance reports are currently available out-of-the-box:
- AppSec best practices: SANS Top 25, OWASP Top 10, OWASP API Top 10, WASC Threat Classification, OWASP ASVS 4.0
- Regulatory compliance: ISO 27001, PCI DSS, HIPAA
- Federal government requirements: NIST SP 800-53, DISA STIG
All these are discussed in detail below, but before diving in, let’s take a quick look at the practical side and the whole purpose of compliance reporting in application security testing.
Getting the best out of predefined compliance reports
More than anything else, security standards and classifications provide a common language for talking about web application security. For example, instead of listing all the data security procedures they follow, organizations can simply say they are PCI DSS or HIPAA compliant. Likewise, customers evaluating web application vendors might ask about OWASP Top 10 compliance instead of listing all the major vulnerabilities that vendors are expected to test for and prevent.
Having predefined compliance reports in Invicti is a real time-saver and eliminates the need to manually find and configure all the required checks and reports. For PCI DSS, you can even run an Approved Scanning Vendor (ASV) scan with just a few clicks and obtain an officially recognized scan report without separately engaging an ASV. Built-in reports also help to ensure that you are always following the current versions of common industry standards.
One thing to keep in mind is that, by their very nature, compliance reports only cover a limited subset of the many hundreds of security checks provided by Invicti, so being compliant is not always the same as being secure. For example, if you generate an OWASP Top 10 report from a scan, it is possible that you will see no issues in that specific report, even if the scan finds many other vulnerabilities not covered by the OWASP Top 10. For this reason, the built-in reports are best treated as a baseline and a starting point for defining customized scan policies to optimize vulnerability scanning.
Security best practice compliance reports
Probably the most popular and widely recognized reports relate to accepted industry best practices around application security testing, most notably those defined by OWASP. In the context of web vulnerability testing, compliance with such classifications means that you are testing for all the major vulnerabilities, which (if combined with remediation and prevention) gives you a solid application security baseline. Note that many categories in best-practice documents don’t directly apply to automated security testing, so the built-in reports in Invicti only cover the subset relevant to vulnerabilities.
OWASP Top 10, OWASP API Top 10, OWASP ASVS 4.0
The Open Web Application Security Project (OWASP) maintains and periodically updates many security classifications and guidelines, including top 10 lists and proposed industry standards. Invicti includes reports for three of these:
- OWASP Top 10: A list of the ten most critical classes of web application security risks. It is not an official standard or even a detailed specification but rather an awareness document that provides a yardstick for secure development. The OWASP Top 10 was most recently updated in 2021, and this report version is available in Invicti alongside reports for the 2013 and 2017 editions.
Learn how to generate OWASP Top 10 reports in Invicti
- OWASP API Top 10: Web APIs are a fundamental building block of modern software and the gatekeepers of the world’s data, which makes web API security a crucial consideration. While many of the OWASP Top 10 security risks also apply to APIs, OWASP has put together a separate classification of API-specific weaknesses.
Learn how to generate OWASP API Top 10 reports in Invicti
- OWASP ASVS 4.0: Top ten lists and similar classifications can be treated as general web security guidelines but are not designed as comprehensive standards. The Application Security Verification Standard was developed by OWASP as a rigorous and clearly defined security checklist to help in the design, development, and maintenance of secure web applications.
Learn how to generate OWASP ASVS 4.0 reports in Invicti
SANS Top 25
The Common Weakness Enumeration (CWE) is a MITRE-maintained catalog of software and hardware weakness types. Drawing on CWE data, the CWE/SANS Top 25 (now published by MITRE as the CWE Top 25 Most Dangerous Software Weaknesses) lists the most common and dangerous software errors. Note that while the OWASP Top 10 also maps its categories to CWEs, the Top 25 applies to software security in general, not only to web applications; several of its entries, such as out-of-bounds writes, have no direct web equivalent. The SANS Top 25 report in Invicti covers the web vulnerabilities that correspond to the listed weaknesses.
Learn how to generate SANS Top 25 reports in Invicti
WASC Threat Classification
Though less prominent than OWASP, the Web Application Security Consortium (WASC) has been developing its own classification of web risks for over a decade. The WASC Threat Classification enumerates both attacks (such as SQL injection) and weaknesses (such as insufficient authentication), making it another useful way to approach web application security.
Learn how to generate WASC Threat Classification reports in Invicti
Regulatory compliance reports
Three sets of information security requirements that matter for many companies are PCI DSS (for organizations that handle payment card data), ISO 27001, and HIPAA. Invicti comes with built-in reports covering vulnerabilities relevant to these requirements to give you a head start in preparing for a formal assessment or certification. For PCI DSS, you also have the option of getting a full ASV scan report.
PCI DSS
Developed by the PCI Security Standards Council, the Payment Card Industry Data Security Standard (PCI DSS) defines 12 requirements for any organization that stores, processes, or transmits payment card data, including web applications that take card payments. Compliance is mandated by the card brands for merchants and payment processors and is the de facto security standard for the e-commerce industry.
All versions of Invicti include general PCI DSS compliance reports alongside other reporting options. These can help to identify problem areas and remedy issues, but they are not official documents and do not certify compliance. However, Invicti also works with a PCI Approved Scanning Vendor (ASV) to give Invicti users the option of running a dedicated PCI DSS scan and getting an officially approved ASV scan report. To do this, select the dedicated PCI scan option (this is different from a regular PCI scan profile) and, once the scan successfully completes, choose one of the available reports. Keep in mind that a passing ASV scan satisfies only the external vulnerability scanning requirement of PCI DSS (Requirement 11); the remaining requirements still have to be assessed separately, for example through a Self-Assessment Questionnaire or an on-site assessment by a Qualified Security Assessor.
Learn how to generate PCI DSS compliance reports in Invicti
The approved PCI scan feature is only available for Invicti Enterprise on-demand and for websites with the agent mode set to Cloud.
ISO 27001
The ISO 27001 standard specifies requirements for an information security management system (ISMS): the policies, processes, and controls an organization uses to establish, operate, monitor, and improve its information security. Certification against ISO 27001 is widely used to demonstrate that an organization manages confidential data safely, including financial information, intellectual property, and personal information.
Invicti includes an ISO 27001 compliance report that covers vulnerabilities relevant to information security management. While this report is for information only and does not by itself certify ISO 27001 compliance (certification requires an audit by an accredited certification body), it is a useful starting point on the road to getting certified.
Learn how to generate ISO 27001 compliance reports in Invicti
HIPAA
Healthcare organizations in the US are subject to the Health Insurance Portability and Accountability Act (HIPAA), whose Privacy and Security Rules set requirements for protecting patient health information, including electronic protected health information (ePHI) stored and processed by healthcare providers, health plans, and their business associates. With medical organizations now a major target for cybercriminals, HIPAA compliance is vital not only to avoid fines but also to protect patient data and prevent costly breaches and downtime.
Invicti comes with a built-in HIPAA compliance report. Again, note that this report is for information only. There is no official HIPAA certification issued by the US Department of Health and Human Services; compliance is demonstrated through risk analysis, documented safeguards, and audits, and the report helps organizations identify and mitigate web application issues as part of that process.
Learn how to generate HIPAA compliance reports in Invicti
Federal government compliance reports
US federal agencies and companies dealing with them are subject to a wealth of information security regulations and requirements. Invicti’s built-in compliance reports include NIST SP 800-53 as a general security benchmark and DISA STIG specifically for DoD requirements.
NIST SP 800-53
Among its many standards and guidelines, the National Institute of Standards and Technology (NIST) publishes Special Publication 800-53, a catalog of security and privacy controls for federal information systems and organizations. Federal agencies are required to select controls from it under FISMA, and it underpins many of the security requirements that flow down to contractors and service providers working with US federal agencies (for example, the control baselines used in FedRAMP). The NIST SP 800-53 report in Invicti covers web vulnerabilities that map to controls within the scope of this publication.
Learn how to generate NIST SP 800-53 reports in Invicti
DISA STIG
The Defense Information Systems Agency (DISA) under the US Department of Defense publishes Security Technical Implementation Guides (STIGs). Through STIGs, DISA defines and maintains configuration and security standards for systems and networks that connect to DoD networks. While many different STIGs exist for specific products and purposes (the Application Security and Development STIG is the one most relevant to web applications), Invicti provides a general DISA STIG report that covers web vulnerabilities within the scope of DISA requirements.
Learn how to generate DISA STIG reports in Invicti
All compliance reports are not created equal
To round out this overview, there is one final thing to keep in mind when talking about any assurances for web vulnerability testing. You can confirm or even certify that you ran all the checks in the book, but the resulting level of security will always be dependent on the methods used. For example, saying your web application is compliant with OWASP Top 10 simply means: “We know about cross-site scripting, SQL injection, and all the other vulnerability classes that fall under the OWASP Top 10, and we’ve tested for them”. Which is great but says nothing about the methods you used, the quality of testing, the effectiveness of remediation, and so on.
The elephant in the room for web security testing is that, for any sizable application, you can never truly prove that no vulnerabilities exist. You can have all the compliance approvals in the world and still get hacked because something was not found in testing or a new vulnerability has been discovered since the last test. Compliance reports are a great starting point and provide a common language for web security discussions, but in the end, the security and reputation of your company depend on the quality and accuracy of vulnerability testing and remediation, not on the checklists you use.
With Invicti specifically, your compliance reports are backed by provable accuracy, industry-leading security checks and test coverage, and deep SDLC integration complete with remediation guidance and automatic fix retesting. So next time somebody asks you about OWASP, SANS, or any other type of compliance for your web applications, go right ahead and send them the compliance reports – but make sure you also tell them you use Invicti products for application security testing. That will mean a lot more than yet another compliance stamp.