Ferruh Mavituna on Enterprise Security Weekly #199
In a recent interview, Invicti founder Ferruh Mavituna talked to Paul Asadoorian and Matt Alderman about the web application security needs of modern enterprises. Watch the full interview below and read on for Ferruh’s practical advice on building an enterprise security program that brings measurable results from day one.
The Race to Secure Web Applications
The speed and ease of modern web application development combined with the many benefits of cloud-based software has left many enterprises struggling to keep track of all their web assets. The growth of sprawling web environments easily outpaces uncoordinated security efforts and large organizations often resort to securing only their business-critical web assets and hoping for the best for the hundreds if not thousands of websites and applications that remain.
To be effective, web application security needs to be accurate, efficient, and – above all – consistent. Where you start your security journey and what actions you take depends on the maturity of your security program. Enterprises that rush headlong into securing their web presence without a solid plan and the right tools are likely to waste a lot of time and money for very little gain.
Web application security is a constant race to secure web applications before they are compromised. Any organization that decides to sit it out risks data breaches and downtime with all their potentially crippling consequences. Even so, enterprises must learn to walk before they can run and a carefully considered start can bring far more benefit than a rushed deployment. Here are 5 practical steps to help organizations get started on the road to web application security.
Step 1: Get a Quality DAST Solution
The right tools are the start of any large-scale security effort and a good quality dynamic application security testing (DAST) solution is an essential item on the shopping list. This is because DAST is the only approach to web application security that can provide complete and immediate visibility of the current security status of everything that is running right now.
For example, if you only use static code testing (SAST), your developers might turn out highly secure new code – but what about external dependencies and third-party products that SAST can’t check? What about legacy applications developed many years ago? Even if your new code is secure, your environment might be breached elsewhere. This is why DAST is a vital part of web application security and the best starting point for your security program.
If you are going to build your security processes and make decisions based on results from a DAST solution, you need a product that your security teams, developers, and executives can fully trust. As an industry leader, Invicti delivers accuracy, maximum coverage, and the confidence that reported issues are real, exploitable vulnerabilities. Its proprietary Proof-Based Scanning technology provides true visibility of the current security posture, without the uncertainty you get when any result could potentially be a false positive.
Step 2: Find Out What You Have
You can’t secure something if you don’t know about it. This might seem obvious, but it is often poor visibility that leads organizations to focus all their security efforts on well-known assets, usually the business-critical ones. Even if this works reasonably well, hundreds of less vital assets might still be out there, potentially wide open to attack – and attackers only need one gap to gain a foothold in the company environment.
This is why the first phase should always be discovery, so you know what you’re working with, what to test, and what to prioritize. When you fire up Invicti, you are first asked for your domain names, IP addresses, brand names, company name, domain owner – as much information as you have to help seed the initial discovery process. Using a regularly updated database of Internet hosts combined with other publicly available information, Invicti searches for web-facing assets that match the specified criteria and suggests relevant results.
With the list of assets ready, you can run your first vulnerability scan and within hours get a picture of your current security posture. Because DAST covers everything that is currently accessible from the Internet, you can now see your real attack surface and make informed decisions about improving security.
Step 3: Fix Immediate Issues
When deploying a web application security program, many organizations take the top-down approach – plan first, act later. While this makes sense from a policy perspective, it does nothing to improve security here and now. In the real world, enterprise websites are being breached every day and no business can afford to risk another 6 or maybe even 12 months of waiting for an effective security program.
To get quick value and see immediate security improvements, you need to start from existing vulnerabilities and fix critical issues first. Invicti automatically prioritizes vulnerabilities to help you choose your course of action and because many of them will already be automatically verified, your developers can immediately get to work on the fixes.
Starting from existing issues rather than policymaking brings many benefits. First and foremost, you get measurable security improvements from day one. This means reduced risk for the entire organization and quick value from your security investment. You also get real, visible results that boost team confidence and help to maintain the momentum of your security efforts. And finally, it helps you get to know your teams, environments, and workflows so you can plan improvements. You are now confidently standing your own two feet.
Step 4: Build Up a Systematic Security Program
With the entire web application environment mapped out and the most critical issues addressed, you can step back and start fleshing out your security program. Because you now have complete visibility of your security status, you can identify areas for improvement and focus your efforts there. For example, if you see a group of websites that consistently has more vulnerabilities than other groups, it might be a sign that the development team responsible for this group needs more security training or better coordination with the security team.
Integration and automation are two cornerstones of effective application security workflows, but they need the right organizational background. If you want to automate issue assignment and notifications, you need to know who to notify for a given asset and where to assign tickets. Determining web asset ownership should start right after the discovery phase and can be a major challenge – it’s often much easier to find a website than to find the person who is currently responsible for it. The same goes for creating and maintaining an asset inventory so you don’t have to run external discovery every time you want to check your web assets.
You should also prepare the ground for the company culture changes that are necessary to truly incorporate security into development. One approach is to spread expertise around the organization by assembling cross-disciplinary development teams that include not only developers but also security experts and operations staff. You may also need to modify or add roles and workflows. All this will take a long time to fully implement, but you are in control of your current security posture and are working to a clear vision of the future. You are now walking and picking up speed.
Step 5: Streamline Workflows to Integrate Security
In the security industry, there is a lot of buzz around shifting left and integrating security into the software development lifecycle (SDLC). Shifting security left is the idealized goal of application security, but in real life, most organizations will never fully get there, even with the best intentions. A more practical approach is to always work towards incorporating security more tightly and effectively into the development process while maintaining centralized visibility and control.
At this stage of the journey, your focus should be on the balancing act of decentralizing security issue resolution while centralizing security management. In a large environment with thousands of web assets developed and maintained by dozens of separate teams, you can have hundreds of developers – but still only one small web security team. To avoid the bottleneck of manual vulnerability verification, triaging, and assignment by a handful of security staff, you can use Invicti to automate the vast majority of operations, from confirming vulnerabilities to creating issue tickets. At the same time, Invicti gives the security team the centralized visibility they need to manage vulnerabilities and define company-wide security policies.
When you get to this stage, you know what you have and what you need. Whenever vulnerabilities appear, you find them quickly and you know who will fix them – and when. Web application security in your organization is an inherent part of the software development process and practically runs itself under the watchful eyes of a small team of security experts. You have reached a level attained by only a few percent of organizations worldwide. You are now running.
Stay on the Right Track
With a bit of effort and commitment, taking the first steps on your security journey can be relatively easy – but maintaining the initial momentum and keeping the right direction is much harder. Consistency and guidance are vital to stay on track, maintain focus, and apply industry best practices.
Whenever you develop an effective security process, you need to apply it consistently across the entire organization to avoid different teams pulling in different directions and following their own homebrew security processes. Centralized visibility and management are vital to define security policies that will be acceptable to all stakeholders while fulfilling all the security requirements. The security team are the company’s experts on application security, so it makes sense that they should be the ones defining policy.
No matter how many security trainings you organize, you can’t expect every single developer and engineer to be a web security expert because that’s not their job. The central security team should therefore also be the main source of web security guidance across the organization, providing best-practice recommendations to everyone from developers to the CISO. With the help of a best-of-breed solution like Invicti, your security experts have access to everything they need to help your company stay ahead in the race to web application security.