Agile development can’t wait for security
If you are building modern web applications for your own organization or for customers, it is more than likely that you are using agile development practices in some shape or form. In large organizations, it is common to have hundreds of websites and applications in continuous development, with new features going from idea to production in a matter of weeks, if not days. In this hectic world, development can’t afford to wait for a separate team to run their security tests, as they would in waterfall workflows.
Outsourcing all application security testing might have made sense when companies only had a handful of websites and these rarely changed. Today, if you are serious about securing all your websites and applications at scale, you need some way to test new and updated applications early and often – preferably every time something changes. Development sprints commonly need to be completed in 1 or 2 weeks, so there is simply no time to order external tests, wait for the results, and then implement fixes.
Web application security is no longer optional
Back when online presence usually meant having a couple of informational websites, web security testing wasn’t a top priority. Nowadays, many organizations depend on complex web applications to do business and process sensitive data, so knowing your security posture at any point in time is a must. 2020 was a record year for data breaches – and with the average cost of a single breach now exceeding $4M, companies can’t afford to treat application security testing as an external service that only generates costs for little visible benefit.
If you are heavily focused on application development, you may feel that application security should be outsourced to specialized partners like anything else that is not your core business. But keeping your applications secure definitely is your business, so what can you do? To work at scale, keep up with development, and maintain full coverage without needing a whole team of experts to run it, your application security testing program should at the very least include vulnerability scanning. With modern solutions, bringing vulnerability scanning in-house is now a realistic way to get more control of your application security.
Plugging vulnerability scanning into your development pipeline
Dynamic application security testing (DAST) is a vital part of any security testing program and covers all the testing that is done on a running application, including automated vulnerability scanning and manual penetration testing and vulnerability assessment. Leading vulnerability scanners such as Invicti are now advanced and accurate enough to be used as standalone testing tools in agile workflows. Using out-of-the-box integrations, you can take Invicti and plug it into your heavily automated development pipelines to deliver actionable vulnerability tickets directly to your developers.
A modern DAST solution lets you trigger vulnerability scans at multiple stages of the development and testing process and is flexible enough to work in any development workflow. It is easy to deploy and can start delivering value within days or even hours. Invicti in particular comes with flexible deployment options to align security testing to your unique application environment. By building security testing into your automated development pipeline, you can minimize security risk without compromising the pace of software innovation.
Confident security testing automation reduces cost and risk
Back to the title question: are you still paying external consultants to scan your web applications for vulnerabilities? If so, it is likely you are not getting the most bang for your buck. In effect, you are paying someone to click a button that you can easily click yourself – and you have to order each scan separately. By bringing vulnerability scanning in-house, you get (with very little implementation effort) the ability to scan whatever applications you need whenever you want at no extra cost per scan. And when running an additional scan costs you nothing, your whole AppSec mindset shifts from “Do we really want to pay for this extra scan?” to “What scans do we need to stay secure?” – which is definitely where you want to be.
By bringing the vulnerability scanning part in-house, you will also get more value out of any external security testing that you commission. Whether you order periodic penetration testing or run a bug bounty program, your applications will arrive for testing already free of many common weaknesses, allowing external experts to focus on more advanced vulnerabilities that only a human can identify and exploit. In the case of bug bounties, that can also mean very real savings, as you are not wasting company money on payouts for trivial issues that you can now find and fix yourself.
Customers confirm: bringing vulnerability scanning in-house makes business sense
Many Invicti customers have found that as their agile web development operations grow and accelerate, outsourced vulnerability scanning quickly becomes a liability. They want best-in-class application security testing, but keeping it outside the development workflow (and the company) is inflexible, expensive, and far too slow to keep up with development. As several of our case studies show, adding vulnerability scanning with Invicti to existing agile development pipelines is not difficult and brings a host of benefits, from cost savings and improved security to shorter release cycles.
If you develop web applications and use agile, bringing vulnerability scanning in-house simply makes sense.