Do you have a web application security program or are you merely testing?

A systematic approach is vital to ensure web security in any sizable organization – and yet many companies still don’t have a web application security program. Especially with fast-moving DevOps workflows, ad-hoc security testing can never hope to keep up with web development at scale. Invicti’s Kevin Gallagher presents the 5 steps to a resilient web application security program.

Do you have a web application security program or are you merely testing?

Kevin Gallagher on Security Weekly at RSA 2021

Chief Revenue Officer at Invicti Security, Kevin Gallagher, spoke to Security Weekly’s Matt Alderman as part of the virtual Broadcast Alley at RSA 2021. Starting with the observation that the pandemic-fueled rush to secure remote work has led to stagnation in systematic security programs, Matt and Kevin discussed the many challenges of securing web applications at scale. Watch the full interview below and read on for an overview of the Invicti approach to building or reinvigorating your systematic appsec program with Invicti.

Discovery: You can’t secure what you don’t know about

Before you test anything, you need to start with the appsec equivalent of asset inventory, which is the foundation of systems security. If you don’t know what assets you have, there is no way to secure them or even decide which sites and applications to prioritize. Many organizations still rely on tribal knowledge or manually maintained lists to keep track of the web assets they want to test, but they could well have dozens or hundreds of abandoned or overlooked sites that are also accessible from the Internet. These forgotten assets tend to be less secure than production sites and often provide attackers with a handy entry point into company systems.

Invicti includes a discovery service that starts running as soon as you log in and enter the domains you want to scan. This seed data (customized and expanded if necessary) is used to query Invicti’s central database of all known web-facing assets across the company domains and subdomains. This includes not only websites and applications but also web services and API endpoints, as all these can be equally viable targets for attackers. Invicti then reruns this discovery process on a daily basis to alert users to any new assets that have appeared under their domains – especially important considering how fast new sites and applications can be deployed, often without central inventory or oversight.

Detection: Test everything, not only your critical apps

Once you know what you have, you can start testing. While there are many ways to test web applications, using an advanced dynamic application security testing (DAST) solution such as Invicti brings a number of advantages. First and foremost is the ease of use and configuration – you can launch a whole array of carefully researched built-in security checks with a few clicks. As is so often the case, the better the tool, the less manual setup you need – and with Invicti, even setting up authenticated scanning is made simple.

Invicti uses an advanced crawler to identify all attack surfaces in each application and then safely performs simulated attacks to probe for vulnerabilities. Even across large environments, results are typically ready in under 48 hours. With Proof-Based Scanning, the majority of high-impact vulnerabilities are automatically confirmed by the scanner with no risk of false positives, so the scan results present a current and realistic picture of your web application security status.

Remediation: Fix vulnerabilities for measurable security improvements

So now you have a list of all the vulnerabilities detected in your websites, applications, and often also web services and APIs. In a large organization, this can mean thousands of issues for a small security team to deal with. When less advanced tools are used, false positives can be a blocker at this stage: how do you know which of your 10,000 reported issues are even real? If your security engineers have to manually verify all the results and weed out false alarms, they will be swamped by tedious tasks that do very little to move your security forward.

Invicti uses Proof-Based Scanning to confirm exploitable vulnerabilities with 99.98% certainty and provide accurate severity ratings so you can immediately prioritize and plan remediation work. Each vulnerability report includes detailed information for developers to help them understand the issue and correctly fix it. Vulnerabilities that are marked as confirmed by Invicti don’t need any manual checking, which takes a huge load off the security team and can bring very real savings.

Integration: Build security into automated development workflows

Already at this level of security integration, you will see major improvements both in application security and workflow efficiency, but if your security team is working separately from the developers, you are still not reaping the full benefits of automation. To make security a regular part of the development process, you can build security testing into existing DevOps pipelines. Invicti comes with out-of-the-box integrations with popular ticketing systems, collaboration tools, and CI/CD platforms, allowing the security testing and vulnerability remediation process to be automated to match your current workflows.

For example, you can set up Invicti to automatically create developer tickets for confirmed vulnerabilities, bypassing the bottleneck of manual processing by a small security team. Because developers get actionable vulnerability reports straight into the issue tracker they use every day, they start treating security issues the way they should be treated: like any other software bug. Instead of wasting time on switching tools, double-checking, and requesting additional guidance, they can now focus on fixing the issue. Invicti can also automatically retest fixes to make sure the vulnerability is gone for good.

Continuity: Test regularly and automatically at multiple stages

The final step on the road to fully absorbing security into your DevOps pipeline and building DevSecOps is to make security testing a hands-off part of the software development lifecycle (SDLC). Traditionally, you would have different types of security testing tools for different stages of the SDLC, with DAST reserved for late-stage testing. However, a modern DAST tool can be highly effective at multiple points, allowing you to improve security without complicating workflows and integrations. With Invicti in particular, you also have the option of deploying an IAST module in your application environment to gain a deeper insight into runtime security issues.

Building security testing into the SDLC is also the only way to keep up with the breakneck pace of web application development. When applications changed infrequently, sporadic security testing may have been acceptable, but with weekly, daily, or even continuous deployments, security must be a permanent part of the pipeline. Scans can be triggered automatically via CI/CD integration and confirmed vulnerabilities sent directly to developers, making it much faster, easier, and cheaper to fix security bugs.

A modern DAST tool is a vital part of any application security toolbox. With a solution like Invicti, you can go beyond the traditional role of DAST in late-stage testing and also integrate it into the testing automation already present in modern development workflows. By progressing along the road to a systematic web application security program with Invicti, you can streamline your current appsec workflows – and then take them to the next level.

Zbigniew Banach

About the Author

Zbigniew Banach - Technical Content Lead & Managing Editor

Cybersecurity writer and blog managing editor at Invicti Security. Drawing on years of experience with security, software development, content creation, journalism, and technical translation, he does his best to bring web application security and cybersecurity in general to a wider audience.