The pitfalls of DIY application security

Despite the clear and growing risk of web-based attacks and data breaches, many still see web application security as a low-priority newcomer to the cybersecurity mix. This often leads to incomplete test coverage from a home-grown combination of point solutions. Let’s look at the pitfalls of piecemeal security testing and see how a DAST-based AppSec program is more effective on multiple levels.

Incomplete security testing leaves you vulnerable

Web application development is among the most dynamic areas of technology, allowing businesses to bring new features and applications to market in a matter of months if not weeks. With so much critical data and business logic now accessible from anywhere in the world, keeping websites and applications secure is now a top priority – but how are you supposed to do this on an enterprise scale if your application environment changes daily?

In the rush to add security testing to existing development workflows, organizations often struggle to enforce security without compromising release schedules (and therefore business growth). This can lead to piecemeal testing using a mixture of incompatible tools and workflows that cannot hope to provide a complete picture of application security, let alone scale to keep pace with development. Such a DIY approach to security combined with budget and workforce constraints forces organizations into an endless cycle of security compromises: Do we have time to test this before releasing? Which of our applications should we secure? Should we release with known vulnerabilities?

Your application security is only as good as its weakest link. Compromises and trade-offs are not a good idea – and yet they are commonplace.

The dangers of picking the wrong tools and methods

Cybersecurity products hide behind a bewildering variety of acronyms and marketing claims that can make it tricky to pick the right tool for the job. Let’s look at a few common scenarios where picking the wrong product for your needs can seriously undermine your application security efforts.

We can do this manually

One common misconception is that manual penetration testing tools can do the job of automated security scanners. On a purely technical level, this is true, but manual testing and automated scanning are two completely different processes. In the hands of an experienced security engineer, a penetration testing tool can be far more accurate than even the best vulnerability scanner – but this takes time and resources.

In an enterprise environment with hundreds of websites and applications, each with dozens of attack surfaces to test, you are unlikely to ever have the time and manpower to achieve and maintain complete test coverage purely with manual testing. And even if you are lucky enough to have a dedicated pentesting team, it can’t grow as fast as your development operations, so your security experts will always be fighting an uphill battle and risking burnout. At enterprise scale, automating security testing is a necessity, not a luxury.

An open-source scanner will be good enough

Companies that decide to get a vulnerability scanner to automate testing are faced with the typical choice of commercial vs. open-source. With open-source tools forming the backbone of all web development, it may appear that an open-source security tool will be good enough, especially given that it’s free... Or is it?

We’ve written about the difference between a product and a solution before, and nowhere is it more apparent than when deploying and running an open-source product. The quality of vulnerability scan results is heavily dependent on correct deployment, setup, and customization. Even with zero upfront cost for the product, you still need to pay someone to set it up, optimize it, and keep it updated. As for technical support, you will be lucky to get a wiki page and user forum, but if you run into issues that are unique to your application environment, it will be your staff spending even more hours resolving them. Finally, and crucially for security software, open-source projects are unlikely to have the budget and people for research and development programs that would allow them to refine test accuracy and stay on the cutting edge of cybersecurity.

Avoiding security blind spots

At the risk of stating the obvious, web security is a complex topic. Exploitable vulnerabilities can crop up in many places and for many reasons, so it’s important to avoid blind spots in security testing. For example, misinterpreting “shifting security left” to mean testing only during development can leave you exposed to vulnerabilities caused by misconfigurations in the deployment environment or brought in via dynamic dependencies. Because such testing only covers sites and applications that are in active internal development, it can also leave older assets and any third-party products untested and vulnerable to new attacks.

Another blind spot when shifting left can arise when organizations skip dynamic testing altogether and rely solely on static code analysis (SAST) for their web application security testing. This can happen if they can’t find a way to build dynamic testing into their agile development pipeline but do have IDE integration for code-level testing tools. It could also be that, based on bad experiences with inaccurate vulnerability scanners in the past, somebody has decided that automating dynamic testing simply isn’t practical. In either case, abandoning systematic dynamic testing can leave applications with major security issues that will remain exploitable by attackers until found through manual testing and fixed, potentially many months later (or after a breach).
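The deployment blind spot described in the two paragraphs above can be made concrete. The following is an added illustration, not Invicti’s code or any scanner’s actual logic: a tiny app whose source is identical in every environment but whose hardening headers depend on a deployment-time variable (the `APP_DEBUG` name and the expected header list are assumptions for this example). Static analysis of the source sees nothing wrong; only a dynamic probe of the running instance shows what the deployed app really sends.

```python
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.request import urlopen

# Hardening headers a dynamic check expects on every response.
# The list is an assumption for this example, not a complete policy.
EXPECTED_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "Content-Security-Policy": "default-src 'self'",
}

def make_handler(deploy_env: dict):
    """Build a request handler whose behaviour depends on deployment-time
    environment variables, as many frameworks do. The source is the same
    everywhere; only the deployment environment differs."""
    debug = deploy_env.get("APP_DEBUG", "0") == "1"  # assumed variable name

    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            self.send_response(200)
            self.send_header("Content-Type", "text/plain")
            if not debug:  # hardening headers are skipped when debug is on
                for name, value in EXPECTED_HEADERS.items():
                    self.send_header(name, value)
            self.end_headers()
            self.wfile.write(b"ok\n")

        def log_message(self, *args):  # keep the example quiet
            pass

    return Handler

def serve(deploy_env: dict) -> HTTPServer:
    """Start the app on an ephemeral localhost port with the given env."""
    server = HTTPServer(("127.0.0.1", 0), make_handler(deploy_env))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server

def missing_headers(headers) -> list[str]:
    """Pure check: which expected hardening headers are absent."""
    return sorted(name for name in EXPECTED_HEADERS if name not in headers)

def probe(server: HTTPServer) -> list[str]:
    """Dynamic test: request the running instance and inspect what it sends."""
    port = server.server_address[1]
    with urlopen(f"http://127.0.0.1:{port}/", timeout=5) as resp:
        return missing_headers(resp.headers)

if __name__ == "__main__":
    dev = serve({"APP_DEBUG": "1"})   # constructed: debug left on at deploy time
    prod = serve({"APP_DEBUG": "0"})  # constructed: hardened deployment
    print("debug deployment missing:", probe(dev))
    print("hardened deployment missing:", probe(prod))
    dev.shutdown(); prod.shutdown()
```

The same source passes a code-level review in both cases; the findings appear only when the deployed instance is exercised, which is the gap a DAST pass in the pipeline is meant to close.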

Taking control with modern DAST

Sprawling web application environments that combine multiple technologies and countless dependencies while also changing on a daily basis make a top-down approach the only sane starting point for building a comprehensive AppSec program. A modern DAST solution such as Invicti can provide maximum visibility into your real-life security posture by discovering and testing all the websites and applications that attackers could target. You can also integrate vulnerability scanning into your development pipelines to have automated dynamic testing from the earliest stages of development.

With Proof-Based Scanning, a full embedded browser engine, and an industry-leading vulnerability scanner backed by over a decade of development, Invicti delivers accurate and actionable results to help you measurably improve security practically from day one. Out-of-the-box integration with popular issue trackers and collaboration tools allows security testing to finally keep up with agile development and provide rapid feedback on identified security issues. 

A modern DAST platform provides a solid foundation for a comprehensive application security program. By maximizing test coverage and automatically finding (and confirming) many common vulnerabilities, Invicti reduces risk, greatly decreases the workload of your security teams, and helps your developers fix security issues quickly and permanently. With this security baseline in place, you can eliminate inefficiencies, get more value out of other AppSec initiatives, and allow your security teams to focus on jobs that really need their expertise.

Zbigniew Banach

About the Author

Zbigniew Banach - Technical Content Lead & Managing Editor

Cybersecurity writer and blog managing editor at Invicti Security. Drawing on years of experience with security, software development, content creation, journalism, and technical translation, he does his best to bring web application security and cybersecurity in general to a wider audience.