Future-proofing DevSecOps in healthcare with DAST
Healthcare organizations deal with sensitive information every day and are under constant regulatory pressure to keep this data safe. Invicti sat down with a large healthcare customer to learn how taking a DAST-based approach has helped to minimize application security risks without holding back development.
Your Information will be kept private.
Your Information will be kept private.
Bad actors don’t slow down and wait for security to catch up. In healthcare, which deals with sensitive information every single day, that means they need a security solution that’s fast and delivers accurate results. For one Invicti customer, dynamic application security testing (DAST) has been critical in safeguarding that information so they can keep their applications and their customers safe now and in the future.
According to Verizon’s 2022 Data Breach Investigations Report, web applications remain the number one attack vector for breaches, with causes stemming from stolen credentials, ransomware, and phishing. For industries that deal with sensitive information every day, there’s never been a more vital time to evaluate the state of their web application security (AppSec) and establish a strategy that shrinks their attack surface.
This is especially true for healthcare platforms that exchange private data for millions of payers and providers alike; with the average cost of a data breach topping $10 million for healthcare organizations, the potential for financial and reputational damage is immense. Striking a balance between data protection and releasing new, innovative applications on schedule can seem a daunting task – but not with the right tools and a security-driven culture in place.
That’s why, when a large healthcare company with an extensive data-driven platform for care programs needed a new security solution that could handle all of their web assets, they turned to Invicti for a DAST-based security solution. We sat down with one of their Application Security Engineers to discuss some of the challenges they faced before integrating Invicti’s solution, and the implementation benefits they’re still seeing today.
Invicti DAST enables security compliance across cloud-native apps
Regulatory acts like HIPAA govern every day in healthcare IT, so compliance is critical for this organization. Maintaining security for their customer data is a top priority. According to the Application Security Engineer we spoke with, any cyberattack would have serious implications, putting their organization under scrutiny both with the government and in the public eye. This is one reason why they needed a tool that was both reliable and capable.
Because we’re a healthcare organization and a publicly-traded company, a long list of implications ranging from regulatory violations, fines, audits, and financial loss to bad press and negative customer sentiment could result.
– Application Security Engineer, Invicti customer in healthcare
Additionally, the team has begun moving towards cloud-native applications and APIs, which requires a flexible and modernized approach to security that can scale and grow. When setting out to make the shift to the cloud and build more secure web applications with ease, the security team at this healthcare organization knew they needed a DAST solution that would allow them to run consistent scans with accuracy.
Even more urgently, one of their clients explicitly required DAST scans, so finding a reliable DAST solution was mission-critical. Turning to Invicti was an obvious choice for this longtime user and champion of Acunetix, an Invicti product. “I used Acunetix by Invicti for a long time, and I fell in love with the tool,” the engineer explained. “Today, if I go to conferences or someone asks me about DAST products, I can give first-hand experience of one that I’m currently using, and I recommend Invicti to other folks.”
After implementing Invicti, the first capability they employed was asset discovery. This enabled the team to automatically and continuously discover web assets that might’ve otherwise gone unnoticed. And because auditors frequently want to see recent scans to satisfy compliance needs, Invicti’s reporting tool is very valuable for quickly and accurately relaying that information.
Engineers can now also double-check code swiftly and proceed with more confidence. “We have visibility into a second look at our source code static analysis (SAST) tools,” the engineer explained. “We operate in a CI/CD pipeline with static analysis, so the DAST solution provides us a second look and confirmation that no code that has gone through CI/CD and checked by SAST has any vulnerabilities.”
In the time saved through automated and integrated security testing, developers and security experts are able to focus on more critical tasks and improve processes to produce safer applications. It’s easier for the team to prove ROI, too, with accurate and expedited reporting that they can share internally and with auditors. In the world of software development, getting that time back compared to inefficient manual tasks and unreliable scan results means less stress and more productivity, and that’s invaluable.
Automated DAST and pipeline integrations are daily requirements
When you need to move faster in application security and save money in the process, automation is key. It reduces tedious manual work and – if the results are accurate – eliminates pesky guesswork from the quality and assurance process.
“The automation of scanning is a time saver,” the engineer explained when speaking about Invicti’s automated DAST solution. “I come back and the DAST scanner has done its job. That’s a headcount we don’t need, and that’s good money savings. Scan efficiency has improved with Invicti because we’re not taking a long time to scan anything, maybe an hour at most, and we get automatic feedback immediately that allows us to move forward with our development work.”
Currently, the team is running manual scans with scheduling, but in the near future, they plan to leverage CI/CD integrations to push their processes even further down the path of automation and eliminate the need for scheduled scans entirely. They hope to get to the point where they have the ability to scan on-demand based on when code changes occur, and then for ultimate efficiency, a DAST job can kick off to scan a build as it’s being completed.
Integrations and automation work hand-in-hand to further improve processes at the organization, and the team has hopes for even more efficiencies in the future. A vital Jira integration currently allows them to triage tickets and then pass necessary fixes right to developers.
We didn’t really feel comfortable pushing findings in tickets directly to developers because it might be too disruptive to them. If it is just automatically adding stories into Jira and adding vulnerabilities to their plate, it becomes unmanageable really quickly, especially if there’s hundreds of findings. So we chose to put it in our bucket. We triage issues and we feed them over to developers as needed through Jira, and the integration works seamlessly with Invicti.
– Application Security Engineer, Invicti customer in healthcare
Eventually, the team wants to fully automate the scan process in the build pipeline – in which case there would be no need for a ticket at all, saving even more time. For now, they’re managing the process in a more hands-on way to alleviate pressure on the development team and keep security running smoothly.
Reducing false positives and silencing noisy, unreliable AppSec
Tools that plug right into workflows and deliver more accurate results speed up development processes all around, so developers don’t need to wait for security to keep up. That’s especially important when it comes to issues like false positives, which contribute to AppSec noise by muddying results and requiring tedious manual checks of scans.
“I’ve used tools that were highly noisy,” the Application Security Engineer explained, “and the most annoying thing about it is you then have to spend hours sifting through incorrect findings to ignore and get rid of them. Because they’re not true. And if the tool is wrong, then why are we paying for it?”
False positives are a problem plaguing many development and security teams that need to move quickly. Not only can developers and security engineers spend hours chasing false alarms, but false-positive-ridden scanners also tend to report the same non-issues in the future, leading to frustration and constant project delays. That’s an expensive problem.
Proof-Based Scanning from Invicti is 99.98% accurate, which is something the team is finding very valuable. Accuracy paves the way for confidence in scan results – after all, if a scanner can exploit a vulnerability, so can the bad guys. With confirmation provided for over 94% of direct-impact vulnerabilities, the team is consistently narrowing their threat exposure and reducing the risk of attack.
“Invicti scans accurately, it scans on time, and it doesn’t take forever,” our healthcare customer said. “It’s producing accurate findings versus a bunch of junk, and that’s why I think on the market Invicti is probably the best tool there is.” With more accurate findings delivered consistently, the team can forge on with confidence that their scanning tools are getting the job done while they produce secure apps that their customers rely on.
Paving the road ahead with strategic DevSecOps and increased use of DAST
Successful AppSec isn’t only about the tools; it’s also about a cultural adoption of security. Data from ESG shows that 46% of developers view security tasks as disruptive to their development processes, and 44% think all security work should fall on the security team. For DevSecOps to be effective and lasting, developers need to play proactive roles in adopting best practices, tools, and processes alongside their security counterparts.
And that requires a cultural acceptance from leadership down – something healthcare organizations, including Invicti customers, take very seriously. For our healthcare customer, the foundation for a positive culture shift to full DevSecOps was already in place. They have a highly supportive executive branch that funds everything they need to get done, and the developers at their company know they can go to the security team for help at any time.
Without typical roadblocks slowing them down, the team has been able to build relationships that contribute to smoother workflows and a more collaborative environment, especially with the right tools at the helm. Having those foundational relationships in place is key as they plan to invest more in DAST in the future to ensure protection for the sensitive data their millions of platform users rely on daily.
Attackers are always looking for low-hanging fruit, and DAST is a great line of defense. If you’ve got a perimeter riddled with application security vulnerabilities and DAST can find 80% of those – well, 80% of your findings are now covered and not in the hands of attackers. It’s a tool that’s always going to be around.
– Application Security Engineer, Invicti customer in healthcare
This continued investment in DAST and other tools will help them shrink their attack surface and ensure that new applications are secure when they’re deployed for end users. Invicti will be there every step of the way to ensure these and future AppSec strategies are impactful, allowing the team to continue building innovative web applications with confidence.
Browse our case studies to learn how other customers are securing their web assets, improving DevSecOps, and future-proofing their development processes with Invicti.
