At the end of October 2022, the Invicti crew attended it-sa Expo&Congress – one of the biggest IT security events in Germany and Europe in general. Among the many excellent conversations with booth visitors and prospective clients, we noticed one broader trend: many companies still believe that application security is more about protection than testing. And when shown a demo of the Invicti approach to application security testing, many visitors simply couldn’t believe their eyes.
Back to first principles with application security
With 693 exhibitors and a packed event agenda at this year’s it-sa Expo&Congress, it was clear that cybersecurity is a big place. It was also clear that awareness of web application security testing is still playing catch-up when compared to the vast array of protection and detection offerings out there. This seemed especially true of solutions for dynamic application security testing (DAST), where some visitors were not even aware that such automated testing is possible – or necessary. While many companies are actively building and improving their network, cloud, and endpoint security, they surprisingly often neglect web application security or apply the perimeter defense mindset and rely entirely on web application firewalls (WAFs) and similar protective measures to secure their web presence.
Approaching application security from the outside like this can lead to underlying application vulnerabilities being masked rather than eliminated, which increases the risk of successful cyberattacks if (or rather when) malicious actors manage to penetrate or bypass the outer layers of protection. While it’s important to maintain security at all levels, effective application security needs to start with ensuring the application itself is as resistant to attack as possible – and that means application security testing at every stage of development and operations.
To know DAST is to love DAST
Of the several different approaches to application security testing, manual penetration testing is likely the best-known and most widely used, especially for organizations that believe an occasional security test is quite enough for them. While this may have been true in the past when web asset changes were less frequent and more predictable, ordering sporadic manual checks is no longer sufficient to keep up with the pace and scale of modern web application development. With so many enterprises now developing some or all of their own applications, automating security testing and bringing it in-house is a practical necessity – and a good quality DAST solution is a crucial part of any application security (AppSec) toolbox.
Talking to it-sa Expo&Congress visitors who were already familiar with DAST and using it in their workflows, it was clear that they knew the value of this approach. For companies that used to rely solely on external penetration testing, encountering a mature solution that can let them automate the vulnerability testing process and bring it in-house was an eye-opening experience. Many people were surprised that such automated testing is now technically possible, and all were impressed by the high quality of the results. To show that DAST is not only for finding vulnerabilities but also for gaining critical visibility across the entire AppSec program, Mark Schembri, Solutions Engineering Manager at Invicti, delivered the presentation “How Invicti can help you to manage your web attack surface,” which was very well received.
Identifying and managing your web attack surface
As Mark showed, one advantage of Invicti’s DAST-driven approach to application security is the ability to identify and control your organization’s web attack surface, understood as the entirety of publicly discoverable and accessible web assets. Knowing your attack surface allows you to guide your security efforts to eliminate gaps, maximize coverage, and focus remediation efforts where it matters most. Before the crawler and scanner components even get to work, Invicti’s discovery service provides a list of domains and subdomains that are likely to belong to your organization and contribute to its attack surface.
Once you’ve selected the sites and applications you want to test, the crawler goes through each of them to find all attackable links, forms, URLs, URL parameters, and so on – all the points that bad actors could potentially access and attack. Each of these points is then subjected to a battery of fully automated security checks that analyze how the application reacts to various probing attempts and look for behaviors that signal vulnerabilities. And with Proof-Based Scanning, the vast majority of direct-impact vulnerabilities are automatically confirmed to eliminate false alarms and highlight priority issues.
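The crawl-then-check workflow described above reduces, at its core, to building an inventory of every input point an application exposes: in-scope URLs, their query parameters, and form fields. The following is an added illustration of that inventory step, not Invicti's crawler and not a description of how its scanner is implemented. It walks a small set of constructed pages (hostnames under the reserved `.test` domain, contents made up for the example) with Python's standard-library HTML parser, stays within a declared scope host, and reports the points a scanner would then subject to its checks.

```python
"""Inventory of attackable entry points (links, query parameters, form fields)
across a set of in-scope web pages.

Added example; it is not Invicti's crawler and stands in for the discovery and
crawling stage only. SAMPLE_SITE is a constructed stand-in for fetched pages.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse, parse_qsl

# Constructed pages keyed by URL; a real crawler would fetch these over HTTP.
SAMPLE_SITE = {
    "https://app.example.test/": """
        <html><body>
        <a href="/search?q=test&amp;page=1">Search</a>
        <a href="/account/login">Login</a>
        <a href="https://cdn.other.test/lib.js">external</a>
        </body></html>""",
    "https://app.example.test/account/login": """
        <form action="/account/login" method="post">
          <input name="username"><input type="password" name="password">
          <input type="hidden" name="csrf" value="x">
        </form>""",
    "https://app.example.test/search?q=test&page=1": """
        <a href="/item?id=42">Item 42</a><a href="/">Home</a>""",
}


class EntryPointParser(HTMLParser):
    """Collects absolute link targets and form definitions from one page."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.links = []   # absolute URLs found in <a href>
        self.forms = []   # (action_url, method, [field names])
        self._form = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.append(urljoin(self.base_url, a["href"]))
        elif tag == "form":
            action = urljoin(self.base_url, a.get("action") or self.base_url)
            self._form = (action, (a.get("method") or "get").lower(), [])
        elif tag in ("input", "select", "textarea") and self._form and a.get("name"):
            self._form[2].append(a["name"])

    def handle_endtag(self, tag):
        if tag == "form" and self._form:
            self.forms.append(self._form)
            self._form = None


def crawl(pages, start, scope_host):
    """Breadth-first walk over in-scope URLs; returns the entry-point inventory.

    Out-of-scope hosts are never followed, so third-party assets do not end up
    in the list of things to test. A discovered URL is recorded even when it
    could not be fetched, because its query parameters are still input points.
    """
    seen, queue = set(), [start]
    inventory = {"urls": set(), "params": {}, "forms": []}
    while queue:
        url = queue.pop(0)
        if url in seen or urlparse(url).netloc != scope_host:
            continue
        seen.add(url)
        inventory["urls"].add(url)
        parsed = urlparse(url)
        for name, _ in parse_qsl(parsed.query):
            inventory["params"].setdefault(parsed.path, set()).add(name)
        html = pages.get(url)
        if html is None:
            continue  # discovered but not fetched in this sample crawl
        parser = EntryPointParser(url)
        parser.feed(html)
        inventory["forms"].extend(parser.forms)
        queue.extend(parser.links)
    return inventory


def count_test_points(inventory):
    """Each query parameter and each form field is one input a scanner checks."""
    params = sum(len(names) for names in inventory["params"].values())
    fields = sum(len(form[2]) for form in inventory["forms"])
    return params + fields


if __name__ == "__main__":
    inv = crawl(SAMPLE_SITE, "https://app.example.test/", "app.example.test")
    for u in sorted(inv["urls"]):
        print("url   ", u)
    for path, names in sorted(inv["params"].items()):
        print("params", path, sorted(names))
    for action, method, fields in inv["forms"]:
        print("form  ", method.upper(), action, fields)
    print("input points to test:", count_test_points(inv))
```

The scope check on the host is the part worth keeping in mind: an inventory that silently follows links to CDNs or partner sites both inflates the attack surface it reports and risks sending test traffic to assets you do not own.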
Talking modern AppSec needs
A common theme in conversations about the web attack surface was the ability to effectively scan modern websites and web APIs for vulnerabilities. Invicti’s advanced and mature DAST solution features a complete embedded browser engine to crawl and test any site that a modern browser can open. Combined with support for all the popular web API definition formats as well as industry-standard authentication schemes, this allows the scanner to probe every part of the application environment and run its security checks regardless of authentication requirements.
As visitors to the Invicti booth discovered, bringing accurate and fully automated web application security testing in-house is now finally a realistic option for any organization. Invicti products are available in cloud-based and on-premises versions to cover all types of deployments and allow you to take charge of your web application security program with uncompromising accuracy. And as we learned at this year’s it-sa Expo&Congress, many companies still don’t know that this is already possible – and that it is exactly what they need to stay secure.