- Business-critical applications keep companies running, so any downtime must be resolved quickly – and prevented wherever possible.
- Best practices help secure business-critical web apps, but testing is also a must.
- An automated DAST tool can pinpoint vulnerabilities and misconfigurations that might otherwise go unnoticed.
For companies following the cybersecurity headlines, the need for disciplined security testing to protect their web applications against attack is clear. Unfortunately, too many IT departments still lack the expertise, let alone the tools, to do more than offer basic security measures, leaving their many business-critical apps vulnerable to attack.
Mission-critical vs. business-critical vs. non-critical applications
In terms of risk, business web applications generally fall into one of three major buckets:
- Mission-critical: When a mission-critical app, such as an e-commerce website, experiences downtime, the business can no longer operate or generate revenue. Typically, companies have only a few mission-critical applications and frequently dedicate teams or, in smaller organizations, administrators who supervise their smooth operation.
- Business-critical: When a business-critical app goes down, the business will be unable to perform important functions – such as issuing invoices or reordering inventory – but it can still run and make money. Unlike mission-critical apps, the implications of a temporary outage are not catastrophic, but service needs to be restored within a brief period of time.
- Non-critical: Non-critical apps are still important, but an outage does not represent an urgent situation in the near term. For example, an airline app that awards frequent-flier miles to passengers for travel would fit in this category.
When companies suffer a malicious attack on their IT systems, their first reaction – and rightly so – is to protect their mission-critical apps. But if they don’t also invest in safeguarding their business-critical web applications, they have only displaced the entry point of attack. Many of the most publicized attacks are of this nature, where a company’s mission-critical apps are not affected, but customer data is drawn from a database that’s accessible via a vulnerability in a business web application.
The challenges of securing business-critical applications
Business-critical apps vary widely in function, yet all play a crucial role in a business’s operations. They include accounting and inventory apps; customer relationship management and human resources management systems; infrastructure systems, such as messaging software; and legacy applications that were built to satisfy the needs of a particular customer.
Protecting each type of business-critical app may require a different approach. For example, a new app developed in-house can be designed from the start with a small attack surface, built on a secure software-development framework, and subjected to constant security testing. Such hardened apps fare well against attack.
These practices are not always available or appropriate for a legacy application, which may have been developed at a time when security was less of a priority. Likewise, infrastructure software – often purchased as a packaged application – might not be designed to be robust in the face of malicious activity.
Covering business-critical apps with DAST
Businesses can bolster the security of their critical web applications by instituting best practices, such as robust authentication, least-privilege authorization, and activity logging, among others. However, securing the app itself requires an approach that accounts for the fact that the IT organization often does not know the details of the app’s internals – in other words, its individual subsystems and how they fit together.
Dynamic application security testing (DAST), which tests running web apps across their development life cycles, can help. A DAST tool uses web crawling technology to map out all of the app’s resources, including web pages, entry points, and other interfaces (such as APIs), and to look for vulnerabilities and misconfigurations. These might include unpatched software, unguarded entry points, and inputs that can be easily manipulated by known attack techniques, such as SQL injection and cross-site scripting. When a DAST tool finds a vulnerability, it records details of its discovery so that penetration testers and other IT staff can reproduce the problem to determine its exact nature and identify a fitting solution.
The crawling of a web application is an especially important part of the DAST workflow, as it covers the entire footprint of the app. This step alone frequently finds neglected or forgotten apps, web pages, and access points, especially in legacy applications. Forgotten apps typically exist because a customer once required a standalone application for a specific need. If the app is no longer in use but still running, it could represent a fruitful point of entry for malicious hackers.
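To make the crawling step concrete, the following is an added example, not code from the original article or from any DAST product: it crawls a constructed in-memory site, records each page’s entry points (query parameters and form inputs), and reports reachable pages that are missing from the team’s declared inventory. The site content, the inventory, and the forgotten `/legacy/export.php` page are all constructed for the example.

```python
"""Model of the DAST crawling step: map an app's pages and entry points,
then flag reachable pages absent from the declared inventory (forgotten pages).
Runs offline against a constructed in-memory site."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse, parse_qs

# Constructed sample site: path -> HTML. /legacy/export.php is reachable via a
# stale link from /inventory but is missing from the team's inventory.
SITE = {
    "/": '<a href="/invoices?year=2023">Invoices</a><a href="/inventory">Stock</a>',
    "/invoices": '<form action="/invoices/search" method="post">'
                 '<input name="customer"><input name="q"></form>',
    "/inventory": '<a href="/legacy/export.php?table=customers">old export</a>',
    "/invoices/search": "<p>results</p>",
    "/legacy/export.php": "<p>Export tool</p>",
}
INVENTORY = {"/", "/invoices", "/invoices/search", "/inventory"}  # constructed

class LinkFormParser(HTMLParser):
    """Collects anchors and forms (with their input names) from one page."""
    def __init__(self):
        super().__init__()
        self.links, self.forms, self._form = [], [], None
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.append(a["href"])
        elif tag == "form":
            self._form = {"action": a.get("action", ""),
                          "method": a.get("method", "get").lower(), "inputs": []}
        elif tag == "input" and self._form is not None and a.get("name"):
            self._form["inputs"].append(a["name"])
    def handle_endtag(self, tag):
        if tag == "form" and self._form is not None:
            self.forms.append(self._form)
            self._form = None

def crawl(site, start="/"):
    """Breadth-first crawl; returns {path: {"params": set, "forms": [...]}}."""
    seen, queue, found = set(), [start], {}
    while queue:
        parsed = urlparse(queue.pop(0))
        path = parsed.path or "/"
        entry = found.setdefault(path, {"params": set(), "forms": []})
        entry["params"].update(parse_qs(parsed.query))  # record query-string entry points
        if path in seen or path not in site:
            continue
        seen.add(path)
        p = LinkFormParser(); p.feed(site[path])
        entry["forms"].extend(p.forms)
        queue.extend(urljoin(path, f["action"]) for f in p.forms)
        queue.extend(urljoin(path, link) for link in p.links)
    return found

def forgotten_pages(found, inventory):
    """Reachable pages nobody declared: candidates for removal or review."""
    return sorted(set(found) - set(inventory))
```

Running `forgotten_pages(crawl(SITE), INVENTORY)` surfaces `/legacy/export.php`, the kind of still-running, undeclared page the article describes.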
Beyond business-critical apps
While business-critical apps have been the focus of this article, non-critical apps frequently operate with the same security caveats: many come packaged, others are legacy, and still others linger in a corporate limbo where they run unnoticed and are not updated. Non-critical applications are often neglected in security practices because they are generally used internally only.
However, running a DAST tool on these applications can reveal the same problems found with business-critical apps: unexpected openings to the outside world with unguarded or insufficiently guarded access points, unpatched server software, out-of-date applications, and so forth. That’s why running DAST on all web applications, no matter their level of criticality, goes a long way toward securing an IT organization’s portfolio. And because DAST is an automated scanning tool, it can keep up with the frequent changes to any of an organization’s applications and report back any vulnerabilities and misconfigurations.