
What are the benefits of web application scanning? How to make it worthwhile


Imagine a castle fortress without a drawbridge, moat, or guards to keep enemies at bay. The idea would be ludicrous back then, just as it is now.

For modern-day organizations made up of personnel, equipment, networks, and data, it’s essential to put mechanisms in place that protect these valuable assets from unwanted interference.

Web app scanners are software programs designed to do just that, “crawling” an organization’s Internet-facing website assets to identify and flag potential vulnerabilities. Importantly, the scanner does not have access to the website’s source code; instead, it simulates hacking attacks to reveal soft spots in a web application’s armor, which in turn enables the organization to plug that vulnerability before attackers try to exploit it themselves.

But the scanners have another purpose as well: discovering and cataloging an organization’s entire inventory of web assets – every website, web service, API, or application – so that nothing remains hidden, and anything later added can be tagged.

And when these scanners are absent, outdated, or simply don’t function as they should, the consequences for organizations can be steep.

Web applications: A top attack vector

More than 80% of the web application attacks reviewed in the Verizon Data Breach Investigation Report were attributed to stolen credentials.

According to the 2022 Verizon Data Breach Investigation Report, basic web applications were the top attack vector among the 18,000 security incidents and 3,000 known breaches the report examined, far outpacing other vectors such as email, software updates and backdoor intrusions. Once inside, hackers can steal sensitive PII – think medical data, payment card data, or even Social Security numbers – as well as intellectual property and other highly valued corporate assets. Sabotage of critical infrastructure, servers and other systems is also possible.

Clearly, traditional web app scanners are missing the mark, providing barebones protection at best while failing to discover and triage the full range of vulnerabilities common to dynamic, script-heavy web applications. There are a few reasons for this:

  • Many web app scanners provide only disjointed scanning coverage. They may uncover some but not all hidden web assets an organization has in its backlog. Hackers don’t care; all it takes is one unauthorized, long-forgotten web asset with a lingering vulnerability for them to sink their fangs in.
  • Scans can take days or even weeks to complete, depending on the complexity of the application. Traditional web app scanners, for example, struggle to read dynamically generated content, script-heavy assets, custom forms, and shared authentication schemes such as single sign-on.
  • Some scanners are vigilant yet imprecise, generating false positives by flagging as vulnerable web assets that are in fact both functional and secure.

The combination of these factors leaves organizations with a stunted view of their assets, a wider attack surface, and inordinately long scanning queues that ultimately undermine the DevSecOps agility that is expected of modern release cycles.

Scanners: Maximizing tools

Effective response to the threat involves effective tools, but it also requires proper tool configuration as well as operational processes to complement functionality. With that in mind, here are some recommendations to get the most out of web app scanners.

  1. Implement continuous discovery and testing. More recent web app scanners come with advanced crawling technology and discovery engines that allow them to scan the kind of web assets which still prove problematic for traditional scanners — for example, JavaScript-heavy pages or dynamically-generated content. Continuous, automated scanning can identify any web-facing assets associated with an organization, and then build a detailed inventory of these assets to minimize blind spots and loose ends.
  2. Increase vulnerability scanning coverage. Organizations can increase their scan coverage by integrating dynamic application scanning technology (DAST) with interactive application scanning (IAST) functionality. DAST is great for seeing how an application responds to attacks from the outside, but adding an IAST to the mix gives developers more insight into how applications perform from within, identifying runtime vulnerabilities in the code that might otherwise have evaded DAST detection. App security vendor Invicti says its integration of DAST with IAST not only finds more vulnerabilities, but also reduces false positives while resolving true positives at point of discovery.
  3. Integrate vulnerability management and security into the development pipeline. There’s not enough time for developers to manually fix every vulnerability revealed by web app scanners. But by automating remediation workflows and alerting developers to high-priority vulnerabilities with detailed issue reports and severity ratings, those same developers can triage, validate, and retest software without dragging security teams into the equation. This means that scans can be run as new code is introduced, granting developers an immediate feedback loop and saving them countless hours of manual testing and validation.
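
As an added illustration of recommendations 1 and 3 (not code from the article or from any vendor's product), the sketch below shows a pipeline gate that reconciles scan results against the asset inventory and blocks on confirmed findings at or above a severity threshold. The findings format, field names, hostnames and the `fail_at` parameter are assumptions constructed for the example.

```python
import json
from urllib.parse import urlsplit

# Constructed sample data: a hypothetical scanner export and asset inventory.
INVENTORY = {"www.example.com", "api.example.com"}
FINDINGS_JSON = """[
 {"url": "https://www.example.com/login", "issue": "Reflected XSS", "severity": "high", "confirmed": true},
 {"url": "https://api.example.com/v1/users", "issue": "Missing HSTS header", "severity": "low", "confirmed": true},
 {"url": "https://old-promo.example.com/form", "issue": "SQL injection", "severity": "critical", "confirmed": true},
 {"url": "https://www.example.com/search", "issue": "SQL injection", "severity": "critical", "confirmed": false},
 {"url": "https://WWW.example.com/login", "issue": "Reflected XSS", "severity": "high", "confirmed": true}
]"""

SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

def triage(findings, inventory, fail_at="high"):
    """Return (unknown_hosts, blocking, needs_review) for one scan run."""
    threshold = SEVERITY_RANK[fail_at]
    seen, blocking, needs_review, unknown = set(), [], [], set()
    for f in findings:
        parts = urlsplit(f["url"])
        host = parts.hostname or ""  # urlsplit lower-cases the hostname
        if host not in inventory:
            unknown.add(host)  # scanned asset nobody has catalogued
        key = (host, parts.path, f["issue"])
        if key in seen:  # same issue reported twice for the same endpoint
            continue
        seen.add(key)
        if SEVERITY_RANK[f["severity"]] < threshold:
            continue
        # Unconfirmed results go to manual review instead of failing the build.
        (blocking if f["confirmed"] else needs_review).append(f)
    blocking.sort(key=lambda f: -SEVERITY_RANK[f["severity"]])
    return sorted(unknown), blocking, needs_review

def gate(findings_json=FINDINGS_JSON, inventory=INVENTORY):
    """Exit code 1 if anything blocks the release or an asset is untracked."""
    unknown, blocking, review = triage(json.loads(findings_json), inventory)
    return (1 if (blocking or unknown) else 0), unknown, blocking, review

if __name__ == "__main__":
    code, unknown, blocking, review = gate()
    for h in unknown: print(f"UNINVENTORIED ASSET: {h}")
    for f in blocking: print(f"BLOCK  [{f['severity']}] {f['issue']} at {f['url']}")
    for f in review: print(f"REVIEW [{f['severity']}] {f['issue']} at {f['url']}")
    print(f"gate exit code: {code}")  # a CI job would pass this to sys.exit()
```

Separating unconfirmed results into a review queue keeps false positives from stalling releases while still surfacing them to a person.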

As attackers demonstrate increasingly sophisticated tactics, it is highly recommended that organizations upgrade their web app scanning software to sustain a healthy DevSecOps environment.

By introducing an automated web app scanner that continually discovers and tests an organization’s entire inventory of web assets, organizations will be better set up to avert damaging attacks down the line.

Daniel Thomas

Daniel Thomas is a technology writer, researcher, and content producer for CyberRisk Alliance. He has over a decade of experience writing on the most critical topics of interest for the cybersecurity community, including cloud computing, artificial intelligence and machine learning, data analytics, threat hunting, automation, IAM, and digital security policies. He previously served as a senior editor for Defense News, and as the director of research for GovExec News in Washington, D.C.
