Error! That’s something we don’t have much room for in application security. Yet we leave so much to chance. The only reasonable way to find the flaws that matter – and to keep up – is to use automated tools and processes wherever possible.
Numerous information security studies show that application security is seriously lagging in many organizations. For instance, the 2013 Trustwave Global Security Report found that web applications are the most popular attack vector. The Verizon 2013 Data Breach Investigations Report found that SQL injection was a top exploit in hacking-related attacks. The same study also documented the significance of drive-by downloads facilitated by web application flaws. The seemingly benign cross-site scripting and browser-related flaws of past years are now facilitating advanced malware attacks in big ways.
You have to step back and ask yourself if what you’re doing with application security is good enough; or are there ways you can you make it better? Chances are you’ll fall into the latter category.
In order to get the most out of your application security testing, minimize your costs, and work more efficiently, you’re going to have to bridge the gaps that exist between automated testing and manual testing. This is arguably the most important step in making big changes to your application security testing program.
The thing is, you likely have way more web applications to test than are actually being tested. Many people focus solely on their core applications; but all a criminal hacker has to do to make your life miserable, is find a flaw in a seemingly benign web system such as a marketing site or development system that’s publicly accessible. Odds are your business has cloud services that are being developed and/or deployed without your knowledge or consent as well. How can you possibly secure what you don’t even know about?
I heard someone say recently that good advice is based on bad experience. There’s hardly anywhere in business this rings more true than in application security. Learn from other people’s mistakes while you can. Continuous improvement requires seeing the bigger picture and changing up your application security program where necessary. Automation is very big part of that.
Get started today. Choose good tools, tweak your testing processes, and make sure your application security and testing policies are actually being followed. Refining your application security testing program over time will put you and your business on the right track to keep from being yet another statistic in future information security reports.