Mark Ralls, the President and COO of Acunetix, was invited by Paul Asadoorian and Matt Alderman to take part in Enterprise Security Weekly episode 191 aired on July 22, 2020. The episode focused on the evolution of enterprise web applications and the impact of that evolution on web security at large.
After a short introduction in which Mark was asked about his career before joining Acunetix, the discussion first turned to the year 2005. That year was a milestone for web applications, with several new technologies launched, and it also happened to be the year Acunetix was founded.
Post-2005, the shift of the web paradigm has continued, with more changes increasing the complexity of the web and, as a result, the complexity of keeping it secure. While back in 2005 APIs were just custom interfaces connecting legacy applications, by 2018 they were already responsible for 83% of web traffic. Also, back in 2005, companies would not even consider putting crucial data and functionality in the cloud. Only 10 years later, Netflix based its entire infrastructure on AWS – proving its applicability for even the most processing-intensive applications.
One of the biggest challenges for enterprises attempting to keep an eye on their attack surface is the move to microservices. Microservices are a must-have if development is to be conducted using agile methodologies. At the same time, microservices split previously monolithic applications into many small web services, each of which is a web application in its own right. The result is that what used to be 30 apps quickly becomes 3000 apps, which was exactly the case with one Acunetix customer.
Another topic Mark discussed was the evolution of how DAST is perceived in the web security community. DAST tools were first perceived as useful only to pentesters, because they were just simple manual scanners with no management or integration capabilities. With the huge expansion of the web attack surface, the onset of microservices and APIs, and the massive move of legacy applications to the cloud, DAST tools had to evolve into comprehensive web vulnerability management solutions, and a few of them, like Acunetix, did.
Mark mentioned that SAST tools are excellent technology, but they are only useful when you know every application you have, along with its owner and the location of its repository. In the current enterprise landscape, which is often built on mergers and acquisitions, that is rarely the case. The biggest challenge CISOs face is that they are not aware of their complete web presence. This is one more capability that modern DAST solutions had to develop: discovery algorithms that find all web apps owned by a particular organization.
In summary, according to Mark, we have to completely reevaluate the way we have viewed security over the last 15 years.