2020 – The Year in Review

The year 2020 won’t go down in history as one of the best, for sure. However, it has actually led to some positive developments. Let us take a look at 2020 in the world of web application security, share our own experiences, and point out some valuable content that we brought to you this year.

Effects of the Pandemic on Web Application Security

There were two primary reasons why the COVID-19 pandemic had an immediate impact on IT security and web application security:

• One of the first measures introduced everywhere to combat the pandemic was social distancing, which meant an immediate shift towards remote work.
• The feelings of panic and uncertainty associated with COVID-19 were useful to malicious threat actors as tools to attack the weakest point of IT security – the human factor.

The following effects were felt in the general IT security landscape – none of them surprising:

• Businesses strongly realized that it is more difficult to manage the security of endpoints used by remote employees than local, physically accessible computers, especially if employees are allowed to use their private hardware for work.
• For anyone working with any kind of sensitive information, connection security became a problem and therefore VPN connections became commonplace. This was also an opportunity for VPN vendors to try and sell their home solutions more aggressively.
• Due to endpoint security issues and the panic effect, pandemic-based phishing became commonplace and the world experienced a major rise in the total number of phishing attacks.
• Ransomware gangs made medical institutions their targets, knowing that they have a chance to extort money quickly, especially if the impacted institution is involved in pandemic-related research.
• Many companies had organizational problems, experienced chaos, and threat actors perceived that as a great opportunity for attacks, especially ransomware. The “cherry on top” was the recent revelation of the SolarWinds hack, which impacted more than 18,000 organizations around the world.

What does the above mean to web application security?:

• Some businesses shifted their IT security focus from web application security to endpoint security. This was not the best move because it was expected by threat actors who could then exploit web vulnerabilities more easily.
• Due to the difficulties of managing remote employees and internal networks together, more organizations became inclined to move to the cloud. Since the cloud requires web application security, these organizations are more and more realizing that they need to shift their security focus to this area.

Therefore, the final effect of the shift to remote work is actually… increased importance of web security.

The Pandemic and Us

As a modern, agile, global organization we felt no effects of the pandemic on the quality of our work. It turned out that a sudden shift to home offices was not only welcome by many but it did not have any negative effects, except missing the sight of our colleagues face-to-face. We realized that our teams work great together even if physically apart. This could actually be perceived as a very positive effect of the pandemic on work culture, not only for us.

The pandemic did not alter our development plans, either. The company keeps growing very quickly and our ambitious 2020 roadmap is completed. Our plans for 2021 are even more ambitious and we’re well underway working on them. We realize that with the growing importance of web application security, we are needed more than ever and we must give it all we’ve got to make sure that our customers can cover all the bases.

We realize that not everyone had it that easy. That is one of the reasons why back in March we offered complimentary licenses to agencies fighting COVID-19.

A Look Back at the Blog

Last but not least, let’s have a look at some of our most valuable blog posts this year.

The year 2020 has been quite revolutionary to Acunetix as a product. Here are some highlights from our releases:

• Acunetix version 13 was released in February 2020 with a greatly improved user interface and tons of new features such as the new SmartScan engine, malware scanning, and much more.
• In May, Acunetix introduced the Business Logic Recorder, which lets you tackle vulnerabilities that are difficult to discover – those hidden behind business flows. Then, in June, we introduced support for GraphQL and OAuth 2.0.
• In July, Acunetix became the first professional vulnerability scanner available on macOS.
• Last but not least, in October we were named by Gartner as the 2020 Gartner Peer Insights Customers’ Choice for Application Security Testing, proving that customers all over the world value our product and the way that it grows.

In 2020, we brought you the following reports, whitepapers, and deep case studies:

• Just like every year, we analyzed the web application security landscape and came to the conclusion that we’re still far away from the goal of eliminating the most common security vulnerabilities.
• We also teamed up with Dimensional Research for a global business survey. As a result, we found out that enterprises are losing the war.
• To show you how businesses tackle the shift left, we brought you a very detailed case study of a medium-sized business and its journey towards web application security in an agile SDLC.

An area that we focused on strongly this year is spreading the understanding of why web application security is important, how is it sometimes misunderstood, and where to begin:

• We started the year by explaining what we perceive as web security basics. Later on, we also explained to beginners what is website security and how to keep websites secure. Then, we explained how web vulnerability scanners work, showing the differences between signature-based and heuristic scanning.
• We explained how to avoid uncoordinated vulnerability disclosure – what to do if a white-hat hacker contacts you and tells you that your web application is vulnerable. We also talked about secure coding principles – what to do to make sure that Acunetix finds fewer issues.
• We attempted to debunk some cybersecurity posture myths that might cause major issues for organizations. We also analyzed the current web application security landscape and attempted to foresee the content of the 2021 edition of the OWASP Top 10 list.
• We gave you reasons why we believe that DAST is the best way to start with web application security. We also talked quite a bit about DevSecOps and the agile SDLC – the challenges and the benefits.
• Last but not least, we discussed the importance of vulnerability bounty programs but pointed out their disadvantages and warned against complete reliance on them. We discussed the importance of endpoint security vs. web application security and emphasized that they should be treated with just as much care. We also explained why web application security is very important to avoid ransomware attacks.

We’d like to conclude by honoring a great addition to our team, Kevin Attard Compagno, who has brought tons of very useful practical content to our blog (in addition to continuously improving support documentation). Here are some of the key areas that he focused on with his practical guides:

• Step-by-step guides to scanning intentionally vulnerable applications to test the effectiveness of the scanner: OWASP Juice Shop, bWAPP.
• Step-by-step integration guides for Jira, Jenkins, GitHub, GitLab, Azure DevOps.
• Step-by-step guides to scanning web services and APIs: SOAP, REST, GraphQL.
• Examples showing how to use the Acunetix API: using Python, Bash, and PowerShell.
• Other interesting step-by-step tutorials, for example, scanning Google OAuth 2.0, scanning an application in Docker using AcuSensor IAST, how to use the new feature of Acunetix: Business Logic Recorder, and more.

Thank you for being with us this year and thank you for being our regular blog reader. We look forward to next year and to bringing you more and more innovation with Acunetix.