Managed security service providers (MSSP) are a fantastic alternative for small to medium-sized organizations whose primary objectives are to hire employees that are business-focused, not recruit teams of IT and security professionals who, whilst valuable to the security of the organization are not contributors to their core business. Outsourcing security services saves growing businesses the trouble of creating internal teams from scratch, which is not only difficult due to a major cybersecurity skill gap but also ends up with specialized personnel having very little to do on a regular basis.

However, cybersecurity evolves so quickly that many MSSPs have a hard time staying up to date. As a result, for example, there are quite a large number of MSSPs that do not include web application security as part of their services. This is primarily due to the rapid development of web technologies and the quick migration to the cloud. Just a few years ago, MSSPs were fine with focusing on network security and endpoint security (anti-malware solutions). Today, these cybersecurity disciplines are no longer more important than web application security.

Here are the 5 primary reasons why MSSPs need to include web application security in their service portfolio and why a professional web application security solution like Acunetix is the best choice as the basis of such services.

Web applications are a common attack target

In a recent study from Forrester Research, The State of Application Security 2021, web application attacks were pinpointed as the most common method of attack. This proves that while the global media talks mostly about phishing and ransomware, many businesses do not realize how important web application security is.

Another reason why the web is often treated neglectfully is the sudden shift of its importance. Just a few years ago, businesses primarily used the web for marketing purposes, sharing information, or communicating with customers. Now, the same businesses use the web for their primary revenue-generating activities and store the most sensitive information in web applications.

Attackers are, of course, aware of this, and find revenue-driving web applications a tasty treat: businesses often leave them unprotected and vulnerabilities are very common due to developers often shunning security. At the same time, most businesses have little idea about web development and leave it to third parties that are often not responsible for security-related consequences. Often applications that contain sensitive business data run on open-source engines with nobody at all responsible for their security. This chaos is a perfect environment for black-hat hackers.

You can’t cover web application security manually

Some MSSPs may think that the best way to cover web application security is by performing manual penetration tests. While it is true that manual penetration testing results in deeper security coverage, it consumes an insane amount of time. With the number of customers serviced by an MSSP and the number of websites and web applications to cover, hundreds of penetration testers would have to be working around the clock to cover all the bases for every customer.

This is also the reason why manual penetration testing tools are not the way to go for MSSPs. Professional penetrating tools like web proxies are top-notch in the right hands but it is the lack of hands that is the problem. What MSSPs need are solutions that automate the majority of alerts and cases thereby reducing the time and human resources needed to focus on critical high-risk issues, hence allowing prioritization of the most impactful and dangerous risks.

Packaged security solutions don’t cover web application security

Another assumption wrongly made by some MSSPs is that packaged network security solutions will cover web security well enough. That is not the case. While there are network security solutions that include limited-capability add-ons to cover the most common web application security vulnerabilities, these are too basic to make sure that your customer is well-covered.

Focusing your efforts on network security and treating web application security as an add-on would be a perfect approach just some 5 years ago. Now the tables have turned. Since most small businesses, especially new ones, have their sensitive data out in the cloud and have next to no on-premises solutions, network security dropped to a much lower priority. Network security still remains high for slow-development organizations such as government entities or some major corporations but not for SMBs.

Open-source solutions are not enough for web application security

Open source is a common choice for businesses, especially in the case of web applications. Web applications are often based on open-source platforms such as WordPress, which, according to W3Techs, is the basis for more than 42% of all websites.

This leads many to believe that the situation is similar in the world of web application security. After all, for example, there are excellent open-source network security solutions such as OpenVAS, which could easily rival the biggest commercial players. Unfortunately, this is not the case with web security – there are very few open-source platforms for web application security scanning and these platforms have limited capabilities. The biggest problem with them is the fact that they were made to be used as penetration testing tools, not automated solutions.

As a result, MSSPs that try to base their web application security services on open-source solutions encounter major problems with automation and ease of use and provide their customers with only a limited scope of web application security.

Why is Acunetix the best choice for MSSPs?

The only sensible way for MSSPs to offer web application security services is by using a specialized web application security product that was made especially for small businesses. Here are some of the reasons why Acunetix is worth consideration:

Secure approach to scanning production websites

Unlike high-tech companies, MSSPs very rarely run web application security tests for their customers in the SDLC stages or on test sites. This is because MSSP customers outsource not just their security but their web presence as well. As a result, MSSPs need to perform their scans on production websites.

Scanning production websites is not an easy task because a scan can easily cause an unintentional denial-of-service attack. Scanners simply need to communicate so intensively with the web application that regular customers can’t make it through and are denied access to the scanned target.

Acunetix was made to address that problem and keeps finding new approaches to make sure that production site scanning is safe. First of all, Acunetix enables scan throttling, scheduling for off-hours, and scanning using several different engines (agents) at once. This means that the scan can be performed slower (with more time between requests), at a time when there are few users on the production site, or from a location that does not cause bottlenecks. The second advantage is limiting the number of requests sent and the size of data packets sent. This helps minimize the impact of the scan on the website.

All in all, Acunetix was made to be as efficient as possible and that does not just mean its internal engine but, even more, the way that it scans its targets. This is a unique approach that is not shared by any competing products.

Gentle learning curve

MSSP security personnel have too much to do to be able to afford to twiddle endlessly with the complex configuration of security tools. They need something that they can use right there, right now. They require a simple, effective user interface with additional tools that make their life easier.

Acunetix approaches this by offering a minimal user interface with preconfigured best options. If the scan target requires complex authentication or includes complex multi-level forms with business logic, Acunetix provides very easy-to-use visual tools that let you log in and cover all the form options. MSSP personnel does not need to write scripts or spend hours learning to understand complex configuration settings, they just add the customer web targets and run the scans.

A tool that you can trust

With more than 15 years of history, Acunetix is the best established automated web application security scanner on the market, which has always been focused on the needs of small and medium-sized businesses like most MSSP customers. Other established web application security providers have solutions tailored for enterprises, which makes them not only too expensive for MSSPs but also not well adjusted to the needs of SMB customers.

Last but not least, the Acunetix Premium MSSP Console delivers a unique experience that matches how MSSPs go to market and work with their customers. A console that offers the flexibility to assign, manage, reassign, and delete targets together with automated consumption billing for the exact usage giving MSSPs true OPEX costs, rather than a lump-sum license cost in a CAPEX model.

To see whether Acunetix is the right tool for your customers, book a demo with us.

John Andrews
VP of Global Channel
John leads the global channel development team at Invicti Security (the parent company of Acunetix) and is passionate about business and culture. John has more than 20 years of experience in network infrastructure, security, consulting, channel development, account management, and marketing experience in the NA, EMEA, APAC, and emerging markets.