Vulnerability management is one of the most important aspects of an information security program. Finding flaws, determining specific risks, and then following through to ensure those risks are minimized or eliminated sounds simple on the surface, but it’s not. Web applications and the overall function of application security further complicate vulnerability management. Some businesses largely focus their efforts on network hosts while others believe that web applications should get the most attention. Among all the organizations I’ve consulted with or performed security testing for, I have yet to see anyone who has fully mastered vulnerability management.

If you’re going to find and fix the flaws across your environment and truly build in resilience, you’re going to have to:

  1. Use good testing tools
  2. Use these tools at the proper times
  3. Leverage the full capabilities of such tools and continually work to get better

In the context of application security, approaches to testing for security flaws are all over the map. Some businesses focus much of their efforts on performing source code analyses of homegrown applications. That is a worthy endeavor but, based on the output I’ve seen when using source code analyzers, it’s not nearly enough. Some organizations I’ve consulted with rely on their network vulnerability scanners to find application flaws. Big mistake. Still other organizations, including large corporations with dozens of security staff members, don’t test their web applications at all. Or, just as bad, they rely on their service providers to do what’s right, including word-of-mouth pass/fail assertions or even high-level SOC data center audits, without ever validating the true security posture of the applications themselves.

The big thing that is missing in many vulnerability management programs, regardless of business size or industry, is the consistent use of dynamic application security testing (DAST) tools, a.k.a. web vulnerability scanners. At best, this is an indefensible approach to security that you don’t want to be a part of. At worst, all sorts of web application vulnerabilities can be overlooked, putting systems, sensitive information, and your overall business at risk.

If you are looking to build and maintain a resilient web application environment, then DAST absolutely has to be a part of your testing efforts. Years ago, I noticed that I was having to run not just one web application vulnerability scanner but two or more in order to find all the layer 7 flaws that mattered. Given the improvements in the DAST space over the past decade, I’m no longer convinced that you have to use multiple scanners, but you should use at least one! Given what DAST can uncover and how it can help you with risk analysis and mitigation efforts, it must be a part of your ongoing efforts. The good news is that you can start small with your most critical applications and then, quite easily, scale out to test all of your applications over time.

Taking a “good enough” approach to application security by only performing source code analysis or network-focused vulnerability scans will most certainly fail to yield the results that you need. No doubt, source code analysis and network vulnerability scans can complement web application testing efforts. Still, based on my experience, they will not paint the entire picture.

It’s easy to try to master all areas of your vulnerability management program at once. But don’t do it! You’ll only set yourself and the business up for failure. First, perform an inventory and business criticality analysis. Prioritize the applications that need testing now, and schedule those that don’t provide access to or house sensitive information for testing in the near future.

The important thing is to come up with a plan. Reality has taught us that there’s no such thing as perfect security. However, we are at the point now where reasonable security is expected. The best application security program is one that does not allow incidents or breaches to occur. The next best – and most attainable state – is one where application vulnerabilities are discovered and promptly mitigated over time.

Ask yourself: what is your end goal? Step back and look at the blind spots and weaknesses in your web application security efforts. You’ll likely find several areas that can use some improvement. It could come in the form of getting a better handle on web server and application inventory. It might be running web vulnerability scans more often. Or, it could simply be that you need better application-specific reporting and a means for tracking remediation efforts. Regardless, DAST must be a part of the solution.

Kevin Beaver

Kevin Beaver, CISSP is an independent information security consultant, writer, and professional speaker with Atlanta, GA-based Principle Logic, LLC. With over 32 years in IT and 26 years in security, Kevin specializes in vulnerability and penetration testing, security program reviews, and virtual CISO consulting work to help businesses uncheck the boxes that keep creating a false sense of security.