Digital transformation has paved the way for businesses to adopt several new technology trends, including AI/ML, robotic process automation, 5G, 3D printing, virtual and augmented reality, IoT, blockchain, connected vehicles, and autonomous drones.

Invariably, the surge in these disruptive technologies has transformed the cybersecurity landscape. Some of these technologies have made hackers' lives easier by giving them plenty of opportunities to design and launch sophisticated cyber attacks. In response, businesses around the world are realigning their IT strategy by introducing shift-left testing techniques to combat security threats early on and throughout the SDLC.

With large enterprises frequently making headlines for data breaches, some of which compromise the personal data of millions of their end customers, many of them have made their information security policies (in terms of confidentiality, integrity, and availability) stringent and compliant with security standards such as NIST, HIPAA, PCI-DSS, GDPR, and SOC. Studies show that cybersecurity will remain among the top 10 technology trends for the next decade and more.

Verizon's 2019 Data Breach Investigations Report [1] shows that nearly 60% of hacking incidents are aimed at web applications. However, even today many web application owners are not building highly secure web applications, often due to a lack of awareness of the underlying security risks.
Web application security and security standards

With the birth of Web 2.0 (rich internet applications powered by HTML5), about 90% of web applications and APIs are exposed to security risks. Consequently, data breach trends have skyrocketed across most industry domains, including travel, retail, healthcare, banking and finance, and logistics.

Web application security aims to protect web applications and web services against various types of security threats. The best place to start understanding web application security testing is OWASP. The Open Web Application Security Project (OWASP) is a non-profit organization that aims to improve web application security. It maintains a list of the top 10 vulnerabilities, which is considered an industry standard for evaluating and securing web applications, mobile applications, and APIs.

The SANS Institute is a research and education organization that develops and maintains the list of the top 25 most dangerous software errors, also called the CWE (Common Weakness Enumeration) Top 25. Although these are two different standards, some vulnerabilities are common to both. They form the basis on which security testing professionals devise a security test assessment strategy for applications.
Vulnerability assessment versus penetration testing

The terms 'vulnerability assessment' and 'penetration testing' are sometimes used interchangeably, though they are not the same. Here is a quick analogy to understand the difference.

Consider this situation – you reach out to a security agency to check and confirm that your home is safe (secure). The security experts' team starts exploring various ways to identify the possible threats or means through which they can enter the house. They check the quality of the grills on the windows and balcony, the roof quality, the quality of the locks on the main door and the terrace door, the common walls shared with neighbors, the possibility of somebody tailgating into your compound, etc. Upon identifying the list of vulnerabilities, they perform a risk assessment, whereby they analyze the severity, impact, and probability of a planned attack. This is called vulnerability assessment, and it involves identifying the threats and doing a risk analysis. Upon completing the vulnerability assessment, if required, the team can go about identifying possible ways to exploit the identified set of vulnerabilities. For example, the team could use various tools to drill through the roof, break the door locks, bend or cut open window grills, cut open wooden doors, etc. to successfully enter the house. This is called penetration testing.

The skills and knowledge required to do vulnerability assessment and penetration testing are quite different. Based on organizational needs, the security testing strategy should include the right set of activities to validate applications against the top vulnerabilities listed by the security standards.
Popular application security testing types

There are three broad categories in application security testing:

- Static Application Security Testing (SAST) – This is a white-box testing approach that focuses on Source-Code Analysis (SCA) or Binary Code Analysis (BCA) without the need to run the application, assessing it inside out for security.
- Dynamic Application Security Testing (DAST) – This is a black-box testing approach where the running application is analyzed without any knowledge of its inner workings (as an external hacker would). Latent security issues in the design cannot be identified through DAST.
- Interactive Application Security Testing (IAST) – This is a white-box testing approach that combines the advantages of SAST and DAST by analyzing the code while the application is run, for instance as part of a DevOps pipeline, enabling thorough security testing.
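As an added illustration that is not part of the original article, the following Python script contrasts the first two approaches in miniature. The static half parses a module's syntax tree and flags dangerous sinks that receive non-constant input, without ever executing the module; the dynamic half sends a harmless marker to a running WSGI application and observes only the response, without reading its source. The sample module, the two WSGI applications, the rule set and the marker string are all constructed for this example.

```python
"""Added illustration of SAST versus DAST in miniature (not from the article).

SAST part: parse a module's source and flag dangerous sinks, never running it.
DAST part: send requests to a running application and judge it by its responses,
never reading its source. Everything here is constructed for the example.
"""
import ast
import html
from urllib.parse import parse_qs, quote
from wsgiref.util import setup_testing_defaults

# ---- SAST: the module under review is text only; it is parsed, never executed ----
SAMPLE_SOURCE = '''
import os
import subprocess

def ping(host):
    # untrusted string concatenated into a shell command
    return os.system("ping -c 1 " + host)

def run(cmd):
    # shell=True hands the whole string to /bin/sh
    return subprocess.run(cmd, shell=True)

def ls(path):
    # argument list and no shell: not flagged
    return subprocess.run(["ls", path], capture_output=True)

def calc(expr):
    return eval(expr)
'''

# Sinks a static rule flags when their first argument is not a literal (assumed rule set).
DANGEROUS_SINKS = {"eval", "exec", "os.system", "os.popen"}


def _call_name(node: ast.Call) -> str:
    """Dotted name of the callee, e.g. 'os.system'; empty string for anything complex."""
    func = node.func
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name):
        return f"{func.value.id}.{func.attr}"
    return ""


def sast_scan(source: str) -> list:
    """Walk the syntax tree and report (line, sink, rule) for each suspicious call."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        name = _call_name(node)
        literal_arg = bool(node.args) and isinstance(node.args[0], ast.Constant)
        if name in DANGEROUS_SINKS and not literal_arg:
            findings.append({"line": node.lineno, "sink": name,
                             "rule": "non-constant argument to dangerous sink"})
        if name.startswith("subprocess."):
            for kw in node.keywords:
                if kw.arg == "shell" and isinstance(kw.value, ast.Constant) and kw.value.value is True:
                    findings.append({"line": node.lineno, "sink": name, "rule": "shell=True"})
    return sorted(findings, key=lambda f: f["line"])


# ---- DAST: two constructed WSGI apps; the check only sees requests and responses ----
def vulnerable_app(environ, start_response):
    """Reflects the 'q' parameter into HTML without encoding."""
    q = parse_qs(environ.get("QUERY_STRING", "")).get("q", [""])[0]
    start_response("200 OK", [("Content-Type", "text/html")])
    return [f"<p>Results for {q}</p>".encode()]


def fixed_app(environ, start_response):
    """Same page with output encoding applied."""
    q = parse_qs(environ.get("QUERY_STRING", "")).get("q", [""])[0]
    start_response("200 OK", [("Content-Type", "text/html")])
    return [f"<p>Results for {html.escape(q)}</p>".encode()]


def _get(app, query_string: str) -> str:
    """Minimal in-process WSGI client standing in for the scanner's HTTP layer."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": "/search", "QUERY_STRING": query_string}
    setup_testing_defaults(environ)

    def start_response(status, headers, exc_info=None):
        return lambda data: None

    return b"".join(app(environ, start_response)).decode()


def dast_reflection_check(app) -> bool:
    """Send a harmless marker containing HTML metacharacters; if it comes back
    unencoded, the page reflects input verbatim, a reflected-injection weakness."""
    marker = "<dast-probe-7f3a>"  # constructed, inert marker
    return marker in _get(app, "q=" + quote(marker))


if __name__ == "__main__":
    for f in sast_scan(SAMPLE_SOURCE):
        print(f"SAST line {f['line']}: {f['sink']} ({f['rule']})")
    print("DAST vulnerable_app reflects unencoded:", dast_reflection_check(vulnerable_app))
    print("DAST fixed_app reflects unencoded:", dast_reflection_check(fixed_app))
```

The static rule sees the `eval`, `os.system` and `shell=True` calls regardless of whether those code paths are ever reached, which is why SAST can report findings in dead or unreachable code; the dynamic check knows nothing about the source and only learns that the vulnerable page echoes input unencoded while the fixed one does not. Neither check would detect a design-level flaw such as a missing authorization decision, which is the gap the text attributes to DAST.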
Application scanning tools

For application security testing, automated scanning tools can be used to accelerate the validation of the application against the OWASP Top 10 vulnerabilities and other standards. However, automated scanners cannot be considered an alternative to manual security testing. Automated tools validate the application against a common set of vulnerabilities available in their rules engine database, which may result in false-positive alerts and vulnerabilities reported with low confidence levels that need to be verified and validated manually. A security tester needs to validate the vulnerabilities reported by the tool manually. Besides, there are several security test cases related to authorization, user access control, etc., that can be covered only through manual testing. This emphasizes the need for security testing experts to do a vulnerability assessment after running automated scanners against the application under test.
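The triage step the paragraph describes, written out as an added Python example that is not part of the original article: scanner alerts are bucketed by the confidence the tool assigned them, duplicate instance URLs are collapsed, and the manual-only cases (authorization, access control, business logic) are appended to the worklist because no scanner rule produces them. The report is constructed here and only loosely mirrors the site/alerts layout of an OWASP ZAP JSON export; the field names, risk and confidence scales, and URLs are assumptions for the example.

```python
"""Added illustration (not from the article): triaging automated scanner output.

The report is constructed here and only loosely mirrors the site/alerts layout
of an OWASP ZAP JSON export; field names and values are assumptions.
"""
import json

# Constructed report. riskcode: 0 informational .. 3 high.
# confidence: 0 marked false positive, 1 low, 2 medium, 3 high.
SAMPLE_REPORT = json.dumps({"site": [{
    "@name": "http://app.example.test",
    "alerts": [
        {"name": "SQL Injection", "riskcode": "3", "confidence": "1",
         "instances": [{"uri": "http://app.example.test/search?q=1"},
                       {"uri": "http://app.example.test/item?id=2"},
                       {"uri": "http://app.example.test/search?q=1"}]},
        {"name": "Missing Anti-clickjacking Header", "riskcode": "1", "confidence": "3",
         "instances": [{"uri": "http://app.example.test/"}]},
        {"name": "Cross Site Scripting (Reflected)", "riskcode": "3", "confidence": "3",
         "instances": [{"uri": "http://app.example.test/search?q=1"}]},
        {"name": "Timestamp Disclosure", "riskcode": "0", "confidence": "0",
         "instances": [{"uri": "http://app.example.test/static/app.js"}]},
    ]}]})

# Test cases no scanner rule covers; appended to the manual worklist unconditionally.
MANUAL_ONLY_CASES = [
    "Horizontal access control: user A requests resources owned by user B",
    "Vertical access control: ordinary user calls admin-only endpoints",
    "Business logic: negative quantities, replayed coupons, skipped workflow steps",
]


def triage(report_json: str, min_confidence: int = 2) -> dict:
    """Bucket scanner alerts by confidence so a tester can plan manual validation.

    high_confidence: confidence >= min_confidence; still confirmed by hand, but likely real.
    verify_first: reported with low confidence; most scanner noise lands here.
    marked_false_positive: confidence 0, which the scanner itself treats as dismissed.
    Duplicate instance URLs within an alert are collapsed. Each bucket is ordered by
    risk, then confidence, highest first.
    """
    report = json.loads(report_json)
    high, low, dismissed = [], [], []
    for site in report["site"]:
        for alert in site["alerts"]:
            entry = {
                "name": alert["name"],
                "risk": int(alert["riskcode"]),
                "confidence": int(alert["confidence"]),
                "urls": sorted({inst["uri"] for inst in alert["instances"]}),
            }
            if entry["confidence"] == 0:
                dismissed.append(entry)
            elif entry["confidence"] >= min_confidence:
                high.append(entry)
            else:
                low.append(entry)

    def order(bucket):
        return sorted(bucket, key=lambda e: (e["risk"], e["confidence"]), reverse=True)

    return {
        "high_confidence": order(high),
        "verify_first": order(low),
        "marked_false_positive": dismissed,
        "manual_only": list(MANUAL_ONLY_CASES),
    }


if __name__ == "__main__":
    for bucket, entries in triage(SAMPLE_REPORT).items():
        print(bucket)
        for e in entries:
            print("  ", e if isinstance(e, str) else f"{e['name']} risk={e['risk']} conf={e['confidence']} urls={len(e['urls'])}")
```

The point of the split is scheduling, not skipping: the high-risk, low-confidence SQL injection alert goes to the front of the manual queue because it is the one most likely to be either a costly miss or a false positive, while the high-confidence alerts are confirmed more quickly. The manual-only list is carried alongside so that the authorization and business-logic cases the scanner cannot express are not forgotten once the tool's output is exhausted.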
Popular web application security testing tools

The good news is that several free, open-source web application scanners are available. Popular open-source DAST tools include OWASP ZAP, Vega, Arachni, w3af, Nikto, and Wapiti. Popular commercial tools include Burp Suite Pro, Acunetix, Netsparker, Nessus, Fortify, and AppScan. SonarQube is the most popular open-source tool for performing SAST. Popular commercial SAST tools include Checkmarx and Veracode. A comprehensive list of the various tools available in the market can be found in [2]. There are several popular penetration testing tools such as Metasploit, Core Impact, and Canvas.
Latest trends in web application security testing

Companies are increasingly aware that application security assessment is no longer a luxury add-on but a basic prerequisite for production deployment. By ensuring that applications do not have the common vulnerabilities listed by standards such as the OWASP Top 10 and SANS Top 25, Vulnerability Assessment and Penetration Testing (VAPT) assessments not only increase business owners' confidence in their applications but also provide a secure platform on which end users can rely.

But considering the COPQ (Cost of Poor Quality) of security defects identified at the end of the software development lifecycle, organizations are adopting best practices to shift their web application security testing left, particularly in Agile and DevOps environments. By bringing web application security testing (SAST and DAST) into the early stages of the software development life cycle and into the DevOps pipeline, secure applications can be built with confidence and efficiency.
References: