DevSecOps : How WAF and Application Security Scan fits in
While organizations are increasingly aware of security and the impact unpatched vulnerabilities could have on their business, it is still nascent in many organizations – even those with mature development processes. Automated tests are essential in the Agile, CI/CD world where deployment cadence and confidence in the deployment depends a lot on the quality of tests. In this context, how good is your automated application security testing?
Security Risk Assessment: Scanning & PT
Dynamic scanning tools, like Web Application Scanners (WAS), are used during the QA, staging/pre-deployment, and production environments. Web Application Scanner will probe for vulnerabilities from the outside like an attacker would and should be an indispensable part of the DevSecOps (DevOps with security awareness) process. Manual pen testing will detect issues in business logic and complex workflows that automated tools struggle with and needs to be done to ensure maximum coverage.
Some of the essential features for a WAS to be part of DevSecops other than the obvious ones like coverage, depth, etc. are
- Consistency of findings
- Run a subset of tests or scans. This is useful for cases where organizations need to focus on the most critical issues, a ‘’bug bash” scenario, and for quicker results if required.
- Verify fixes by rerunning very specific tests (Security regression)
- Automate much of the manual pen testing results
- Integrate with the tooling that already exists.
App Security Risk Protection/Mitigation: WAF
DevSecOps also deals with mitigations viz. how to protect against vulnerabilities found in production/post-deployment. This is done through security solutions at various points in the path from the user to the application like edge firewalls, Web Application Firewalls (WAF), or agents in the application. Web Application Firewalls inspect and filter layer 7 (HTTPS) traffic to protect web applications from malicious traffic including the vulnerabilities reported by WAS and DDOS attacks.
WAF not only gives breathing space for fixing known vulnerabilities found by scanning and other tests, but it also protects against vulnerabilities that are found only by attackers in production. For Organizations with multiple applications, the vulnerability will likely exist in many other sister sites. Scrambling to fix, test, and deploy under the gun is not pleasant.
WAF will detect and block attacks from the edge and, even if pre-existing protection is not available, custom protection once is written can protect all the sites behind WAF. In fact, integrating the WAS results with WAF allows speedy, automatable, targeted protection for known issues.
The above also illustrates why security testing only in the development lifecycle is not sufficient; new vulnerabilities and ways to exploit are being discovered all the time. This could even be because of a vulnerability in third-party components/frameworks that the application uses eg. the recent Apache Struts vulnerabilities.
A pet peeve – I read a few blogs about dynamic languages and memory leaks, memory bloat where they talked about how an app only needs to be stable for the longest deployment window – which is shrinking, btw! Of course, I can see it from the business pov since these issues are typically very onerous and time-consuming to chase down and fix, and the temporary solution of increasing resources works. All of us have taken calls like this at various times but makes you wonder how many other such decisions are taken in projects under time pressure?
Organizations that are just starting down the automated testing path are probably getting QA to do some security testing. Even here there is immense value in running automated scanners periodically and having server protection like WAF, with the added bonus of the solution being ready to become part of automated testing and CI when the organization is ready.
Continuous deployment with security is where everyone is moving towards, and Indusface WAS and WAF can help you on that journey.