Vulnerability Testing, also known as Vulnerability Assessment or Analysis, is a process that detects and classifies security loopholes (vulnerabilities) in the infrastructure. For applications, this means testing against the broadly agreed lists of critical risks published by organizations like The Open Web Application Security Project (OWASP) and The Web Application Security Consortium (WASC). Vulnerability testing tools and vendors can also propose countermeasures to remove those vulnerabilities, followed by a validation test to confirm that the security issues have been resolved.
- Depending on the specific requirement from the client, the vulnerability assessment vendor sets the rules of assessment and the resources it would require.
- Gathering details on the specific application or application cluster, which includes specific business logic, privilege requirements and so forth.
- An assessment expert uses tools to uncover deep-seated weaknesses. More complex flaws often require manual penetration testing (we’ll cover that too).
- Analyzing, documenting and reporting all the vulnerabilities found.
Indusface Web Application Scanning takes it a step further by providing remediation guidelines and follow-up testing to ensure that the issues have been resolved.
If you cannot resolve it quickly (which is often the case), Indusface’s Total Application Security helps you fix it quickly with a policy in the Web Application Firewall (WAF) layer. The advantage goes beyond a faster time to fix: the WAF also provides a platform to monitor where the attacks are coming from and, based on reputation identities and the history of attack attempts, to automatically keep those attackers out so they cannot try anything else.
In light of the recent hacking incidents, more and more companies find application vulnerability testing and assessment important. They seek security mechanisms that go beyond the traditional infrastructure perimeter. If you analyze some of the recent incidents, they were waiting to happen. Think about it. We are putting applications everywhere. It changes the way we conduct business today for the better, but have we ignored weaknesses for far too long?
We must realize that applications, like most technologies, are vulnerable or will be vulnerable sometime in the future. And if the hackers find that before you, the business will take a hit. In fact, as applications become deeply integrated into the business process, risk has already grown. Don’t take our word for it.
According to the HPE Cyber Risk Report 2016, more than half of the studied applications struggled with security issues that have been well documented for years and should have been detected.
Evidently, most organizations either do not have the right tools to detect such vulnerabilities or fail to understand their business impact. A proper vulnerability testing methodology with remediation guidance is the only feasible solution here.
What’s the need for testing when your developers follow secure development practices? While most development teams believe that they follow Software Development Life Cycle (SDLC) best practices, they underestimate the frequent application updates and the vulnerabilities that arise with every update. Here are some of the risks that your business faces with improper vulnerability analysis.
Without proper testing mechanisms, companies often get to know about vulnerabilities only after exploitation. Data breaches are a PR nightmare, but they can also affect your reputation in the long run. According to a survey conducted by OnePoll, more than 80% of the 2,000 people surveyed said that they were not likely to do business with an organization that has suffered a data leak involving credit and debit card details. Even a small SQL injection flaw can leave the database open for exploitation. Hackers need only one file containing personal details of users to malign years of your reputation.
Did you know that Anthem will be paying over $100 million in the largest data breach settlement? Ashley Madison has agreed to pay $11.2 million to settle their 2015 data breach incident, and Neiman Marcus will also be paying in excess of $1 million to customers whose credit card data was stolen.
These are just breach settlement figures; businesses lose money in many other ways too. eBay’s 2014 hack led to declining user activity, while Target’s sales nosedived by 46%. It can take up to a year for companies to get back into the market.
Eventually, businesses lose money through share price drops, settlements, customer loss, fines, and hiring security vendors or pen testers. Wouldn’t it make sense to cover the loopholes in the first place?
Every business owner understands the risks of compromised applications, but do you also consider the importance of comprehensive testing? Are you using some online testing tool? There are plenty of automated vulnerability tools that look for superficial weaknesses and generate reports within minutes. However, most modern business applications are complex and updated frequently, and such automated scans fail miserably at detecting all the security loopholes.
Web application testing, especially in applications that deal with sensitive information, requires a comprehensive approach that reaches vulnerabilities beyond what OWASP or WASC has described. That is where Manual Penetration Testing becomes critical. The following are examples of business logic flaws that automated tools would miss.
- An e-commerce site allows users to add items to a cart, view a summary page and then pay. What if a user could go back to the summary page, still within the same valid session, inject a lower price for an item and complete the payment transaction?
- Can a user hold an item in the shopping cart indefinitely and keep others from purchasing it?
- Can a user lock an item in the shopping cart at a discounted price and purchase it months later?
- What if a user books an item through a loyalty account, receives loyalty points, and then cancels before the transaction is completed?
These are just some of the simple scenarios that can cause confusion and possible loss of revenue in the longer term. No automated vulnerability assessment technology will be able to detect such logical loopholes in the application.
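The four cart scenarios above all come down to the server trusting client state (a posted-back price, an old reservation, a booking that has not settled). Here is an added example, not Indusface code, of the server-side checks a reviewer would look for; the catalog, the 15-minute hold TTL and the points rule are constructed for illustration.

```python
# Server-side checkout checks for the four cart scenarios above (constructed example).
from dataclasses import dataclass

CATALOG = {"sku-1": 4999, "sku-2": 1500}   # constructed: price in cents, the server's source of truth
RESERVATION_TTL = 15 * 60                  # constructed: a cart hold expires after 15 minutes

@dataclass
class CartLine:
    sku: str
    qty: int
    reserved_at: float   # when the item was placed in the cart (server clock)

@dataclass
class Order:
    total: int
    status: str = "pending"
    loyalty_points: int = 0

def checkout(lines, submitted_prices, now):
    """Build the order from the catalog, never from what the client posts back.

    submitted_prices is the client's copy of the summary page; it is compared against
    the catalog only. Stale holds are rejected so an item cannot be parked indefinitely
    or bought months later at an old price.
    """
    total = 0
    for line in lines:
        if now - line.reserved_at > RESERVATION_TTL:
            raise ValueError(f"{line.sku}: cart hold expired, re-add the item")
        price = CATALOG[line.sku]
        if submitted_prices.get(line.sku, price) != price:
            raise ValueError(f"{line.sku}: submitted price does not match catalog")
        total += price * line.qty
    return Order(total=total)

def complete_payment(order, paid_amount, loyalty=False):
    """Loyalty points are granted only when payment settles, not at booking time."""
    if order.status != "pending" or paid_amount != order.total:
        raise ValueError("order not pending or paid amount does not match total")
    order.status = "paid"
    if loyalty:
        order.loyalty_points = order.total // 100   # constructed rule: 1 point per dollar paid
    return order

def cancel(order):
    """A cancelled pending order keeps no points, so book-then-cancel earns nothing."""
    if order.status == "pending":
        order.status, order.loyalty_points = "cancelled", 0
    return order
```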
New-age business and cloud companies should look for comprehensive vulnerability testing, which also deals with the logical flaws of the business. Ideally, it should combine frequent automated testing with manual penetration testing by security experts.
Indusface Web Application Scanning provides continuous and comprehensive web application dynamic security testing, which includes daily or on-demand automated scanning with penetration testing for mission-critical applications.
Founder & Chief Marketing Officer, Indusface
Venky has played multiple roles within Indusface for the past 6 years. He was instrumental in building the product/service and technology team from scratch and grew it from ideation to getting initial customers with a proven/validated business model poised for scale. He has proven experience (10+ years) in the security industry and has held various management/leadership roles in Product Development, Professional Services, and Sales during his time at Entrust Datacard.