Vulnerability Testing, also known as Vulnerability Assessment or Analysis, is a process that detects and classifies security loopholes (vulnerabilities) in the infrastructure. For applications, this requires testing against the broad consensus on critical risks published by organizations like The Open Web Application Security Project (OWASP) and The Web Application Security Consortium (WASC). Vulnerability testing tools and vendors can also propose countermeasures to remove those vulnerabilities, followed by a validation test to confirm that the security issues have been resolved.

Broadly, Vulnerability Testing can be broken down into the following steps:

What is Vulnerability Assessment


  • Defining the goals or objectives of the process

Depending on the specific requirements of the client, the vulnerability assessment vendor sets the rules of the assessment and the resources it will require.

  • Gathering all the required information

Gathering details on the specific application or application cluster, which includes specific business logic, privilege requirements and so forth.

  • Testing application

The assessment expert uses tools to uncover deep-seated weaknesses. More complex flaws often require manual penetration testing (we’ll cover that too).

  • Reporting

Analyzing, documenting and reporting all the vulnerabilities found.

  • Remediation Support

Indusface Web Application Scanning takes it a step further by providing remediation guidelines and follow-up testing to ensure that the issues have been resolved.

  • Virtual Patch

If you cannot resolve it quickly (which is often the case), Indusface’s Total Application Security helps you fix it quickly with a policy in the Web Application Firewall (WAF) layer. The advantage goes beyond time to fix: it also provides a platform to monitor where the attacks are coming from and to automatically keep attackers out permanently, so they cannot try anything else, based on reputation identities and the history of attack attempts.

In light of the recent hacking incidents, more and more companies find application vulnerability testing and assessment important. They seek security mechanisms that extend beyond the traditional infrastructure perimeter. If you analyze some of the recent incidents, they were imminent. Think about it. We are putting applications everywhere. It changes the way we conduct business today for the better, but have we ignored weaknesses for far too long?

We must realize that applications, like most technologies, are vulnerable or will be vulnerable sometime in the future. And if the hackers find that out before you, the business will take a hit. In fact, as applications become deeply integrated into business processes, the risks have already grown. Don’t take our word for it.

According to the HPE Cyber Risk Report 2016, more than half of the studied applications struggled with security issues that are well documented for years now and should have been detected.

Vulnerability Testing Survey

Evidently, most organizations either do not have the right tools to detect such vulnerabilities or fail to understand their business impact. A proper vulnerability testing methodology with remediation guidance is the only feasible solution here.


Why is vulnerability testing critical?

What’s the need for testing when your developers follow secure development practices? While most development teams believe that they follow Software Development Life Cycle (SDLC) best practices, they underestimate the frequent application updates and the vulnerabilities that arise with every update. Here are some of the risks that your business faces with improper vulnerability analysis.

Customer Loss

Without proper testing mechanisms, companies often get to know about vulnerabilities only after an exploitation. Data breaches are a PR nightmare, but they can also affect your reputation in the long run. According to a survey conducted by OnePoll, more than 80% of the 2,000 people surveyed said that they were not likely to do business with an organization that has suffered a data leak involving credit and debit card details. Even a small SQL injection flaw can leave a database open for exploitation. Hackers need only one file containing personal details of users to malign years of your reputation.

Financial Damage

Did you know that Anthem will be paying over $100 million in the largest data breach settlement? Ashley Madison has agreed to pay $11.2 million for settlement in their 2015 data breach incident and Neiman Marcus will also be paying in excess of $1 million to customers whose credit card data was stolen.

These are just breach settlement numbers; businesses lose money in many other ways too. eBay’s hacking in 2014 led to declined user activity, while Target’s sales nosedived by 46%. It can take up to a year for companies to get back into the market.

Data Breach Impact

Eventually, businesses lose money by share price drops, settlements, customer loss, fines, and hiring security vendors or pen testers. Wouldn’t it make sense to cover loopholes in the first place?


How to use vulnerability testing effectively to avoid attacks?

Every business owner understands the risks of compromised applications, but do you also consider the importance of comprehensive testing? Are you using some online testing tool? There are plenty of automated vulnerability tools that look for superficial weaknesses and generate reports within minutes. However, most modern business applications are complex and updated frequently, and such automated scans fail miserably at detecting all the security loopholes.

Web application testing, especially on applications that deal with sensitive information, requires a comprehensive approach that reaches vulnerabilities beyond what OWASP or WASC has described. That is where Manual Penetration Testing becomes critical. Following are examples of business logic flaws that automated tools would miss.

- An e-commerce site allows users to add items to a cart, view a summary page and then pay. What if a user could go back to the summary page, keeping the same valid session, inject a lower cost for an item and complete the payment transaction?
- Can a user hold an item indefinitely in the shopping cart and keep others from purchasing it?
- Can a user lock an item in the shopping cart at a discounted price and purchase it after months?
- What if a user books an item through a loyalty account, gets the loyalty points, but cancels before the transaction could be completed?

These are just some of the simple scenarios that can cause confusion and possibly loss of revenue in the longer term. No automated vulnerability assessment technology will be able to detect such logical loopholes in the application.
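The first three cart scenarios above come down to one design rule: the server, not the browser, is the source of truth for prices, quantities and how long a reservation lasts. The following is an added example, not code from the original post or from any Indusface product; it shows the "before" shape of the price-tampering flaw beside a hardened checkout that recomputes the total from server-side state, rejects expired holds, and flags a posted price that disagrees with the catalogue so the attempt can be logged. The catalogue, the hold timeout, the dataclasses and the request payload are constructed sample data with assumed names.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from decimal import Decimal

# Constructed sample catalogue: the server's own source of truth for prices
# (assumed names; a real shop would read these from its database).
CATALOGUE = {"sku-100": Decimal("49.99"), "sku-200": Decimal("5.00")}
HOLD_TTL = timedelta(minutes=15)  # assumed: how long a cart line may reserve stock


@dataclass
class CartLine:
    sku: str
    qty: int
    added_at: datetime  # when the item (and its price) was reserved server-side


@dataclass
class Cart:
    lines: list = field(default_factory=list)


def checkout_vulnerable(payload: dict) -> Decimal:
    """The flaw: the total is built from the price the browser posted back
    from the summary page, so a replayed request with a lower price pays less."""
    return sum(Decimal(str(i["price"])) * i["qty"] for i in payload["items"])


def detect_price_tampering(payload: dict) -> list:
    """Detection signal: SKUs whose posted price differs from the catalogue price.
    Worth logging and alerting on even though the hardened path ignores the value."""
    return [i["sku"] for i in payload["items"]
            if i["sku"] in CATALOGUE and Decimal(str(i["price"])) != CATALOGUE[i["sku"]]]


def checkout_hardened(cart: Cart, payload: dict, now: datetime) -> Decimal:
    """Hardened form: recompute the total from server-side state only.
    Any client-supplied price is ignored, the quantity must match the
    server-side cart, and an expired hold must be re-added at today's price."""
    server_lines = {line.sku: line for line in cart.lines}
    total = Decimal("0")
    for item in payload["items"]:
        line = server_lines.get(item["sku"])
        if line is None:
            raise ValueError(f"{item['sku']} is not in the server-side cart")
        if item["qty"] != line.qty:
            raise ValueError(f"quantity for {item['sku']} does not match the cart")
        if now - line.added_at > HOLD_TTL:
            raise ValueError(f"hold on {item['sku']} expired; re-add at current price")
        total += CATALOGUE[line.sku] * line.qty  # price taken from the catalogue only
    return total


def run_demo() -> dict:
    """Exercise both paths with a constructed request that posts a 0.01 price."""
    now = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    tampered = {"items": [{"sku": "sku-100", "qty": 1, "price": "0.01"}]}
    fresh_cart = Cart([CartLine("sku-100", 1, now)])
    stale_cart = Cart([CartLine("sku-100", 1, now - HOLD_TTL - timedelta(seconds=1))])
    try:
        checkout_hardened(stale_cart, tampered, now)
        stale_rejected = False
    except ValueError:
        stale_rejected = True
    return {
        "vulnerable_total": str(checkout_vulnerable(tampered)),
        "hardened_total": str(checkout_hardened(fresh_cart, tampered, now)),
        "tampered_skus": detect_price_tampering(tampered),
        "stale_hold_rejected": stale_rejected,
    }


if __name__ == "__main__":
    print(run_demo())
```

The same pattern covers the loyalty-points scenario: award points only from the server-side order record once it reaches a completed state, never from a request the client sends during checkout.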

New-age business and cloud companies should look for comprehensive vulnerability testing, which also deals with logical flaws of the business. Ideally, it should combine frequent automated testing with manual penetration testing by security experts.


Web Application Scanning with Manual Penetration Testing

Vulnerability Penetration Testing

Indusface Web Application Scanning provides continuous and comprehensive web application dynamic security testing, which includes daily or on-demand automated scanning with penetration testing for mission critical applications.


Founder & Chief Marketing Officer, Indusface

Venky has played multiple roles within Indusface for the past 6 years. Prior to this, as the CTO @indusface, Venky built the product/service offering and technology team from scratch, and grew it from ideation to getting initial customers with a proven/validated business model poised for scale. Before joining Indusface, Venky had 10+ years of experience in security industry and had held various mgmt/leadership roles in Product Development, Professional Services and Sales @Entrust.