How to improve application security testing when it falls short
Application security testing is a critical component of enterprise security. Find out what steps you can take to make sure your testing procedures fit the bill.
Those of us working in security like to think our efforts are all we need to find vulnerabilities, contain threats and minimize business risks.
I had this mindset early on in my security career. The thought was: Go through the motions; do x, y and z; and that will serve as a solid security foundation. I quickly learned the world doesn't work that way; action doesn't necessarily translate into results.
Certain efforts contribute to a security program in positive ways, while others burn through time, money and effort with no return. Yet, as it relates to application security, all is not lost. You can take steps as part of your program that can yield near-immediate payoffs, boost your security efforts and minimize your business risks.
It's easy to look at application security testing as a science -- a binary set of methodologies, tests and tools that can deliver what you need when executed on a periodic basis. The problem is that it's not true.
Without going into all the details required to run a strong application security program, let's look at some of the common shortcomings of application security testing and discuss what you should and shouldn't do as you move forward and improve. The following issues rank among the biggest applications security challenges.
Application security is often lumped into network security. This means application security testing is often part of more general vulnerability and penetration testing. As a result, application security doesn't get the detailed attention it deserves.
Simply running vulnerability scans with traditional tools isn't going to get you where you need to be. Organizations need to be running dedicated web vulnerability scanners like WebInspect and Netsparker, proxy tools like Burp Suite and the OWASP Zed Attack Proxy, and web browser plugins. This will enable you to perform the detailed testing necessary to uncover what are often critical web vulnerabilities that would have otherwise been overlooked.
Simply running vulnerability scans with traditional tools isn't going to get you where you need to be.
Web applications aside, mobile apps are often overlooked. I'm not sure why mobile app security is sometimes ignored. Mobile apps have been around years and often serve as a core component of a business's online presence.
Faulty assumptions about mobile app security abound, however, among them the belief that mobile apps offer only a limited attack surface because of their finite functionality, or that the apps themselves are secure because they have been previously vetted by developers or app stores. This perspective is shortsighted, to say the least, and it can come back to haunt developers, security teams and businesses as a whole.
Abandoning web testing because sites and applications are hosted by a third party. This is similar to mobile apps not being property vetted. If you're not doing the testing, somebody needs to -- and it better be the company doing the hosting or management because I can assure you, no one else is -- other than the criminal hackers continually trying to find flaws in your environment. The bad guys are probably not going to tell you about what they've uncovered until they have you backed into a corner, if ever.
Don't let bystander apathy drive your application security testing. Be accountable or hold someone else accountable and review the work.
Companies that decline to perform authenticated application testing. It may be difficult to test every possible user role, but you really need to examine all the aspects of your application eventually.
In the application security testing I conduct, I often see multiple user roles with no critical flaws. But when I test one or two more roles, big vulnerabilities like SQL injection surface. An oversight like this -- simply because you didn't have the time or the budget to test everything -- will likely prove indefensible. You need to think about how you're going to respond when the going gets rough with an incident or breach. Better yet, think about how you're going to prevent an oversight from facilitating application risks in the first place.
If you want to find and eliminate the blind spots in your application security testing, you must do the following:
Get the right people involved, including developers and quality assurance
Develop standards and policies governing application security.
Perform your testing on a periodic and consistent basis, repeatedly over time.
Keep management in the know and on your side.
A wise person once said, "Is this as good as you're going to get, or are you going to get any better?" Look at your application security testing program through this lens. Bring in an unbiased outsider if you need to.
You're probably working in the security field because it has great payoffs -- both tangible and intangible. Things change daily, and there's always something new to discover and learn. Whether you work for an employer or you're out on your own, if you're going to get better and see positive, long-term results with application security, you have to be willing to see what you're doing with a critical eye and assume there's room for improvement. Odds are, there is.
