In this week’s Whiteboard Wednesday, Coreen Wilson, Product Marketing Manager for Application Security at Rapid7, discusses the rapid pace of application development, why traditional DAST scanners are struggling to keep up, and what steps you can take today to comprehensively secure web apps leveraging modern frameworks and technologies like AJAX, ReactJS, and more.
To learn more about the tough questions you should be asking your application security vendors, check out our Application Security Buyer’s Guide.
Hi and welcome to this week's Whiteboard Wednesday. I'm Coreen Wilson, the application security product marketing manager for Rapid7 here to talk to you about assessing and securing modern web applications.
For security professionals, keeping up with application complexity is tough, especially in today's world. Back in the day web applications were built to present information to a reader—that’s it. No, or very little engagement. Nice and static and easy for the quarterly manual pen test to help with those pesky risk reports.
But let’s face it, these days organizations are building or using interactive websites. Today it’s all about user engagement. And web developers have risen to the challenge of satisfying user expectations. New versions can be deployed at a moment’s notice, bug fixes can be pushed several times a day, and user behavior can help guide the next big feature.
While cloud hosting can guarantee uptime and automatically scale as demand increases, this shift in application development and delivery has also introduced a whole new complexity of accurately assessing application risk—testing coverage.
Think about it, the evolution of traditional apps to the apps we see and use today with RESTful APIs, single page applications, microservices, and apps with complex workflows, like shopping cart sequences have driven security professionals to adopt scanning tools that allow for automation, scalability and extensibility.
But what happens if your automated testing solutions aren't covering or can’t cover of all the elements that makes your application an application? The fallback is manual pen testing which, just isn’t scalable for organizations that have 50, hundreds, or thousands of web applications.
While dynamic scanners are always attempting to keep up with these changes, inevitably there are dips in coverage while we figure out ways to keep up with ever-changing applications. Admittedly, a dynamic scanner can never actually cover 100% of an application -yet, there are always things that have to be tested manually, but not all DAST tools are created equal.
We've heard from security experts that dynamic scanner coverage has actually eroded in recent years and the gap in coverage is growing. So instead of their DAST scanner giving them accurate results to address potential risk, it's making them spend time on figuring out why the application “broke the scanner”. Does this sound like a problem you have?
Well I have some advice. Start by asking your vendor the tough questions.
How do you stay current with ever-changing apps? Today’s apps have rich client interfaces and APIs that are very difficult to address. Review your logs with your vendor and have them explain coverage, or lack thereof.
How does your solution ensure maximum coverage? Less coverage means more manual work and more manual work means more costs associated with securing them.
Bonus question: How does your solution authenticates and maintain sessions? You don’t want to babysit you application all night long to ensure scanning has been completed. And continue to ask questions.
Need help figuring out what other questions you should consider asking? Take a look at Rapid7’s Application Security Buyer’s Guide.
That’s it for this week’s whiteboard Wednesday and we'll see you next week!
