Websites and web applications are getting more complex every year. Determining the web attack surface and securing assets all across the organization is a daunting task, especially for a small security team. Let’s find the sources of this complexity and see how you can beat it to secure all your web assets.
The days of coding a website as a few HTML files in Notepad are gone and unlikely to come back. Like software Lego bricks, existing web technologies and features are used as the building blocks of new frameworks, toolkits, and libraries. If you add to that dynamic page manipulation using browser-side scripting, most of the code rendered by the browser is generated during execution, making it that much harder to check and secure.
Gone are also the days of having all your website files on a central server. Modern websites and web applications can use hundreds of assets pulled from all over the web, including scripts, styles, templates, images, and videos. Again, most of these are only loaded at runtime, so there is no easy way of checking all the assets beforehand.
Looking at application architecture, the monolithic web applications of old are giving way to distributed, service-based architectures. With microservices, an application can be decomposed into hundreds of containerized services that are launched on demand, so there is often no way of knowing exactly what is running at any given time.
As web applications get bigger, more complicated, and more distributed, so does application development. Multiple in-house or outsourced teams can be working on separate modules and services without knowing what everyone else is doing. When you add to this the widespread reliance on open-source toolkits and libraries, the picture gets even more complicated.
Starting with the obvious, modern web applications have come a long way since static click-and-wait sites that served as the first web interfaces. Fueled by the rise of cloud and mobile, web applications are getting ever closer to the capabilities of full-fat desktop products. The constant drive to expand functionality and improve the user experience means more new libraries and toolkits – and more complexity.
As the functional scope of web applications grows, so does the volume and diversity of data they handle. Many of the early web applications were little more than web interfaces for a central database, but today’s web systems process vast amounts of data stored in multiple locations on-site and in the cloud. Instead of the closely-guarded central database, we now see business data distributed all over the web.
With entire organizations transitioning to cloud-based solutions, ensuring compliant access management has become a major concern. Company-wide HR structures need to be mapped to the right application and data access privileges, whether manually or through directory integration. When all business systems are accessible from the web, strong authentication and authorization must be used and correctly configured to prevent unauthorized access.
The Security Challenges of Growing Complexity
To secure something, you need to know at least what it is, where it is, and how it works. When you had all the website files on a central server and all your data in a central database, this was reasonably straightforward, especially if you only had a handful of user roles. But what do you do when every single aspect of the web environment has been chopped up into little pieces and spread all over the Internet?
All these moving parts are also changing frequently: sites are put up and taken down, application features are added and removed, users join, leave, or get different privileges, and regulatory requirements for storing different types of data change. And that’s without going into the implementation and configuration details of all the functionality that web systems have to provide. The truth is that in any sizable organization, nobody can possibly know the entire attack surface of the web environment – while an attacker only needs to find a single point of entry.
Beating the Numbers with Automation
When any workload gets too heavy for manual processing, automation is the obvious way to go. No sane developer would develop and maintain a large application without an automated build system, just as system administrators rely on automated scripts to run routine tasks such as backups and updates across hundreds of systems.
Web application security testing is another area with traditionally manual tasks just begging to be automated. Especially in large organizations, purely manual testing can never give complete coverage in a realistic time due to the huge number of assets and limited human resources. But when attempting to automate web application security testing, there is one major difference: you don’t have a ready list of manual tasks to automate, so automation needs to come in even before you start testing.
Automating Security with Dynamic Testing
Let’s recap: you have an unknown number of web assets spread across multiple locations and you want to test them all, even if you don’t know about them yet. The only possible approach in this case is dynamic application security testing (DAST) to explore and probe the running web environment accessible to users and potential attackers.
Automation starts with automated discovery and crawling to identify all web assets that need to be tested. This includes all web-facing entry points, so not just web forms and other UI items but also APIs and web services. Accessing them may require authentication, which presents another major challenge for automation.
Remember that modern applications are often chopped up into multiple services and when it comes to scanning, one distributed application can mean hundreds of assets. At that kind of scale, automation requires unfailing accuracy to find actionable issues without flooding the user with thousands of irrelevant results.
How Netsparker Deals with Complexity
All DAST solutions are not created equal and Netsparker is unique as the only product on the market that truly puts automation first. From day one, Netsparker has focused on features and technologies that are vital for accurate and effective automation. Its proprietary Proof-Based Scanning™ technology allows automatic verification to indicate which vulnerabilities are real and directly exploitable. Provably accurate results then provide a solid foundation for workflow automation with numerous integrations, comprehensive reports, configurable notifications, and automatic fix re-testing.
Complexity has a way of creeping up on you and overwhelming your limited resources, whether in security or any other area of IT. The only way to beat it in web application security is through relentless automation and obsessive accuracy, using dedicated tools developed with precisely this goal in mind.