The importance of web application security for government agencies

The Race to Close Every Gap

Maintaining a solid cybersecurity posture is an uphill battle to close every gap in your defenses even as new threats and attack vectors appear on what seems to be a daily basis. Recent high-profile incidents such as the SolarWinds and Exchange Server attacks have shown what advanced attackers can achieve if they find a single weakness – so what could they do when a whole layer of cybersecurity is overlooked or underestimated?

Federal policymakers and regulators are well aware of the significance of tightening cybersecurity measures, hence compliance requirements like FISMA and metrics like the FITARA Scorecard. Worryingly, the latest FITARA results show that compliance with cybersecurity requirements is a weak link in federal IT efforts, with 75% of agencies scoring C or lower in this area. The massive scale of recent attacks has laid bare the weaknesses of existing approaches and highlighted the urgent need to close the gaps, even as public agencies struggle to find and retain cybersecurity talent.

A Global Attack Surface for Critical Data

Attacks on web applications are now the most common type of cyberattack, with a recent Forrester survey finding that 39% of external attacks in 2020 involved web applications. Considering that web applications are now the gatekeepers of a wealth of citizen and government data, this makes web security a top priority. At the same time, the race is on to make as many services as possible available online for citizens, with the COVID pandemic only accelerating this trend – yet every increase in web presence and web accessibility also increases the attack surface. No matter if we’re talking about a modern all-cloud platform or a legacy system accessed through a web front-end, the safety of personal, financial, and political information often hinges on the security of a web page.

A successful cyberattack can have wide-ranging consequences for any organization, but while businesses are mainly concerned with the financial and legal impact of an incident, a lot more is at stake for government systems. With data breaches on the rise, public institutions are a prime target not only for cybercriminals intent on stealing personal data but also for state-sponsored threat actors seeking to gather intelligence. Keeping government web applications secure is crucial for the safety of citizens, businesses, critical infrastructure, and the country itself.

Approaching Web Application Security Testing

The challenges of finding, testing, and securing all of an organization’s web assets can be especially daunting for heterogeneous environments where legacy applications mix and interact with modern web platforms. This is often the case in government agencies where critical computerized data systems running on mainframes can still be in production use alongside new applications, glued together by interfaces and abstraction layers of varying vintages. Even keeping these patchwork systems in operation is a big ask, let alone ensuring their security.

On a policy level, government entities often have a mature network and systems security program based on the perimeter defense approach typical of the pre-cloud era. As a relative newcomer, web application security tends to get less attention and funding, despite the mounting intensity of web-based attacks. Tried and tested network security processes are not effective when applied to web application security, where the majority of vulnerabilities affect custom code rather than known products that can simply be patched.

Web security testing has traditionally relied on penetration testers who manually explore websites and applications looking for vulnerabilities that attackers might exploit. While periodic penetration testing is still a vital part of any web security program and often a regulatory requirement for public organizations, manual testing is slow, costly, and doesn’t scale to cover the hundreds or even thousands of web assets in a large organization. Automated code-level security testing (SAST) can help, but it is only an option when the application code is available and can be readily modified to fix issues – a luxury not found in many legacy environments.

Covering All Bases with Modern DAST

Dynamic application security testing (DAST) is the only approach to web application testing that can realistically combine accuracy and scalability with broad coverage regardless of the underlying languages and systems. Modern DAST tools such as Invicti have long overcome the limitations of early vulnerability scanners to provide a flexible solution to the web application security conundrum. They are easy to deploy in any web environment, do not need access to the application source code, and deliver actionable vulnerability reports from day one.

Invicti uses Proof-Based Scanning to detect and automatically confirm the vast majority of high-impact web vulnerabilities, taking the load off overworked security teams and speeding remediation. What’s more, automated asset discovery provides a clear view of your web attack surface even before the first scan runs. Invicti also comes with a rich set of out-of-the-box compliance reports and features flexible deployment options for effective testing and centralized visibility in any combination of on-premises and cloud-based environments. 

While a mature web security program should incorporate a balanced mix of tools and processes for maximum coverage, any gaps in the toolchain could mean gaps in security, putting citizen and government data at risk. Dynamic application security testing with Invicti delivers accurate vulnerability information while also complementing any existing tools, providing vital overall visibility, and ensuring demonstrable compliance with industry standards – so you always know what you have and what you need to secure.