As organizations continue to move traditional business processes into online and mobile applications, it’s becoming increasingly important to identify whether these applications contain cyber security vulnerabilities. As the number of applications developed explodes, the prospect of performing Dynamic Application Security Testing (DAST) on each application, with limited budgets and scarce resources, becomes increasingly daunting and seemingly impossible. Yet, with the volume and sophistication of cyber-attacks increasing at an alarming rate, to sufficiently protect themselves, organizations must be able to answer the following questions:
- Do we have vulnerabilities that an attacker could find?
- If an attacker found them, could they be exploited?
- If exploited, what is the risk and damage they will do to our business?
- What should be done to fix the vulnerability?
It’s never sufficient to rely on automated scan results alone
Typically, there are three main DAST options practiced today, and they vary in coverage, accuracy, and cost.
- Automated Scanning
- Automated Scanning with Manual Validation
- Automated Scanning with Manual Validation, and Manual Testing
When determining which option is right for each application, it’s common practice to take a risk-based approach to classifying applications, and then to let that classification decide the type of assessment each application requires. Although risk-based classification is an effective way to prioritize limited resources, it leads to the conclusion that automated scanning alone is acceptable for some applications, when in fact this is never the case.
In today’s cyber threat landscape, it is essential that all applications are manually tested by experienced Penetration Testers, because if they aren’t, many sophisticated and high-risk vulnerabilities will be missed. If an organization’s approach to DAST overlooks these vulnerabilities, it will certainly leave sensitive corporate information, and private customer information, at risk of compromise. Rather than asking ‘which of my applications require DAST with manual testing?’, you should ask ‘how frequently does each application need DAST with manual testing?’. This approach enhances standard practice by using a risk-based classification to prioritize the order and frequency in which applications receive DAST with manual testing, and it ensures that all applications receive this level of screening at least once.
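The scheduling rule above, as an added example that is not OpenSky’s own process: each application carries a risk tier that sets how often it is manually tested, and an application that has never been manually tested is always scheduled first, whatever its tier, so every application gets manual testing at least once. The tiers, the intervals per tier and the application list are assumptions constructed for the example.

```python
"""Added example (not OpenSky's process): a risk-adjusted schedule for
manual DAST. The risk tier sets the interval between manual tests;
never-tested applications are scheduled before everything else so that
every application is manually tested at least once. Tiers, intervals and
the application list below are constructed for the example."""
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# Assumed interval between manual tests per risk tier (constructed values).
TEST_INTERVAL_DAYS: Dict[str, int] = {"high": 90, "medium": 180, "low": 365}
TIER_RANK = {"high": 0, "medium": 1, "low": 2}

# (application name, risk tier, date of last manual test or None if never tested)
App = Tuple[str, str, Optional[date]]


def next_due(tier: str, last_manual_test: Optional[date]) -> Optional[date]:
    """Due date of the next manual test; None means never tested, i.e. due now."""
    if last_manual_test is None:
        return None
    return last_manual_test + timedelta(days=TEST_INTERVAL_DAYS[tier])


def overdue(apps: List[App], today: date) -> List[str]:
    """Applications that have never been manually tested or are past their due date."""
    names = []
    for name, tier, last in apps:
        due = next_due(tier, last)
        if due is None or due < today:
            names.append(name)
    return names


def schedule(apps: List[App], today: date) -> List[str]:
    """Order applications for manual testing.

    Never-tested applications come first (highest risk tier first), then
    the rest by due date, so the most overdue application is next and a
    higher tier breaks ties between equal due dates."""
    def sort_key(app: App):
        name, tier, last = app
        due = next_due(tier, last)
        if due is None:
            return (0, TIER_RANK[tier], 0)
        return (1, (due - today).days, TIER_RANK[tier])
    return [name for name, _, _ in sorted(apps, key=sort_key)]


# Constructed portfolio for the example.
PORTFOLIO: List[App] = [
    ("billing-portal", "high", date(2024, 1, 15)),
    ("hr-intranet", "low", None),
    ("mobile-api", "high", None),
    ("marketing-site", "low", date(2024, 3, 1)),
    ("partner-ws", "medium", date(2023, 12, 1)),
]

if __name__ == "__main__":
    today = date(2024, 6, 1)
    print("overdue:", overdue(PORTFOLIO, today))
    print("order:", schedule(PORTFOLIO, today))
```

Note that the two never-tested applications lead the list even though one of them is low risk; the tier only decides the order among them and how soon each comes round again.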
Automated scans consistently miss high-risk vulnerabilities
At OpenSky, we have hundreds of examples that form a clear pattern: automated scans, even with manual validation, consistently miss high-risk vulnerabilities that leave organizations exposed.
Automated scans are well suited to efficiently finding particular types of application vulnerability, including Cross-site Scripting, SQL Injection, and Server Side Request Forgery. Automated scans also identify particular misconfigurations, including incorrectly implemented TLS or the absence of recommended security-focused HTTP headers and cookie attributes. However, automated scans fail to identify many complex vulnerabilities, including Authentication Bypasses, Access Control Weaknesses, and flaws in business logic. Also, automated scan results alone contain scores of false positives and use generic risk ratings, both of which lead to significant wasted effort if they are not identified and addressed. Manual validation of automated scan results by security professionals removes false positives and adjusts risk ratings to an organization’s particular context, but it does not improve coverage.
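To make the coverage gap concrete, here is an added example (not OpenSky’s tooling) that puts the two kinds of check side by side. The header and cookie audit is the generic, context-free check a scanner can run against any response. The access-control check only works because a tester supplies application knowledge: two authenticated users and which record belongs to whom, which is exactly what a scanner lacks. The HTTP responses, the record store and the two `fetch_*` functions that stand in for the application are constructed for the example, and the whole thing runs offline.

```python
"""Added example, not OpenSky's tooling: a scanner-style header audit next
to a tester-driven access-control check. Responses, records and the two
fetch functions that model the application are constructed for the example."""
from typing import Callable, Dict, List, Optional, Tuple

# Headers a scanner typically flags when absent (constructed list).
RECOMMENDED_HEADERS = (
    "Strict-Transport-Security",
    "Content-Security-Policy",
    "X-Content-Type-Options",
    "X-Frame-Options",
)
COOKIE_ATTRIBUTES = ("Secure", "HttpOnly", "SameSite")


def audit_security_headers(headers: Dict[str, str]) -> List[str]:
    """Generic check: report missing headers and weak Set-Cookie attributes."""
    present = {name.lower(): value for name, value in headers.items()}
    findings = [f"missing header: {h}" for h in RECOMMENDED_HEADERS
                if h.lower() not in present]
    cookie = present.get("set-cookie")
    if cookie:
        # Attributes follow the first "name=value" pair, separated by ';'.
        attrs = {part.strip().split("=", 1)[0].lower()
                 for part in cookie.split(";")[1:]}
        findings += [f"cookie lacks {a}" for a in COOKIE_ATTRIBUTES
                     if a.lower() not in attrs]
    return findings


# Constructed in-memory "application": records with an owner, and two
# versions of GET /records/<id> for a given user (None = unauthenticated).
RECORDS = {
    101: {"owner": "alice", "body": "invoice for alice"},
    202: {"owner": "bob", "body": "invoice for bob"},
}
Response = Tuple[int, str]  # (HTTP status, body)
Fetch = Callable[[Optional[str], int], Response]


def fetch_without_ownership_check(user: Optional[str], record_id: int) -> Response:
    """Weak version: checks authentication only, never ownership."""
    if user is None:
        return 401, ""
    rec = RECORDS.get(record_id)
    return (200, rec["body"]) if rec else (404, "")


def fetch_with_ownership_check(user: Optional[str], record_id: int) -> Response:
    """Hardened version: the record must belong to the requesting user."""
    if user is None:
        return 401, ""
    rec = RECORDS.get(record_id)
    if rec is None or rec["owner"] != user:
        return 404, ""  # same answer for missing and foreign records
    return 200, rec["body"]


def check_object_access(fetch: Fetch, owner: str, other: str, record_id: int) -> List[str]:
    """Tester-driven check: another user must not see the owner's record.

    A scanner cannot derive this check on its own, because nothing in the
    responses says that `other` should be denied; the tester knows that."""
    owner_status, owner_body = fetch(owner, record_id)
    other_status, other_body = fetch(other, record_id)
    findings = []
    if owner_status != 200:
        findings.append(f"{owner} cannot read own record {record_id}")
    if other_status == 200 and other_body == owner_body:
        findings.append(f"{other} can read {owner}'s record {record_id}: "
                        "missing authorization check")
    return findings


if __name__ == "__main__":
    weak_headers = {"Content-Type": "text/html", "Set-Cookie": "sid=abc; Path=/"}
    print(audit_security_headers(weak_headers))
    print(check_object_access(fetch_without_ownership_check, "alice", "bob", 101))
    print(check_object_access(fetch_with_ownership_check, "alice", "bob", 101))
```

The header audit passes or fails on the response alone, which is why a scanner can apply it to every application it crawls. The access-control check needs a second account and a statement of who owns what; that is the application-specific knowledge a manual tester brings, and it is the reason the hardened `fetch_with_ownership_check` returns the same 404 for a foreign record as for a missing one rather than revealing that the record exists.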
And leave organizations exposed to the risk of damaging cyber incidents
In each example presented in the figure above, automated scans with manual validation of results would have left the organizations in question with a false sense of security, and exposed them to the risk of dangerous and damaging cyber security incidents and data breaches.
In our first example, a traditional web application, the automated scans missed the fact that any authenticated user could exploit a combination of previously unknown vulnerabilities to gain full administrative access to the application, as well as complete read and write access to the application’s database; a database that contained data for all the organization’s customers along with plain text versions of their passwords!
In our second example, a web service and web portal, the automated scans did find a high-risk SQL Injection vulnerability that would allow an unauthenticated user to read and modify all the highly sensitive information the application contained. However, they missed two other equally serious vulnerabilities that were only found during manual testing. Each of these carries the same serious business risk, and together they represent three ways that an unauthenticated party could read and modify sensitive data within the application from anywhere in the world.
In our third example, a mobile application and third-party cloud-based API, the automated scan again did identify a severe Server Side Request Forgery vulnerability, but missed multiple ways to gain read and write access to all of the information stored behind the cloud-based API. Manual testing proved that it was possible to bypass the authentication process entirely, and that sensitive data was being downloaded to the device even before authentication had occurred. Furthermore, it was possible to access the application source code and the intellectual property within. All that was required to achieve this was access to a mobile device with the application installed.
Establish a risk-adjusted frequency and manual test all of your applications
These examples demonstrate that, while it is necessary to find and fix the vulnerabilities identified by automated scans, it is critical to be aware that doing so is far from sufficient. Without also performing manual testing with experienced Penetration Testers, you’ll miss dangerous and damaging vulnerabilities buried in the heart of your applications.
Today, all organizations face the same reality: digital business is moving into online and mobile applications that need protection with limited funding and scarce resources. Understand and recognize the limitations of automated scans, and establish a risk-adjusted frequency for the manual testing of every application in your application portfolio.