The 2018 Global Security Report from Trustwave found that all web applications are vulnerable to attack. Yes, you read that right. All applications had at least one vulnerability, and the average number of vulnerabilities found per application was eleven.
The report also identified a dramatic increase in the number of vulnerabilities reported in 2017. This is largely due to the drastic increase in the number of people using web applications and in the number of web applications on the market.
To protect your web application from attackers, your web application testing must be comprehensive, analyzing your application from many angles. A “one and done” approach is not enough. A proper method includes penetration testing, vulnerability assessments, and application vulnerability correlation.
Web application penetration testing: It really is that important
A penetration test, or pen test, is a simulated attack against your web application. Previously, penetration testing was mostly performed on networks, rather than the applications running on those networks.
The purpose of a pen test is to identify vulnerabilities in your application that an outside attacker could exploit. Penetration testing can be performed against the various types of code and systems used in your application, such as APIs and servers.
Penetration testing at the application level has become more common, thanks to the introduction of the Secure Software Development Lifecycle (SSDL). SSDL gives security greater importance during all phases of application development and maintenance.
Best practices dictate web applications should undergo penetration testing once every quarter. But the reality is quite different. A recent study discovered that most organizations do not follow this advice, with about one-third of those surveyed only pen testing their applications once per year.
Pen testing usually involves five phases:
- Planning and data gathering—Define the goals of the penetration testing. Which systems will be included? What testing methods will be used? Gather data on the attack target, which may include the network or domain name, for example.
- Scanning—Tools are used to gather more data and information on the target. Examples include a vulnerability scanner and DAST tools, which are discussed in more detail in the next section.
- Gaining access—Web application attacks such as Cross-Site Scripting or SQL Injection are launched to expose vulnerabilities. Pen testers try to expose these vulnerabilities by stealing data or increasing permissions. The goal is to understand how much damage can be done.
- Maintaining access—Determine if the exposed vulnerability can be used to achieve a persistent presence in the application. In other words, can the attacker get deep within the web app, accessing sensitive data and causing more harm?
- Covering tracks—The tester, acting as the attacker, takes care to remain undetected. Changes made to the system must be returned to a state that will not raise a red flag.
Penetration testing results in a formal report that details the vulnerabilities that were exploited, how long the tester was able to remain undetected, and the sensitive data exposed. This information is used to remediate vulnerabilities and improve the security of the web application to help protect against real attacks in the future.
Penetration testing methods include:
- External testing—Only systems and assets that are visible on the internet, such as the web application itself, are targeted. The goal of the testing is to gain access to the application and its data.
- Internal testing—The pen tester has access to the application behind the firewall. A potential scenario could be a rogue employee or stolen credentials from an employee.
- Blind testing—The pen tester is given the name of the company, but nothing else. This simulates an actual application attack in real-time.
- Double-blind testing—This is similar to a blind test, but the security team is not made aware of the simulation. They have no time to prepare for the attack.
- Targeted testing—The penetration tester and security team work together, informing each other of steps taken to attack the application and to defend against the attack. This serves as a training exercise that provides real-time feedback during an attack.
Penetration testing is, for the most part, a manual process. Human testers need to apply a higher level of skill to properly identify all of the exploitable vulnerabilities in a web application. But there are tools available to assist with penetration testing:
- OWASP ZAP—The OWASP Zed Attack Proxy (ZAP) is a free security tool that is maintained by hundreds of volunteers around the world. It is a great resource for pen testers to help identify security vulnerabilities in web applications.
- Burp Suite—Burp Suite is a graphical tool for web application security testing. There is a free version and an upgraded version you can purchase. The free version is very limited, but the advanced version can perform automated attacks on a web application. The tool can detect SQL Injections, Cross-Site Scripting, and other vulnerabilities. Feedback-driven scanning logic mimics a human tester.
- Code Pulse—Code Pulse is an open-source tool that automatically collects code coverage information during a pen test. As code is exercised, a visual representation of your application’s attack surface is updated in real-time, showing pen testers which parts of the application have been tested.
Vulnerability testing: How much do you really need to do?
A vulnerability assessment identifies security flaws in a web application. This is accomplished through application vulnerability testing.
There are many tools on the market to assist with threat and vulnerability assessment. The only way to make sure that your application is not leaving your users (and your company) open to attackers is to use a combination of tools.
Why? Because different tools identify different problems. A combination of tools provides comprehensive web application security. Tools that should be used include:
- Static Application Security Testing (SAST) tools—These examine the source code, byte code, or application binaries for security vulnerabilities. Examples include Fortify SCA, CodeSonar, and Veracode. They look for known vulnerability patterns that developers may not be aware of. They are scalable and automate part of the testing process by scanning code without manual activity. However, SAST tools tend to identify a high number of false positives, and findings need to be analyzed and prioritized, requiring time and resources.
- Dynamic Application Security Testing (DAST) tools—DAST tools approach the application from the outside as it runs, simulating a real attacker. Examples include Burp Suite, HP WebInspect, and Appscan. Because DAST tools require a running application, they cannot be used until development has reached a certain stage, and they will not help identify issues early on.
- Interactive Application Security Testing (IAST) tools—These tools combine SAST and DAST techniques, using instrumentation to observe the application from the inside while it is running in order to find vulnerabilities. Some of the companies offering integrated solutions for IAST testing are Acunetix, HPE, and IBM. IAST tools identify fewer false positives and provide more comprehensive code coverage. But the instrumentation behind these tools can have a negative impact on application performance, so the testing experience may not be identical to the actual user experience.
- Software Composition Analysis (SCA) tools—Third-party components, such as open-source libraries and frameworks, are often used in web application development to speed up the development process. This is a fine approach, but these third-party components need to be kept up to date and scanned for vulnerabilities. Assuming someone else has taken the necessary steps to make sure a given library or framework is secure exposes your application to security risks. It is the equivalent of inviting a stranger into your home. SCA tools analyze the source code, libraries, and frameworks used in an application to identify security vulnerabilities or licensing issues before the application is deployed. The only caveat here is you need an accurate inventory of third-party components so you can make sure that all external pieces are examined. Examples include Black Duck and Sonatype.
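The SCA caveat above, that you need an accurate inventory of third-party components before anything can be checked, is easiest to see in code. The following is an added example, not a tool from the page or from any vendor it names: it parses a constructed requirements.txt-style inventory, refuses entries that are not pinned to an exact version (an unpinned entry is not an inventory), and matches each component against a constructed advisory list. Every package name, version and advisory identifier here is made up for illustration.

```python
"""Toy Software Composition Analysis check (added example, not a real SCA tool).

Parses a constructed requirements.txt-style inventory and matches each
component against a constructed advisory list. Package names, versions and
advisory identifiers are all made up for illustration.
"""
import re

# Constructed component inventory (requirements.txt syntax).
INVENTORY = """\
# constructed manifest: name==version, comments ignored
acme-webframework==1.0.2
acme-yamlparser==3.12
Acme-HTTPClient==2.18.4   # mixed case on purpose
acme-templating==2.10.1
"""

# Constructed advisories: name -> list of (fixed_in, advisory_id).
# A component is affected if its version is strictly below fixed_in.
ADVISORIES = {
    "acme-yamlparser": [("5.1", "EXAMPLE-ADV-0001")],
    "acme-httpclient": [("2.20.0", "EXAMPLE-ADV-0002"), ("2.19.0", "EXAMPLE-ADV-0003")],
    "acme-templating": [("2.10.1", "EXAMPLE-ADV-0004")],  # already fixed at 2.10.1
}


def version_key(version):
    """Turn '2.18.4' into (2, 18, 4) for numeric comparison."""
    return tuple(int(p) for p in re.findall(r"\d+", version))


def version_lt(a, b):
    """True if version a is strictly lower than b; shorter tuples are zero-padded
    so that '3.12' compares as 3.12.0 against '3.12.1'."""
    ka, kb = version_key(a), version_key(b)
    n = max(len(ka), len(kb))
    ka += (0,) * (n - len(ka))
    kb += (0,) * (n - len(kb))
    return ka < kb


def parse_inventory(text):
    """Build {normalized_name: version}. Names are lower-cased so that
    'Acme-HTTPClient' and 'acme-httpclient' are the same component.
    Unpinned or unparsable lines are rejected: without an exact version the
    inventory cannot be checked against advisories."""
    components = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        m = re.match(r"^([A-Za-z0-9_.-]+)==([0-9][A-Za-z0-9.]*)$", line)
        if not m:
            raise ValueError(f"unpinned or unparsable requirement: {raw!r}")
        components[m.group(1).lower()] = m.group(2)
    return components


def scan(components, advisories):
    """Return one finding per (component, advisory) pair whose installed
    version is below the fixed version, sorted for stable reporting."""
    findings = []
    for name, version in components.items():
        for fixed_in, advisory_id in advisories.get(name, []):
            if version_lt(version, fixed_in):
                findings.append({"component": name, "version": version,
                                 "advisory": advisory_id, "fixed_in": fixed_in})
    return sorted(findings, key=lambda f: (f["component"], f["advisory"]))


if __name__ == "__main__":
    for finding in scan(parse_inventory(INVENTORY), ADVISORIES):
        print(f"{finding['component']} {finding['version']}: "
              f"{finding['advisory']} (fixed in {finding['fixed_in']})")
```

The point of the strict parser is the page's caveat: a real SCA run is only as good as the inventory fed to it, so a manifest entry that cannot be pinned to a version should fail the scan rather than silently pass.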
Each of these types of tools has strengths and weaknesses, making a blended approach best. This gives you the ideal coverage for your application and reduces the risk of exposure to threats and vulnerabilities. Additional details on these tools are available in our blog.
Application Vulnerability Correlation: What is it and how can it help you?
All of these tools and testing are important for developing a secure application. But the management of these tools and the volume of reports (and the volume of findings within each report) they produce can be a challenge.
Application Vulnerability Correlation (AVC) tools are a new strategy identified by Gartner to prioritize defects in code and to streamline the application security and vulnerability management process. Basically, AVC tools solve the dilemma of managing multiple tools and their reports.
- Deduplication—Duplicate results from the multitude of reports are automatically removed. You get one report with a single set of results. The tool works across multiple testing techniques, including SAST, DAST, IAST, SCA, threat modeling, and manual review. Penetration testing results can also be manually entered or results from pen testing tools can be automatically pulled in through a plugin.
- Correlation of SAST and DAST results—SAST tools identify potential vulnerabilities, while DAST tools identify which of those vulnerabilities are actually exploitable. Combining all of these results through a process called “hybrid analysis” lets you know which threats are real and of the highest priority.
- Remediation management—AVC tools identify the specific lines of code where vulnerabilities exist and neighboring flaws and vulnerabilities. A centralized console gives you the ability to assign, track, and monitor the progress of remediation.
- Workflow integration—Integration with popular environments such as Eclipse makes it easy for developers to fix problems. A tool that embeds into Continuous Integration environments and the Jira issue tracking tool provides additional streamlining. Integration with the Jenkins build server allows you to kick off analyses within Jenkins.
- Reporting—A wide variety of reports make it easy to sort through testing results and track remediation efficiently. Reports on how long it takes to remediate issues, for example, help you make sure remediation is happening quickly.
- Compliance checks—Automatically check your codebase against regulations such as HIPAA, the DISA-STIG, and the PCI-DSS. Violating lines of code are flagged, and the specific violation is identified. Suggestions are made to achieve compliance.
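Deduplication and SAST/DAST correlation, described in the first two items of the list above, are the core of an AVC tool. The following is an added example and not Code Dx or any other product's code: it merges findings from two SAST tools and one DAST tool, keys duplicates on weakness class and location, and then performs the "hybrid analysis" step by marking a SAST finding as confirmed when a DAST finding of the same CWE hit the endpoint that code serves. The findings, tool names and the route map linking code locations to endpoints are all constructed; in practice that map would come from the framework's routing metadata, which is an assumption here.

```python
"""Toy Application Vulnerability Correlation (added example, not a product's code).

Deduplicates findings from several tools and correlates SAST results with
DAST results ("hybrid analysis"). All findings and the route map are
constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    tool: str       # which scanner reported it
    technique: str  # "SAST" or "DAST"
    cwe: str        # weakness class, e.g. "CWE-89" (SQL injection)
    location: str   # SAST: "file:line"; DAST: "METHOD /path?param"
    severity: str   # "high", "medium" or "low"


# Constructed results from two SAST tools and one DAST tool.
RAW_FINDINGS = [
    Finding("sast-tool-a", "SAST", "CWE-89", "app/auth.py:42", "high"),
    Finding("sast-tool-b", "SAST", "CWE-89", "app/auth.py:42", "high"),  # duplicate of the line above
    Finding("sast-tool-a", "SAST", "CWE-79", "app/profile.py:17", "medium"),
    Finding("dast-tool", "DAST", "CWE-89", "POST /login?username", "high"),
]

# Constructed route map: code location -> endpoint it handles.
# Assumed to come from framework routing metadata; not part of the page.
ROUTE_MAP = {
    "app/auth.py:42": "POST /login",
    "app/profile.py:17": "GET /profile",
}


def dedupe(findings):
    """Merge findings that describe the same weakness at the same place.

    Key on (technique, cwe, location); keep the first instance but record
    every tool that reported it so analysts can see where tools agree.
    Returns a list of (finding, sorted list of reporting tools)."""
    merged = {}
    reporters = defaultdict(list)
    for f in findings:
        key = (f.technique, f.cwe, f.location)
        merged.setdefault(key, f)
        reporters[key].append(f.tool)
    return [(merged[k], sorted(set(reporters[k]))) for k in merged]


def endpoint_of(dast_location):
    """'POST /login?username' -> 'POST /login' (drop the tested parameter)."""
    return dast_location.split("?", 1)[0]


def correlate(deduped, route_map):
    """Hybrid analysis: a SAST finding is 'confirmed-exploitable' when a DAST
    finding of the same CWE hit the endpoint served by that code location;
    otherwise it stays 'potential'. Confirmed findings sort first, then by
    severity, which is the prioritisation an analyst would act on."""
    dast_hits = {(f.cwe, endpoint_of(f.location))
                 for f, _ in deduped if f.technique == "DAST"}
    rank = {"high": 0, "medium": 1, "low": 2}
    prioritized = []
    for f, tools in deduped:
        if f.technique != "SAST":
            continue
        endpoint = route_map.get(f.location)
        confirmed = endpoint is not None and (f.cwe, endpoint) in dast_hits
        prioritized.append({
            "cwe": f.cwe,
            "location": f.location,
            "severity": f.severity,
            "reported_by": tools,
            "status": "confirmed-exploitable" if confirmed else "potential",
        })
    prioritized.sort(key=lambda r: (r["status"] != "confirmed-exploitable",
                                    rank.get(r["severity"], 99)))
    return prioritized


if __name__ == "__main__":
    for row in correlate(dedupe(RAW_FINDINGS), ROUTE_MAP):
        print(f"{row['status']:22} {row['cwe']} {row['location']} "
              f"({row['severity']}, reported by {', '.join(row['reported_by'])})")
```

Four raw findings collapse to three, and the SQL injection at `app/auth.py:42` is the only one both reported statically and demonstrated dynamically, so it lands at the top of the list; the cross-site scripting finding remains a potential issue to be triaged.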
Obviously, you want to use a tool that offers robust functionality and reliable technology. Gartner identified Code Dx as a leader in the AVC category, as well as a leader in the Application Security Testing Orchestration category.
The thought of dealing with the results from penetration testing and vulnerability testing can make your development and security teams run for the hills. But comprehensive testing is necessary if you want to create a secure application that won’t leave your users and your reputation exposed. An application vulnerability correlation tool simplifies the management of pen and vulnerability testing, bringing your team out of hiding. Thoroughness and efficiency go hand-in-hand with AVC.