Security testing to most cyber pros may seem like a no-brainer, almost like table stakes. But in reality, it’s far from the truth. Despite the hundreds of exposed web applications and APIs in our attack surfaces, many assets remain dangerously untested and vulnerable to cyberattacks. With AI on the rise, this number will only increase.
Our team recently polled more than 100 cybersecurity professionals in the UK who clearly stated that threats to their web applications are of high concern. Yet, most security teams only manage to test these applications on a monthly basis, leaving a significant portion of applications vulnerable, highlighting a critical gap in our cybersecurity programs.
So why can’t we manage to properly test?
Attack surfaces have always been a moving target. They fluctuate as organizations expand their tech stacks and integrate with other customer and partner systems. But in the long-run they only grow in size, making it difficult to keep up.
The same pool of UK cyber pros revealed that their organizations are struggling to keep up with the sheer volume and dynamic nature of web applications. In fact, 54.2% of respondents admitted that the number of web applications in their environment has become too large for adequate testing.
Other significant barriers include the number of APIs tested and the time required to test each web application, cited by 59.8% and 55.1% of respondents, respectively.
The poll also revealed a shocking fact: these organizations experience significant security events quarterly related to their web application, which can take up to eight hours to fix.
So where’s the testing?
Organizations use a variety of methods to identify vulnerabilities, misconfigurations, and other weaknesses in web applications, including dynamic application security testing, interactive application security testing, and penetration testing.
Yet, more than a quarter the respondents we polled admitted lacking a formal process for testing the security of their web application. Nearly half said they rarely use security testing tools or methods to uncover vulnerabilities in their web applications.
The reasons cited for infrequent testing and limited coverage include the following:
- Too many apps and APIs: The sheer number of applications and APIs orgs need has become overwhelming.
- Not enough time: Time constraints prevent thorough and frequent testing.
- Frequent app updates and changes: Constant updates and changes to applications make it difficult to maintain a consistent testing schedule.
- Insufficient staff: A lack of skilled personnel to conduct extensive testing.
- Budget limitations: Financial constraints restrict the ability to invest in comprehensive testing tools and resources.
Time and resources constraints aside, we have to think of improving testing frequency and effectiveness and applying automation as non-negotiable. A few best practices include:
- Continuous monitoring: Ongoing visibility into the attack surface, enabling organizations to stay proactive and guide remediation activities effectively. Continuous monitoring helps in identifying vulnerabilities early, reducing the risk of successful attacks.
- Production testing: Testing in the production environment, rather than in sandboxes or offline, ensures that all elements affecting a web application are taken into account, including databases, open-source libraries, and authentication mechanisms. This approach offers a more accurate representation of potential vulnerabilities and their impacts.
- Invest in DevSecOps: To accelerate development cycles and improve time-to-market, organizations have invested in DevOps software to publish code more quickly. But they have not invested in security software (DevSecOps). Incorporating security into the DevOps pipeline is crucial for ensuring that rapid development does not come at the cost of compromised security.
Take a step back
The big message here: our organizations have become increasingly exposed today, and existing testing methods are inadequate to secure our environments.
Automated testing methods are not table stakes. A quick shift can offer more comprehensive coverage, faster identification of vulnerabilities, and quicker remediation processes.
It can streamline labor-intensive manual processes by performing continuous or frequent testing of all web apps and associated APIs in the environment, accurately identifying risks, and filtering out low-priority issues or events.
Automated tests promises to improve an organization’s security posture, and relieve pressure on the entire security team.
Graham Rance, vice president, global pre-sales, CyCognito
