Digital transformation has paved the way for the adoption of several new technology trends by businesses, including AI/ML, robotic process automation, 5G, 3D printing, virtual & augmented reality, IoT, blockchain, connected vehicles, autonomous drones, etc.
Invariably, the surge in these disruptive technologies has led to a huge transformation in the cybersecurity landscape. Some of these technologies have made hackers’ lives easier by giving them plenty of opportunities to design and launch sophisticated cyber-attacks. In response, businesses around the world are realigning their IT strategy by introducing shift-left testing techniques to combat security threats early on and throughout the SDLC (Software Development Life Cycle).
With large enterprises frequently making headlines for data breaches, some of which compromise the personal data of millions of their end customers, many of them have made their information security policies (in terms of confidentiality, integrity, and availability) stringent and compliant with security standards and regulations such as NIST, HIPAA, PCI-DSS, GDPR, and SOC.
To understand why web application security testing is important, let’s look at some statistics. Studies show that the cyber security space will continue being in the top 10 technology trends for the next decade and more. Verizon’s 2019 Data Breach Investigations Report shows that 60% of hacking incidents are aimed at web applications. However, even today many web application owners are not building highly secure web applications, often due to a lack of awareness of the underlying security risks.
Web application security and security standards
With the birth of Web 2.0 (rich internet applications powered by HTML5), about 90% of web applications and APIs are exposed to security risks. Consequently, data breach trends have skyrocketed across most industry domains, including travel, retail, healthcare, banking and financial, and logistics.
End-to-end web application security aims to protect web applications and web services against several types of security threats. The best place to start understanding web application security testing is OWASP (Open Web Application Security Project), a non-profit organization that aims to improve web application security. It maintains a list of the top 10 vulnerabilities, which is considered an industry standard for evaluating and securing web applications, mobile applications, and APIs.
The SANS Institute is a research and education organization that develops and maintains the Top 25 Most Dangerous Software Errors, also called the CWE (Common Weakness Enumeration) Top 25. Although the two are different standards, some of the vulnerabilities are common to both. These standards form the basis on which security testing professionals devise a security test assessment strategy for applications.
Vulnerability assessment versus penetration testing
The terms ‘vulnerability assessment’ and ‘penetration testing’ are sometimes used interchangeably, though they are not the same. Here is a quick analogy to understand the difference.
Consider this situation – you reach out to a security agency to check and confirm that your home is safe (secure). The security experts’ team starts exploring various ways to identify the possible threats or means through which they can enter the house. They check the quality of the grills in the windows and balcony, the roof quality, the quality of the locks on the main door and the terrace door, the common walls shared with neighbors, the possibility of somebody tailgating into your compound, etc. Upon identifying the list of vulnerabilities, they perform a risk assessment, whereby they can analyze the severity, impact, and probability of a planned attack. This is called vulnerability assessment, and it involves identifying the threats and doing a risk analysis. Upon completing the vulnerability assessment, if required, the team can go about identifying possible ways to exploit the identified set of vulnerabilities. For example, the team could use various tools to drill through the roof, break the door locks, bend or cut open window grills, cut open wooden doors, etc. to successfully enter the house. This is called penetration testing.
The skills and knowledge required to do vulnerability assessment and penetration testing are quite different. Based on organizational needs, the security testing strategy should include the right set of activities to validate applications against the top vulnerabilities listed by the security standards.
Popular application security testing types
There are three broad categories in application security testing:
- Static Application Security Testing (SAST) – This is a white-box testing approach that focuses on Source-Code Analysis (SCA) or Binary Code Analysis (BCA) without the need to run the application, assessing it from the inside out for security.
- Dynamic Application Security Testing (DAST) – This is a black-box testing approach where the running application is analyzed without having any knowledge of its workings (like an external hacker would do). Latent security issues in the design cannot be identified through DAST.
- Interactive Application Security Testing (IAST) – This is a white-box testing approach that combines the advantages of SAST and DAST testing techniques by analyzing the code when the application is run, for instance, as part of a DevOps pipeline, enabling thorough security testing.
Application scanning tools
For end-to-end web application security testing, automated scanning tools can be used to accelerate the validation of the application against the OWASP Top 10 vulnerabilities and other standards. However, automated scanners cannot be considered an alternative to manual security testing. Automated tools validate the application against the common set of vulnerabilities in their rules engine database, which can produce false-positive alerts and findings reported with low confidence levels; a security tester needs to verify and validate these manually. Besides, several security test cases, such as those related to authorization and user access control, can be covered only through manual testing. This emphasizes the need for security testing experts to do a vulnerability assessment after running automated scanners against the application under test.
Popular web application security testing tools
The good news is that we have several free, open-source web application scanners available in the market. Popular open-source DAST tools include OWASP ZAP, Vega, Arachni, w3af, Nikto, and Wapiti. Popular commercial tools include Burp Suite Pro, Acunetix, Netsparker, Nessus, Fortify, and AppScan. SonarQube is the most popular open-source tool for performing SAST. Popular commercial SAST tools include Checkmarx and Veracode. A comprehensive list of the various tools available in the market can be found in this listing by OWASP. There are also several popular penetration testing tools, such as Metasploit, Core Impact, and Canvas.
Latest trends in web application security testing
Companies are increasingly aware that application security assessment is no longer a luxury add-on but a basic prerequisite to production deployment. By ensuring that their applications do not have the common vulnerabilities listed by standards such as the OWASP Top 10 and SANS Top 25, Vulnerability Assessment and Penetration Testing (VAPT) assessments not only increase the business owners’ confidence in their applications but also provide a secure platform on which end users can rely.
But considering the COPQ (Cost of Poor Quality) of security defects identified at the end of the software development life cycle, organizations are adopting best practices to shift-left their web application security testing, particularly in Agile and DevOps environments. By bringing web application security testing (SAST and DAST) into the early stages of the software development life cycle and making it part of the DevOps pipeline, secure applications can be built with confidence and efficiency.
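The two points above, that low-confidence scanner alerts need manual verification and that DAST belongs in the pipeline, as an added example that is not from the original article: a Python triage step over a DAST report in the shape of an OWASP ZAP JSON export (the `site`/`alerts` layout and the `riskcode`, `confidence`, `cweid` and `instances` fields are assumed from that format; the report itself is constructed). It blocks the build only on high-risk findings the scanner is confident about and queues the rest for a tester, so a likely false positive never fails the pipeline on its own.

```python
import json

# Constructed sample report in the assumed ZAP JSON layout. riskcode and
# confidence are 0-3 strings (3 = High), as ZAP emits them.
SAMPLE_REPORT = json.dumps({"site": [{
    "@name": "https://app.example.test",
    "alerts": [
        {"name": "SQL Injection", "riskcode": "3", "confidence": "3", "cweid": "89",
         "instances": [{"uri": "https://app.example.test/login", "param": "user"}]},
        {"name": "Cross Site Scripting (Reflected)", "riskcode": "3", "confidence": "1",
         "cweid": "79", "instances": [{"uri": "https://app.example.test/search", "param": "q"}]},
        {"name": "X-Content-Type-Options Header Missing", "riskcode": "1", "confidence": "2",
         "cweid": "693", "instances": [{"uri": "https://app.example.test/", "param": ""}]},
    ]}]})


def triage(report_json, fail_risk=3, min_confidence=2):
    """Split alerts into three buckets: blocking (risk and confidence both at or
    above threshold), review (serious but low confidence, i.e. a possible false
    positive that a tester must verify) and info (everything else)."""
    blocking, review, info = [], [], []
    for site in json.loads(report_json)["site"]:
        for alert in site.get("alerts", []):
            risk, conf = int(alert["riskcode"]), int(alert["confidence"])
            entry = {"name": alert["name"], "cwe": alert.get("cweid"),
                     "risk": risk, "confidence": conf,
                     "instances": len(alert.get("instances", []))}
            if risk >= fail_risk and conf >= min_confidence:
                blocking.append(entry)
            elif risk >= fail_risk:
                review.append(entry)
            else:
                info.append(entry)
    return blocking, review, info


def pipeline_exit_code(report_json):
    """0 lets the pipeline continue, 1 fails it. Only the blocking bucket fails
    the build; the review bucket is surfaced for manual vulnerability assessment."""
    blocking, _, _ = triage(report_json)
    return 1 if blocking else 0


if __name__ == "__main__":
    blocking, review, info = triage(SAMPLE_REPORT)
    for label, bucket in (("BLOCKING", blocking), ("REVIEW", review), ("INFO", info)):
        for e in bucket:
            print(f"{label:8} CWE-{e['cwe']} {e['name']} (risk={e['risk']}, conf={e['confidence']})")
    raise SystemExit(pipeline_exit_code(SAMPLE_REPORT))
```

Thresholds are deliberately parameters: a team that has tuned its scanner may lower `min_confidence`, but the review bucket should always land with a tester rather than be discarded.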