Web security in 2016 is very different from what it was like in 2006, 1996 or even further back. As technology evolves and leaps forward, unfortunately, so do vulnerabilities. Prevention strategies that were sufficient ten years ago might not hold up well in the face of fast-paced progress. Our society is becoming increasingly networked, which broadens the scope of potential exploits. All this warrants a new perspective on security based on an understanding of how the field has changed and how to respond to new challenges. In this article, we explain how web security has evolved and share best practices that are key to staying safe online.
1. FREQUENCY OF TESTING
Continuous security with automation
One-off penetration testing
The frequency of testing might be the greatest and most crucial change the evolution of web security has brought. Not that long ago, quarterly and even yearly penetration tests were very common and were not considered inadequate, but this is not the case anymore.
New vulnerabilities emerge all the time, which is why continuous security testing is necessary to stay safe online. Unlike traditional tests, regular scans are automated and faster than in the past, allowing you to keep an eye on security while having plenty of time to focus on developing awesome stuff. Imagine security is like an onion; using automation to be able to keep up with developments in web security is just one of the many layers that make up a complete security strategy. Finding services that fit your team and support your everyday work is an important step towards shifting to a more security-focused work routine.
2. SECURITY MINDSET
Back in the day, security was most often the domain of a highly specialised team (or individual!) responsible for keeping the organisation safe from attackers. Other teams had little to do with security matters and were not usually up to date on the latest developments and best practices.
Nowadays, security permeates all aspects of day-to-day work and is present in every step of the development process. It takes time and effort to educate teams and incorporate an updated work routine, but fear not, it’s worth it! Shifting to a security-oriented mindset demystifies security, increases risk awareness and makes it easier to take action if your site’s security ever becomes compromised. While security teams remain the main line of defense, every organisation can benefit from introducing security into other teams’ work.
However, your work with security need not, and should not, stay confined to your company. Add layers to your security onion! Bug bounty programs and platforms like HackerOne, Bugcrowd and Detectify Crowdsource are incredibly valuable resources for organisations looking to improve their security. You will never be able to recruit ethical hackers to a 9-5 job, but they can still help you out. Detectify Crowdsource draws on the community’s knowledge by building crowdsourced modules into the Detectify service. Finally, you might want to consider hiring manual pentesters to complement your staff’s knowledge and make your work with security more comprehensive. The layers of your security outline might look something like this:
- Security awareness within your team
- Detectify Crowdsource
- Bug bounty programs
- Manual pentesting
As a result of security being the sole responsibility of a specialised security team in the past, it seemed complicated and perhaps even slightly intimidating. High prices of security solutions reinforced the idea of security as a totally idiosyncratic field and also rendered decision-making difficult and expensive. Adjusting one-off manual pentests to specific needs or making changes was not easy without help from experts.
Luckily, a lot has changed. Services like Detectify offer easy-to-use interfaces that make working with security simple and intuitive, while also providing knowledge that can help users feel more comfortable tackling security issues. Using security tools is no longer an expensive and time-consuming endeavour, but instead gives your team additional support in their daily work. The flexibility of automated security services like Detectify makes it easy to adjust the testing to your needs, with options to add subdomains, only scan specific areas, or scan behind login.
Thinking of new vulnerabilities and exploits might worry you, but it is important to keep in mind that working with security has never been this thorough and accessible. With the support of automated security testing and ethical hackers’ knowledge, you can introduce a security-oriented way of thinking into your organisation and successfully work with security. Go hack yourself!
Interested in using automation to support your work with security? Sign up for a free trial!
If you have any questions about implementing security into your workflow, let us know at hello[at]detectify.com.