Search Go hack yourself with Detectify
×

A web security blog from Detectify

The Buyer's Guide to Scalable Application Security

Jocelyn Chan / July 2, 2021

Detectify is helping tech organizations bring safer web products to market by providing crowdsourced, cloud-based, continuous web app security. Here’s a buyer’s guide on how you can get scaleable application security in 2021 and beyond.

There are so many appsec tools out there with the same features. It’s hard to see value clearly amongst all the noise. A valuable security tool will speed up product to market, scale out security responsibilities across the tech organization, and encourage collaboration internally and with external security experts to gain actionable insights. Check out the podcast segment that goes into detail of the buyer’s guide to application security.

Even knowing where in the SDLC to start is a challenging decision. Let’s take a closer look with this buyer’s guide and success measures on how security defenders cut through the noise and find scalable application security tools that covers as much of the checklist as possible:

Evaluation checklist:

1. Are you covered where you’re most likely to get hacked?

Should you focus more on securing the right or left? No, this isn’t a political debate… 

Your end-user trusts you to build a secure and seamless user experience, and this is also where attackers will begin. This is also a good starting point for your internal defenders. 

Production is typically overshadowed by obsession to push the perfect thing to market without security flaws and that surely isn’t going to break right? The production environment is even more important today because that’s where breakers are breaking. It’s where you have many legacy applications or unaccounted for and forgotten websites deployed by another team (e.g., marketing) that slipped the security team’s watch. 

2. Get an inventory of your tech stack to find shadow IT and verify what’s exposed

Great, now that you’ve identified production as to where you want to begin, you need to know what the hey is all the live code you are exposing. What do you have in your house? If you don’t have a way to take inventory, then this is the sign you’ve been waiting for.

You may THINK you know what is in your tech stack, and often defenders may get an unpleasant surprise with shadow IT. You may see Java, some Flash, or it could have been WordPress or one of those convenient plugins.

top 20 technologies detectify has security modules forimage: Top 20 technologies which Detectify with the most security tests generated by the Crowdsource community

You can find old and existing legacy applications in which you’re trying to port into a cloud environment or some ad hoc system in which you’ve pieced together from random custom-built applications. 

Statistics about Shadow IT by G2image: Shadow IT usage statistics from G2

Travis on taking inventory:

“You want to get an inventory of what’s in your tech stack including what you build and what you host. You can either map it out individually, directly from your zone files that you’re able to pull from your hosting provider or use an automated system to take account of it. Once you know how wide your domain structure is, can you start assessing the vulnerabilities that are potentially sitting there.”

3. Does the tool show you what an attacker can leverage?

It’s one thing to know what you expose; it’s another thing to be able to be two steps ahead of an attack by seeing and remediating gaps before they get exploited by a malicious actor. The best way to do this is getting it from a hacker-driven source (sure, we are bit biased since we have our own trusted community!).

Depending on your organization’s security maturity, you may use all or start with just one of these modern appsec tools:

Bug Bounty Programs

Bug bounty is not just a buzzword. They’ve grown in popularity over the last few years, and tech organizations even set it as a goal to build “bug bounty-grade” products. 

However, starting with a bug bounty program right away could be overwhelming for your organization if it’s not trained on application security nor streamlined triaging practices in place. This requires a certain level of security maturity and budget as bug hunters also have expectations that their reported bugs will be fixed, and they will get rewarded accordingly for findings.

Responsible Disclosure

If you cannot run an entire bug bounty program just yet but are curious to know what hackers can see, consider a Responsible Disclosure Program. All this takes to set up is a webpage that will tell researchers what you are interested in receiving bugs on, what’s out of scope, and who to contact when something is found.

Unlike a bug bounty program, this method doesn’t promise any rewards, but it promises safe haven for hackers who will hack with good intentions to disclose what they’ve found and within the legal bounds. 

Automated web app scanner that will verify exploits

To get a true view of what’s visible to attackers in production and is easily exploited with automated tactics, you need something that will give you high quality insights. There are efforts in the industry to limit all the noise by adding contextual testing methodologies like payload-based testing. This kind of testing will take an actual hacker payload to exploit vulnerabilities safely that don’t take down your production. The result? You will only get alerts if vulnerabilities are verified as exploited.

You want an always up-to-date scanner so you don’t have to be. And to that, you need others who can also think like a hacker. Detectify helps 1700+ companies gain security visibility this way. Sign up for a free 2-week trial to see the difference.

4. Can you integrate it and pick up velocity?

Security information is only helpful in the hands of those who need it, like the engineers diligently building your next big thing. Integrating detailed vulnerability alerts into popular dev tools like JIRA, Slack, or via the API will help you keep up velocity from detection to fixing.

The best way to activate speedier security fixes is verifying bugs in production with evidence that the vulnerability is exploitable. In addition to this, give tips on fixing it to encourage immediate prioritization of business-critical issues.

Travis:

make sure that the relevant and digestible information is in front of the right people at the right time. That’s going to set your security program apart. It will give your engineers digestible information they can action upon almost directly, because they’re able to see what the request response code that is coming out of it.”

WAF doesn't understand security context

image: Detectify users will get details on the request and response from each of the vulnerabilities detected in scanned apps

5. How will this improve the working pains of your stakeholders?

Often tools aren’t curated by the end-users, so extra consideration should decide how you and your stakeholders want to measure success and whether they will use it.

Suggested success measures:

  • # vulnerabilities found over time vs. resolved
  • Time spent remediating (this can move quickly over time if the information is provided and acquired)
  • Vulnerabilities found by internal teams vs. bug bounties or ethical hackers
  • Peace of mind
  • Building products that can be launched onto bug bounty platforms

Gone are (should) be the days where you throw things over the fence in a PDF over to the teams that ultimately need to fix the security issues. This is the conventional security method that we need to get away from because it’s not collaborative or engaging. Working with devs and having security measured in agreed goals will get you further… and come on, no one likes a 124-page report!

6. Buy something scalable! Do engineers get threat info in a digestible format so they can DIY?

Security is not a one-person or one team’s job; otherwise it will remain a blocker. New security tooling should facilitate teamwork and shared responsibility of security across the org to have a whole force behind defending the company at every stage. 

Part of that empowerment is providing them actionable insights they can work with containing verified evidence with remediation tips and always up-to-date from expert sources.

7. New threats appear every day so get that same frequency with vulnerability test updates

It’s not unreasonable to get security testbeds updated throughout the day, like Detectify. Our security research team sets importance on getting critical information to customers as soon as possible. Today they are building tests within 15-minutes of verifying the POC received from the hacker community, and activate the testing to customers. This lets our customers, especially ones running DevOps to have a test bed that updates frequently to match their deployments that occur several times a day.

Vulnerabilities are discovered by the minute, and learning about them simultaneously as the hacking community is crucial for being steps ahead of attackers. Detectify applies this by working together with an invite-only community of the best ethical hackers in the world to keep a finger on the pulse of web vulnerabilities.

8. Does it improve your security culture? 

Instilling a tech culture that’s positive towards security best practices can be successful if based on collaboration. Most security mature leaders encourage a “no blame, no shame” policy so that people are encouraged to be accountable and take action, instead of sweeping things under a rug. 

Ways to be more collaborative:

  • Use a shared portal that shows a dynamic report of detected web vulnerabilities. It should allow teammates to update if they’ve fixed things or accepted risk in the UI.
  • Invite ethical hackers to share vulnerability information. By opening up knowledge sharing and working together with ethical hackers, you will get access to relevant bugs and critical findings that you’ve never even thought of, especially logical ones.
  • To make security a priority, you need to make it visible – not taboo! You can create company-wide dashboards that report on security statuses for transparency and opportunities for improvements rather than punishment and shame.

How about success?
What does the benchmark look like for appsec tools in 2021?

We’ve gone through the guide on what to look for when buying appsec tools. Let’s look at how you can set criteria for success:

1. Shorten time to release

Suppose the new tools are easy to integrate. In that case, you can also expect this to improve the product development process by releasing frequently and with more confidence that they handle the possible security risks.

2. Reduce time of vulnerabilities going undetected as part of the continuous improvement

Adding security automation to check production for security bugs continuously should improve the efficiency of detection. Besides automation, the update frequency of the appsec test library can also impact this, and products range from populating within a week or as fast as 15-minutes of receiving the active hacker research. You will be able to remove these issues before they are exploited. Don’t be that one that finds out 208 days later.

3. Less time spent on fixing security bugs

Over time, your new appsec tool should also improve the amount of time spent on remediating the risk. You can also choose to compare how much time is spent on significant rollbacks vs. iterative fixes.

4. Lower false-positive count

Time wasted is money and energy wasted too. Reducing the false-positive count will give you back some of that time. One way to evaluate false positives is to look at how the testing is executed. Is it signature-based testing or payload-based testing?

The latter will give you under 1% false positives because the methodology attempts to verify the vulnerability through controlled exploitation. You can get this by collaborating with hackers to simulate attacks with working payloads.

5. Reducing abandonware and shadow IT

The most successful hackers look where others aren’t looking, and often that’s the forgotten websites. This is a straightforward way to measure if the security tool is doing its job to help you take inventory of all that you own, make sure it’s still under your control.

6. Lastly, do you feel more prepared to meet attackers at the frontline with this new tool?

You won’t be able to completely eliminate all the threats, but your tools should help you get ahead. Not everything is black magic, and the right combination of appsec tools will help you see what attackers see and anticipate the sequence of attacks coming your way, and harden your builds and 3rd party software as you go.

But wait… Reality check for the CISOs

Are you team compliance or team security? We get it that as a security officer, you are expected to do both. When you put on the business lenses, you’ll be asked to prove how your curated tools and security program is scalable and contributes to go-to-market speed.

Some control questions to ask yourself:

  1. How did I reduce risk from outsider and insider threats?
  2. How did I resolve critical vulnerabilities to reduce the attack surface?
  3. How did I enable new growth opportunities for the business? 
  4. Did I speed up the product to market?
  5. Did I remove blockers for development teams?
  6. How did I improve the security engagement of tech teams?

CISO Checklist for appsec

Remember there is no silver bullet

Too bad there still is no silver bullet for appsec just yet, but you can still curate the right tools to build up a reliable security program that begins at your web frontlines. 

You know you’ll have the right combination once you can see what a hacker sees, know what they know, and even hack what they hack. That way, your business is in a better position to stay resilient and prosperous against persistent attacks.

How can Detectify help?

Detectify helps tech leaders run continuous appsec security at speed and scale. Detectify collaborates with ethical hackers to source the latest security research from hacker-to-scanner in as fast as 15 minutes, and delivers reliable payload-based testing to customers. This means verified results and clearer visibility with less noise and appsec that will help the business go-to-market safer. See the difference for yourself with a free 2-week trial. Sign up today.