Web Applications and Websites Exist in a Dynamic Environment
There is no questioning the fact that the web application security landscape is in a constant state of flux. The pace of change is not only rapid but resembles a constant game of cat and mouse between hackers and security professionals.
Any business or entity who maintains an internet presence is at risk of being hacked. It doesn’t matter whether you have a simple information based website designed to promote your business or a web application that handles customer data or complex financial transactions — your presence alone creates an inherent risk.
One of the most effective ways to mitigate your risk is by being proactive not only throughout the development phase but also once your website or application goes live.
Determining how often should you be scanning your web applications for vulnerabilities during the development phase and post-deployment is not as easy as you might imagine. While it would be nice to propose a one-size-fits-all solution, it’s just not possible. Each situation needs to be looked at independently. You need to make an assessment based upon the individual risk factors associated with your website or web application.
Coding performed by humans is subject to security vulnerabilities — this will never change. The simple fact of the matter is that people make mistakes. As websites and applications become more complicated, it becomes increasingly important to check for vulnerabilities at regular intervals.
Much like a house requires a strong foundation, so does a website or web application. Anything built on a weak foundation is at risk of needing to be torn down and rebuilt.
Ideally, any web application or website under development should be manually reviewed and scanned with an automated tool at regular intervals. This work should be performed by both developers and pen-testers.
The exact frequency should depend on your particular situation. A good rule of thumb is to make sure you do not build a new layer on top of one that might contain vulnerabilities. You should be scanning at each critical juncture in the development process, just as you wouldn’t build a second floor on top of a first floor that was structurally unsound.
Just because your coding practices are sound and were consistently reviewed during the development phase, does not mean you’re out of the woods. As soon as your website or web application has been deployed, it’s a good idea to determine an ideal frequency of scanning. Deciding on an appropriate frequency requires that you give consideration to a variety of factors including:
- Technological Change - The pace of technological change is rapid. As a result, websites and applications frequently introduce new functionality. An example would be the introduction of WordPress REST API (which so far has proven to be secure). Anytime there is a change, reevaluation is a good idea.
- Increased Application Functionality - As users demand increased functionality from web applications, developers are faced with a naturally increasing attack surface. It presents a real catch-22 because the end user sees your website as providing more value, but that same value unknowingly causes a corresponding increased security risk.
- Newly Discovered or Popular Vulnerabilities - Hackers will continue to find new ways to exploit vulnerabilities and take advantage of end users. Their strategies change and adapt as required. For example, ransomware has seen a surge in popularity in recent years.
All three of these situations (technological change, increases functionality, and new vulnerabilities), result in a need to frequently scan your website in an effort to stay one step ahead of hackers.
As a general rule, the more functionality your website provides, and the more interaction there is between your web application and the end user, the more frequently you should consider scanning.
It’s also important to consider whether your web application gathers sensitive user information or performs financial transactions. Both of those scenarios would indicate a need for more frequent scanning.
At the same time, don’t forget that while mission critical web applications should receive first priority, you should still be scanning more benign websites like those responsible for marketing and promotion.
In addition to regularly scheduled vulnerability scanning, there are a few more factors to consider in regards to frequency.
Any time you update your software, whether it’s to add functionality or patch an existing vulnerability, you should perform a scan. At the same time, if there are reports of a new exploit in the wild, don’t wait until your next scheduled scan — be proactive.
The most important thing to remember is that it only takes a single web application vulnerability to cause potential untold harm to your business, or to your customers. Combine that risk with a highly dynamic environment, and you have a situation that requires a continual state of vigilance.
For a security professional, this translates into the need to perform regular vulnerability scans. It’s better to scan to frequently, than not frequently enough. The inconvenience of being proactive is less than the probable negative impact, as a result of being hacked. And the last thing you want to tell your customers was that your security procedures were too relaxed.