Application security testing: just defining it is a struggle. If you ask ten experts, you'll get ten different answers -- and they're probably all correct, which is really problematic. Generally, there are two forms. First there's dynamic testing, where you test the application at runtime. Then you have static analysis, where you test it during development. Just like you have a temperature thermometer and a meat thermometer: these are both ways to measure the temperature of things, but they're for two very different purposes.
When you do dynamic testing in production, what you're really measuring is the production security of the website relative to the "bad guy." Can they hack the site or not? With static analysis, the measurement is different. Ideally, that type of measurement tells you how good the software is, so you can rid it of vulnerabilities before they become a production risk.
And finding vulnerabilities in application security testing is very different from exploiting them. There are people who find vulnerabilities very well but aren't skilled at exploitation, and then there are people who are very good at exploitation but aren't able to find vulnerabilities. You could call it the difference between the folks who know how to run sqlmap and the folks who know how to find SQL injection.
What's interesting is the ethos around that. It is not a one-and-done kind of thing. You find a cross-site scripting or SQL injection vulnerability, but you don't win in five minutes. It might take you an hour or two to find it, the next day or two to extract data, and maybe a week or more to pivot around. The interesting thing for the defense side is that the offense doesn't win in an instant, or even in an hour.
Even if you are given root-level access on a banking server, it's going to take you a while to extract data. The defense side gets a little bit of a reprieve if they can detect the attack or even the compromise within a few hours. When they do that, they are doing quite well because they could take what would otherwise have been a very devastating scenario and make it very tolerable. Yes, the bad guy won. But detecting it quickly before any damage is done is the goal.
There are a lot of vulnerabilities out there and everyone needs something easy to wipe them out. It could be one, it could be 50% of them, or it could be all of them. It's really hard to tell, but companies need options to wipe out vulnerabilities.
When we started really looking for a solution for the remediation and vulnerability management problem at WhiteHat Security, we looked at RASP technologies because they provided easy integration, strong protection, and real-time visibility, allowing companies to neutralize vulnerabilities that are actively being exploited. There are great RASP solutions out there from a range of providers, big and small.
Everybody likes to focus on the top 10 vulnerabilities, but from my experience, I've never found a company that had a top 10 vulnerabilities problem. Every company has a different Top 10. And it's very important for each company to target and fix the vulnerabilities that are specific to each organization with a solution that can do that easily.
What we all want, at the end of the day, is to see more vulnerabilities getting fixed. We want to see the remediation climb to 70-, 80-, and 90%, and we want to see the hacks go down.