Continuous Scanning Is Imperative for Effective Web Application Security

Software moves fast. With so many Web applications and APIs being built and modified in increasingly complex IT environments, securing your attack surface — which can change hourly or multiple times a day — is a challenge. Traditional approaches to security, like one-off tests or periodic scans, are no longer enough to get the job done and done well. Attackers are zeroing in on these apps more frequently than ever; according to Verizon, 70% of security incidents in 2021 were connected to hacks targeting Web applications.

New research from Invicti Security shows positive trends on this front: Consistent, automated scanning leads to effective security that keeps up with application development. In the new Spring 2023 "Invicti AppSec Indicator" report, data from 1.7 million scans showed that enterprise organizations are ramping up their security scanning activity as they cover more Web applications and APIs than ever before. In fact, scan frequency has increased steadily since 2019, with a 50% jump per account over the last four years as more internal and external Web applications and APIs are developed and checked.

With the average cost of a data breach surpassing $4.3 million globally, skimping on security can result in expensive (and potentially disastrous) results for organizations. Keeping the bad guys out comes down to coverage, efficiency, accuracy, and frequency, all packaged up in tools that DevSecOps teams can trust. That way, organizations are improving their security posture with every scan, no matter how many apps, components, and APIs they rely on. Read on for more insights from the Spring 2023 "Invicti AppSec Indicator" to see how increasing scan frequency and improving coverage leads to better risk posture.

Implementing Broader Coverage for More Comprehensive Risk Management

Do you know exactly how many Web applications and APIs your organization has and which contain critical vulnerabilities? In addition to scanning more, you need to reach farther and wider than before in your testing. Many businesses aren't aware of the scope until they broaden their continuous discovery and scanning efforts, especially if their environments include legacy applications and open source code. Dangerous vulnerabilities could be lurking in these unchecked corners: Data from the "Invicti AppSec Indicator" report uncovers an alarming increase in remote code execution (RCE), which jumped 40% from 2021 to 2022. Each of these results could be an exploitable flaw that might've been missed without comprehensive coverage from production to staging and beyond.

Discovering and testing everything you have in development and production while also crawling every corner of each application is critical to defining and defending your entire attack surface so you can catch vulnerabilities like RCE. Dynamic application security testing (DAST) can work in tandem with static security testing (SAST), interactive security testing (IAST), and software composition analysis (SCA), providing a more comprehensive view of where these vulnerabilities are and how to fix them. By taking action and increasing the adoption of DAST tooling in the software development life cycle (SDLC), you can improve the effectiveness and outcomes of AppSec programs.

Integrating Tools Into the SDLC for Greater Efficiency and Effectiveness

Despite the jump in RCE, research from Invicti shows a 19% year-over-year decline in the number of scans with a severe vulnerability. This data point truly underscores the positive trend of increased scanning frequencies leading to a decrease in severe vulnerabilities overall, as teams can find and fix more flaws before they become major issues. That efficiency is only achievable with continuous Web application security integrated into the SDLC and DevOps workflows, enabling security, development, and operations to work together more seamlessly without slowing down production.

By integrating security tools like DAST, IAST, and SCA right into the development pipeline, teams can catch issues in development, testing, staging, and production for better risk management. Advanced DAST tools can scan at multiple stages of the SDLC, also providing the ability to scan a variety of API types for more complete coverage. When you get accurate feedback and deliver it right to developers, security processes can keep pace with automated development toolchains and CI/CD pipelines.

Boosting Confidence in Scan Results With Accurate Data

More frequent scanning isn't impactful if the results aren't accurate. Especially when approaching severe vulnerabilities, you want the information coming from your scanner to be as accurate as possible. Without that precision, it's difficult to gauge how much risk you carry daily and what you should prioritize. DAST tools with capabilities like proof-based scanning have accuracy baked in as a core feature to give developers and security professionals confidence in the results. And when there's less hesitation, security won't get in the way of innovation.

To learn more about reducing risk in your application security program, read the Spring "Invicti AppSec Indicator."

About the Author

Frank Catucci is a global application security technical leader with over 20 years of experience, designing scalable application security specific architecture, partnering with cross-functional engineering and product teams. Frank is a past OWASP Chapter President and contributor to the OWASP bug bounty initiative and most recently was the Head of Application & Product Security at Data Robot. Prior to that role, Frank was the Sr. Director of Application Security & DevSecOps and Security Researcher at Gartner, and was also the Director of Application Security for Qualys. Outside of work and hacking things, Frank and his wife maintain a family farm. He is an avid outdoors fan and loves all types of fishing, boating, water sports, hiking, camping, and especially dirt bikes and motorcycles.