Why you need to automate web application security testing

Security testing may seem like a no-brainer, almost a necessity, for most cyber professionals. But in reality, that's far from the truth. Despite hundreds of web applications and APIs exposed to the attack surface, many assets remain dangerously untested and vulnerable to cyberattacks. As AI becomes more prevalent, this number will only increase.

Our team recently surveyed over 100 cybersecurity professionals in the UK, who clearly stated that threats to web applications are a major concern. However, most security teams only test these applications once a month, leaving a significant portion of applications vulnerable and highlighting serious gaps in cybersecurity programs.

So why can't we test these applications properly?

The attack surface is a constantly moving target. As organizations expand their technology stack and integrate with other customer and partner systems, the attack surface shifts. But over the long term, it only grows in size, making it difficult to keep up.

The same group of UK cyber experts revealed that organizations are struggling to keep up with the sheer volume and dynamic nature of web applications. In fact, 54.2% of respondents admitted that the number of web applications in their environment was too high to adequately test.

Other major barriers include the number of APIs tested and the time required to test each web application, cited by 59.8% and 55.1% of respondents, respectively.

The survey also revealed a shocking fact: These organizations experience significant web application-related security events every quarter, which can take up to eight hours to remediate.

So where does testing stand today?

Organizations use a variety of methods, including dynamic application security testing, interactive application security testing, and penetration testing, to identify vulnerabilities, misconfigurations, and other weaknesses in their web applications.

However, more than a quarter of surveyed respondents admitted to not having a formal process for testing the security of their web applications, and almost half said they rarely use security testing tools or methods to find vulnerabilities in their web applications.

Reasons for infrequent testing and limited coverage include:

  • Too many apps and APIs: The number of applications and APIs that organizations require is growing exponentially.
  • Not enough time: Time constraints do not allow for thorough and frequent testing.
  • Frequent app updates and changes: Because applications are frequently updated and modified, it is difficult to maintain a consistent testing schedule.
  • Shortage of manpower: There is a shortage of skilled personnel to carry out widespread testing.
  • Budget limits: Financial constraints limit the ability to invest in comprehensive testing tools and resources.

Time and resource constraints aside, improving the frequency and effectiveness of testing and applying automation should be considered non-negotiable. Some best practices include:

  • Continuous monitoring: Continuous visibility into the attack surface allows organizations to be proactive and drive effective remediation efforts. Continuous monitoring identifies vulnerabilities early and reduces the chances of a successful attack.
  • Test in production: Testing in the production environment, rather than in a sandbox or offline, ensures that every element that affects your web application is taken into account: databases, open source libraries, authentication mechanisms, and so on. This approach gives a more accurate picture of potential vulnerabilities and their impact.
  • Invest in DevSecOps: To accelerate development cycles and improve time to market, organizations have invested in DevOps tooling to ship code faster, but they have not made the equivalent investment in security tooling (DevSecOps). Building security into the DevOps pipeline is essential to ensure that rapid development does not come at the cost of security breaches.

Please stand down

The key message here is that today, our organizations are increasingly at risk and existing testing methods are insufficient to protect our environments.

Automated testing methods are no longer optional: moving to them quickly results in more comprehensive coverage, faster identification of vulnerabilities, and a quicker remediation process.

You can streamline labor-intensive manual processes by continuously or frequently testing all web apps and related APIs in your environment, pinpointing risks, and filtering out low-priority issues and events.

Automated testing improves an organization's security posture and reduces the burden on the security team as a whole.

Graham Lance, Vice President of Global Presales, Psychognite
