Web application vulnerabilities are a top target for cybercriminals. Websites, applications, servers and supporting infrastructure are exposed to the internet via web applications and are therefore under constant attack. Many organizations perform network vulnerability scans on internet-facing networks and systems but often ignore web applications. The checks included in network vulnerability scans generally do not test web applications and certainly do not perform deep vulnerability testing inside the application itself.
Manual testing by a skilled cyber assessor is the best approach to test the security of web applications. A skilled human can identify and react to nuances in the performance, results and behaviors of a web application that may be missed by automated scanners.
Does every web application need to be tested? Ideally, yes. Realistically, at least internet-accessible applications that handle critical or sensitive data need testing. Custom-developed and organization-hosted applications are a higher priority than purely informational sites. If you rely on Software-as-a-Service (SaaS or outsourced) applications, you should request reporting on the web application security testing the SaaS provider performs.
Web application security testing planning stages are:
Once the baseline information about risks and requirements has been established, identify the web applications with testing requirements and prioritize them as part of the annual assessment efforts.
If you have questions or need assistance, please contact one of RubinBrown’s Cyber Security Services Group professionals.