Web application penetration testing is one of the most critical components of your information security program. The exploitation of a web-related vulnerability could result in a massive breach, so web security must be front and center in any organization. However, I often see people sweep web security under the rug and fail to follow through on their findings.

Many organizations are performing web vulnerability penetration testing to examine their critical business systems, marketing websites, content management systems and all the important stuff in between. These tests are often performed by third parties, but internal security teams sometimes do their own scanning and spot checks. However, when it comes time to report on the results and fix the flaws that were uncovered, these findings often end up at the bottom of the security priority list or, worse, never addressed at all.

A False Sense of Security

I’m pretty sure none of this negligence is intentional. Stuff happens in IT and security. Time passes and some things inevitably end up getting overlooked. Business leaders often assume that all is well with security as long as efforts are exerted and money is spent. However, web flaws often result from misdirected priorities. It takes effort to roll out new data loss prevention (DLP) or security information and event management (SIEM) projects to show value and justify those expenditures. Meanwhile, more important tasks fall by the wayside.

Web security negligence could even be the result of development or project managers making shortsighted decisions to deploy new features quickly. Security fixes often get nixed because IT teams believe they must set up complex testing environments or overcome other unnecessary barriers to see things through. It could even be a case of management simply not providing proper financial or political support because they don’t fully understand the business risks associated with web flaws.

Involving Customers in the Web Application Penetration Testing Discussion

So what is the solution? Obviously, the issues I mentioned above need to be addressed. Still, you can’t fix all web security issues across all applications immediately. Most fixes take time and money, and some can’t be done at all due to customer requirements or lack of vendor support.

One potential solution is to get customers, business partners and others involved in the web security discussion. Critical web applications typically only involve a small number of customers or business partners. If you get them, or at least a subset of them, involved in the findings of your security testing, you can ensure that the right people are on board and maintain a level of accountability in the process.

Many executives, including chief information security officers (CISOs), would shrug this off. But there’s a great opportunity here, since these third parties are likely to see the results of your vulnerability and penetration testing anyway. Furthermore, it can be a better alternative to allowing customers to perform their own testing.

Don’t Go Through the Motions

Unless and until you completely follow through on the things that matter in web security, you’re just going through the motions, checking those boxes and perpetuating a false sense of security. If you take this proactive approach, you can have discussions with customers and business partners in an open forum.

I’ve seen certain clients take this approach to security testing and remediation, and it really does work. Why not give it a try and build it into your core security program over the long term? Ignoring your web security assessment findings is never a good strategy. After all, one of the riskiest things you can ever do is overlook a truly critical web security vulnerability.

Read the interactive white paper: Preempt attacks with programmatic and active testing

More from Application Security

What’s up India? PixPirate is back and spreading via WhatsApp

8 min read - This blog post is the continuation of a previous blog regarding PixPirate malware. If you haven’t read the initial post, please take a couple of minutes to get caught up before diving into this content. PixPirate malware consists of two components: a downloader application and a droppee application, and both are custom-made and operated by the same fraudster group. Although the traditional role of a downloader is to install the droppee on the victim device, with PixPirate, the downloader also…

PixPirate: The Brazilian financial malware you can’t see

10 min read - Malicious software always aims to stay hidden, making itself invisible so the victims can’t detect it. The constantly mutating PixPirate malware has taken that strategy to a new extreme. PixPirate is a sophisticated financial remote access trojan (RAT) malware that heavily utilizes anti-research techniques. This malware’s infection vector is based on two malicious apps: a downloader and a droppee. Operating together, these two apps communicate with each other to execute the fraud. So far, IBM Trusteer researchers have observed this…

From federation to fabric: IAM’s evolution

15 min read - In the modern day, we’ve come to expect that our various applications can share our identity information with one another. Most of our core systems federate seamlessly and bi-directionally. This means that you can quite easily register and log in to a given service with the user account from another service or even invert that process (technically possible, not always advisable). But what is the next step in our evolution towards greater interoperability between our applications, services and systems?Identity and…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today