Web application penetration testing is one of the most critical components of your information security program. The exploitation of a web-related vulnerability could result in a massive breach, so web security must be front and center in any organization. However, I often see people sweep web security under the rug and fail to follow through on their findings.

Many organizations are performing web vulnerability penetration testing to examine their critical business systems, marketing websites, content management systems and all the important stuff in between. These tests are often performed by third parties, but internal security teams sometimes do their own scanning and spot checks. However, when it comes time to report on the results and fix the flaws that were uncovered, these findings often end up at the bottom of the security priority list or, worse, never addressed at all.

A False Sense of Security

I’m pretty sure none of this negligence is intentional. Stuff happens in IT and security. Time passes and some things inevitably end up getting overlooked. Business leaders often assume that all is well with security as long as efforts are exerted and money is spent. However, web flaws often result from misdirected priorities. It takes effort to roll out new data loss prevention (DLP) or security information and event management (SIEM) projects to show value and justify those expenditures. Meanwhile, more important tasks fall by the wayside.

Web security negligence could even be the result of development or project managers making shortsighted decisions to deploy new features quickly. Security fixes often get nixed because IT teams believe they must set up complex testing environments or overcome other unnecessary barriers to see things through. It could even be a case of management simply not providing proper financial or political support because they don’t fully understand the business risks associated with web flaws.

Involving Customers in the Web Application Penetration Testing Discussion

So what is the solution? Obviously, the issues I mentioned above need to be addressed. Still, you can’t fix all web security issues across all applications immediately. Most fixes take time and money, and some can’t be done at all due to customer requirements or lack of vendor support.

One potential solution is to get customers, business partners and others involved in the web security discussion. Critical web applications typically only involve a small number of customers or business partners. If you get them, or at least a subset of them, involved in the findings of your security testing, you can ensure that the right people are on board and maintain a level of accountability in the process.

Many executives, including chief information security officers (CISOs), would shrug this off. But there’s a great opportunity here, since these third parties are likely to see the results of your vulnerability and penetration testing anyway. Furthermore, it can be a better alternative to allowing customers to perform their own testing.

Don’t Go Through the Motions

Unless and until you completely follow through on the things that matter in web security, you’re just going through the motions, checking those boxes and perpetuating a false sense of security. If you take this proactive approach, you can have discussions with customers and business partners in an open forum.

I’ve seen certain clients take this approach to security testing and remediation, and it really does work. Why not give it a try and build it into your core security program over the long term? Ignoring your web security assessment findings is never a good strategy. After all, one of the riskiest things you can ever do is overlook a truly critical web security vulnerability.

Read the interactive white paper: Preempt attacks with programmatic and active testing

More from Application Security

Patch Tuesday -> Exploit Wednesday: Pwning Windows Ancillary Function Driver for WinSock (afd.sys) in 24 Hours

‘Patch Tuesday, Exploit Wednesday’ is an old hacker adage that refers to the weaponization of vulnerabilities the day after monthly security patches become publicly available. As security improves and exploit mitigations become more sophisticated, the amount of research and development required to craft a weaponized exploit has increased. This is especially relevant for memory corruption vulnerabilities. Figure 1 — Exploitation timeline However, with the addition of new features (and memory-unsafe C code) in the Windows 11 kernel, ripe new attack…

Backdoor Deployment and Ransomware: Top Threats Identified in X-Force Threat Intelligence Index 2023

Deployment of backdoors was the number one action on objective taken by threat actors last year, according to the 2023 IBM Security X-Force Threat Intelligence Index — a comprehensive analysis of our research data collected throughout the year. Backdoor access is now among the hottest commodities on the dark web and can sell for thousands of dollars, compared to credit card data — which can go for as low as $10. On the dark web — a veritable eBay for…

Direct Kernel Object Manipulation (DKOM) Attacks on ETW Providers

Overview In this post, IBM Security X-Force Red offensive hackers analyze how attackers, with elevated privileges, can use their access to stage Windows Kernel post-exploitation capabilities. Over the last few years, public accounts have increasingly shown that less sophisticated attackers are using this technique to achieve their objectives. It is therefore important that we put a spotlight on this capability and learn more about its potential impact. Specifically, in this post, we will evaluate how Kernel post-exploitation can be used…

Detecting the Undetected: The Risk to Your Info

IBM’s Advanced Threat Detection and Response Team (ATDR) has seen an increase in the malware family known as information stealers in the wild over the past year. Info stealers are malware with the capability of scanning for and exfiltrating data and credentials from your device. When executed, they begin scanning for and copying various directories that usually contain some sort of sensitive information or credentials including web and login data from Chrome, Firefox, and Microsoft Edge. In other instances, they…