Web application penetration testing is one of the most critical components of an information security program. Exploitation of a single web-facing vulnerability can result in a massive breach, so web security must be front and center in any organization. However, I often see organizations sweep web security under the rug and fail to follow through on the findings their own testing produced.

Many organizations perform web application penetration testing against their critical business systems, marketing websites, content management systems and everything in between. These tests are often performed by third parties, but internal security teams sometimes do their own scanning and spot checks. However, when it comes time to report on the results and fix the flaws that were uncovered, the findings often end up at the bottom of the security priority list or, worse, are never addressed at all.

A False Sense of Security

I’m pretty sure none of this negligence is intentional. Stuff happens in IT and security. Time passes and some things inevitably end up getting overlooked. Business leaders often assume that all is well with security as long as effort is being exerted and money is being spent. However, unremediated web flaws are often the result of misdirected priorities. Rolling out new data loss prevention (DLP) or security information and event management (SIEM) projects takes effort, and those projects get the attention because they are visible and justify the money spent on them. Meanwhile, the less glamorous but more important task of fixing known web vulnerabilities falls by the wayside.

Web security negligence can also be the result of development or project managers making shortsighted decisions to ship new features quickly. Security fixes often get nixed because IT teams believe they must first set up complex testing environments or overcome other barriers that, on closer inspection, are unnecessary. It can even be a case of management simply not providing the financial or political support because they don’t fully understand the business risks associated with web flaws.

Involving Customers in the Web Application Penetration Testing Discussion

So what is the solution? Obviously, the issues I mentioned above need to be addressed. Still, you can’t fix every web security issue across every application immediately. Most fixes take time and money, and some can’t be made at all because of customer requirements or a lack of vendor support for the affected component.

One potential solution is to get customers, business partners and other stakeholders involved in the web security discussion. Critical business web applications often serve a relatively small number of customers or business partners. If you get them, or at least a subset of them, involved in reviewing the findings of your security testing and the remediation plan, you can ensure that the right people are on board and maintain a level of accountability throughout the process.

Many executives, including chief information security officers (CISOs), would shrug this off. But there’s a real opportunity here, since these third parties are likely to see the results of your vulnerability and penetration testing anyway, whether through vendor risk assessments, security questionnaires or contractual audit rights. Furthermore, sharing your own results is a better alternative to having customers perform their own testing against your applications.

Don’t Go Through the Motions

Unless and until you completely follow through on the things that matter in web security, you’re just going through the motions, checking boxes and perpetuating a false sense of security. If you take the proactive approach described above, you can discuss findings and remediation openly with customers and business partners rather than hoping they never ask.

I’ve seen certain clients take this approach to security testing and remediation, and it really does work. Why not give it a try and build it into your core security program over the long term? Ignoring your web security assessment findings is never a good strategy. After all, one of the riskiest things you can ever do is overlook a truly critical web security vulnerability.
