Web application penetration testing is one of the most critical components of your information security program. The exploitation of a web-related vulnerability could result in a massive breach, so web security must be front and center in any organization. However, I often see people sweep web security under the rug and fail to follow through on their findings.
Many organizations are performing web vulnerability penetration testing to examine their critical business systems, marketing websites, content management systems and all the important stuff in between. These tests are often performed by third parties, but internal security teams sometimes do their own scanning and spot checks. However, when it comes time to report on the results and fix the flaws that were uncovered, these findings often end up at the bottom of the security priority list or, worse, never addressed at all.
A False Sense of Security
I’m pretty sure none of this negligence is intentional. Stuff happens in IT and security. Time passes and some things inevitably end up getting overlooked. Business leaders often assume that all is well with security as long as efforts are exerted and money is spent. However, web flaws often result from misdirected priorities. It takes effort to roll out new data loss prevention (DLP) or security information and event management (SIEM) projects to show value and justify those expenditures. Meanwhile, more important tasks fall by the wayside.
Web security negligence could even be the result of development or project managers making shortsighted decisions to deploy new features quickly. Security fixes often get nixed because IT teams believe they must set up complex testing environments or overcome other unnecessary barriers to see things through. It could even be a case of management simply not providing proper financial or political support because they don’t fully understand the business risks associated with web flaws.
Involving Customers in the Web Application Penetration Testing Discussion
So what is the solution? Obviously, the issues I mentioned above need to be addressed. Still, you can’t fix all web security issues across all applications immediately. Most fixes take time and money, and some can’t be done at all due to customer requirements or lack of vendor support.
One potential solution is to get customers, business partners and others involved in the web security discussion. Critical web applications typically only involve a small number of customers or business partners. If you get them, or at least a subset of them, involved in the findings of your security testing, you can ensure that the right people are on board and maintain a level of accountability in the process.
Many executives, including chief information security officers (CISOs), would shrug this off. But there’s a great opportunity here, since these third parties are likely to see the results of your vulnerability and penetration testing anyway. Furthermore, it can be a better alternative to allowing customers to perform their own testing.
Don’t Go Through the Motions
Unless and until you completely follow through on the things that matter in web security, you’re just going through the motions, checking those boxes and perpetuating a false sense of security. If you take this proactive approach, you can have discussions with customers and business partners in an open forum.
I’ve seen certain clients take this approach to security testing and remediation, and it really does work. Why not give it a try and build it into your core security program over the long term? Ignoring your web security assessment findings is never a good strategy. After all, one of the riskiest things you can ever do is overlook a truly critical web security vulnerability.