September 20, 2017 | By Kevin Beaver


Web application penetration testing is one of the most critical components of your information security program. The exploitation of a web-related vulnerability could result in a massive breach, so web security must be front and center in any organization. However, I often see people sweep web security under the rug and fail to follow through on their findings.

Many organizations are performing web vulnerability penetration testing to examine their critical business systems, marketing websites, content management systems and all the important stuff in between. These tests are often performed by third parties, but internal security teams sometimes do their own scanning and spot checks. However, when it comes time to report on the results and fix the flaws that were uncovered, these findings often end up at the bottom of the security priority list or, worse, never addressed at all.

A False Sense of Security

I’m pretty sure none of this negligence is intentional. Stuff happens in IT and security. Time passes and some things inevitably end up getting overlooked. Business leaders often assume that all is well with security as long as efforts are exerted and money is spent. However, web flaws often result from misdirected priorities. It takes effort to roll out new data loss prevention (DLP) or security information and event management (SIEM) projects to show value and justify those expenditures. Meanwhile, more important tasks fall by the wayside.

Web security negligence could even be the result of development or project managers making shortsighted decisions to deploy new features quickly. Security fixes often get nixed because IT teams believe they must set up complex testing environments or overcome other unnecessary barriers to see things through. It could even be a case of management simply not providing proper financial or political support because they don’t fully understand the business risks associated with web flaws.

Involving Customers in the Web Application Penetration Testing Discussion

So what is the solution? Obviously, the issues I mentioned above need to be addressed. Still, you can’t fix all web security issues across all applications immediately. Most fixes take time and money, and some can’t be done at all due to customer requirements or lack of vendor support.

One potential solution is to get customers, business partners and others involved in the web security discussion. Critical web applications typically only involve a small number of customers or business partners. If you get them, or at least a subset of them, involved in the findings of your security testing, you can ensure that the right people are on board and maintain a level of accountability in the process.

Many executives, including chief information security officers (CISOs), would shrug this off. But there’s a great opportunity here, since these third parties are likely to see the results of your vulnerability and penetration testing anyway. Furthermore, it can be a better alternative to allowing customers to perform their own testing.

Don’t Go Through the Motions

Unless and until you completely follow through on the things that matter in web security, you’re just going through the motions, checking those boxes and perpetuating a false sense of security. If you take this proactive approach, you can have discussions with customers and business partners in an open forum.

I’ve seen certain clients take this approach to security testing and remediation, and it really does work. Why not give it a try and build it into your core security program over the long term? Ignoring your web security assessment findings is never a good strategy. After all, one of the riskiest things you can ever do is overlook a truly critical web security vulnerability.
