Testing web security: why automated tools can be insufficient
For many companies, every minute that a website is down is a serious financial loss. Corporate web applications are business tools, especially in ecommerce, and they often store valuable information such as customer billing data or internal business information.
It should, therefore, come as no surprise that malicious actors have long been conducting ransomware campaigns or distributed denial-of-service attacks against this class of corporate assets. Business continuity and the leakage of private data are at stake.
What can companies do to test the security of their websites and prevent incidents? Perform web security audits to identify weaknesses that could jeopardize their operability and the information they work with on a daily basis.
Are there automated tools to perform web security audits? Can this kind of cybersecurity service be fully automated? Do these tools have limitations? Can they take into account information flows or business logic?
1. SAST, DAST, IAST… Automated tools are important in the continuous search for vulnerabilities
Automation is critical in the field of cybersecurity. Without the development of automated tools, it would be impossible for cybersecurity professionals to detect vulnerabilities and security incidents on a continuous basis.
Today, there is a wide range of solutions such as vulnerability scanners or tools that enable essential tests to be carried out when testing a website:
- Static Application Security Testing (SAST). The objective of this type of testing is to automatically analyze the source code of a web application, without running it, to detect possible deficiencies in it.
- Dynamic Application Security Testing (DAST). This set of tests is used to look for vulnerabilities in web applications during runtime.
- Interactive Application Security Testing (IAST). This type of testing combines the two previous ones: the automated tools used to perform IAST instrument the web application and analyze its code while it is running.
- Software composition analysis (SCA). In this case, the objective is to identify open-source components used on websites and look for vulnerabilities and weaknesses in them that malicious actors can exploit.
The security tests we have just described are critical when it comes to continuously monitoring a website, detecting threats and vulnerabilities early on and providing information to cybersecurity specialists to optimize a website’s defense mechanisms.
2. How can you know which automated tools for evaluating web security are optimal?
The OWASP Foundation, a global benchmark in the development of methodologies and guides in the field of cybersecurity, has designed the OWASP Benchmark, a tool for evaluating automated solutions for SAST, DAST or IAST.
Thus, OWASP Benchmark is an open-source web application that allows one to measure the accuracy, coverage and speed of automated vulnerability detection tools and compare them to decide which ones are best suited to the characteristics of a website and the needs and objectives of a company.
How does OWASP Benchmark work? In essence, a series of automated tests are carried out to check, for each test case, whether the evaluated solution:
- Identifies a real vulnerability present on a website (a true positive).
- Fails to locate a real vulnerability (a false negative).
- Stays silent on a test case that contains no vulnerability (a true negative).
- Alerts about a security problem that does not exist (a false positive).
From the counts obtained for these four outcomes, a score can be derived and the results plotted graphically. This tool can be used to evaluate dozens of SAST, DAST and IAST solutions, both open-source and commercial.
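The following is an added worked example, not OWASP's own code, showing how the four outcome counts above turn into a score. The per-category counts are constructed sample values, and the aggregation used here (mean true-positive rate minus mean false-positive rate, a Youden-style index) is the scoring approach the Benchmark documents, stated here as an assumption. Beyond the four outcomes in the text, it also includes two degenerate tools to show why detection rate on its own is a misleading measure.

```python
"""Worked illustration of the four OWASP Benchmark outcomes and the score
that follows from them.  Added example, not OWASP's own code; counts are
constructed, and the TPR-minus-FPR aggregation is an assumption."""
from dataclasses import dataclass


@dataclass(frozen=True)
class CategoryResult:
    """Outcome counts for one vulnerability category (e.g. SQL injection)."""
    category: str
    tp: int  # real vulnerabilities the tool reported
    fn: int  # real vulnerabilities the tool missed
    tn: int  # safe test cases the tool correctly left alone
    fp: int  # safe test cases the tool wrongly flagged

    def tpr(self) -> float:
        """Share of real vulnerabilities found (sensitivity)."""
        positives = self.tp + self.fn
        return self.tp / positives if positives else 0.0

    def fpr(self) -> float:
        """Share of safe cases wrongly flagged (false-alarm rate)."""
        negatives = self.tn + self.fp
        return self.fp / negatives if negatives else 0.0

    def score(self) -> float:
        """Per-category score: a tool that flags everything or nothing scores 0."""
        return self.tpr() - self.fpr()


def overall_score(results: list[CategoryResult]) -> float:
    """Tool-level score: mean TPR across categories minus mean FPR."""
    if not results:
        return 0.0
    mean_tpr = sum(r.tpr() for r in results) / len(results)
    mean_fpr = sum(r.fpr() for r in results) / len(results)
    return mean_tpr - mean_fpr


# Constructed sample scorecard for a hypothetical scanner.
SAMPLE_SCANNER = [
    CategoryResult("sqli", tp=45, fn=5, tn=40, fp=10),  # TPR 0.90, FPR 0.20
    CategoryResult("xss", tp=30, fn=30, tn=36, fp=4),   # TPR 0.50, FPR 0.10
]

# Two degenerate tools: both have a "perfect" story on one axis only.
FLAGS_EVERYTHING = [CategoryResult("sqli", tp=50, fn=0, tn=0, fp=50)]
FLAGS_NOTHING = [CategoryResult("sqli", tp=0, fn=50, tn=50, fp=0)]


if __name__ == "__main__":
    for r in SAMPLE_SCANNER:
        print(f"{r.category}: TPR={r.tpr():.2f} FPR={r.fpr():.2f} score={r.score():.2f}")
    print(f"overall: {overall_score(SAMPLE_SCANNER):.2f}")
    print(f"flag-everything tool: {overall_score(FLAGS_EVERYTHING):.2f}")
    print(f"flag-nothing tool: {overall_score(FLAGS_NOTHING):.2f}")
```

The point of the two degenerate tools is that a scanner reporting a 100% detection rate can still be worthless if it also flags every safe case; subtracting the false-positive rate is what separates signal from noise, which is why a benchmark has to count all four outcomes rather than just hits.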
3. Why is human talent necessary to test the security of a website?
So, if there are multiple automated tools to perform web application security tests… is it still necessary to entrust a web security audit to specialized professionals?
Automated tools are a great help, as we pointed out earlier, but they have their shortcomings and limitations:
- They can generate false positives that affect the daily operations of companies and hinder the work of protecting their assets.
- They have shortcomings when it comes to detecting more complex vulnerabilities.
- They find it extremely difficult to find unknown or zero-day vulnerabilities that may affect a website or any of its components.
- They do not take into account the business logic of the web applications they analyze when tracking vulnerabilities.
- They are also unable to consider the information flows managed by interrelated web functionalities.
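The last two limitations are easiest to see with a concrete case. The following is an added example, not code from the original article: a checkout flow in which every request is valid on its own (so a scanner exercising each endpoint in isolation sees only clean responses), yet the sequence of requests breaks a rule the business depends on. It shows the insecure checkout beside a hardened one that recomputes and enforces the invariant. Catalogue prices, the coupon code and the request sequence are all constructed sample data.

```python
"""Added example (not from the original article): a business-logic flaw
that exists only in the *sequence* of individually valid requests, plus
the server-side invariant that closes it.  All data is constructed."""
from dataclasses import dataclass, field
from typing import Optional

CATALOG = {"book": 30, "pen": 5}   # constructed unit prices
COUPONS = {"SAVE20": 20}           # constructed: flat 20 off the subtotal


class InvariantViolation(Exception):
    """Raised when a checkout would break a rule the business relies on."""


@dataclass
class Cart:
    items: dict = field(default_factory=dict)
    coupon: Optional[str] = None   # which coupon was applied
    discount_snapshot: int = 0     # the amount computed *when* it was applied

    def subtotal(self) -> int:
        return sum(CATALOG[sku] * qty for sku, qty in self.items.items())

    # Each step validates its own input.  A scanner that exercises these
    # endpoints one at a time gets a correct response from every one of them.
    def add(self, sku: str, qty: int) -> None:
        if sku not in CATALOG or qty <= 0:
            raise ValueError("invalid item or quantity")
        self.items[sku] = self.items.get(sku, 0) + qty

    def remove(self, sku: str) -> None:
        if sku not in self.items:
            raise ValueError("item not in cart")
        del self.items[sku]

    def apply_coupon(self, code: str) -> None:
        if code not in COUPONS:
            raise ValueError("unknown coupon")
        self.coupon = code
        # Capped at the subtotal *at this moment*: locally correct, globally unsafe.
        self.discount_snapshot = min(COUPONS[code], self.subtotal())


def checkout_insecure(cart: Cart) -> int:
    """Trusts the snapshot; the cart may have changed since it was taken."""
    return cart.subtotal() - cart.discount_snapshot


def checkout_hardened(cart: Cart) -> int:
    """Recomputes the discount against the cart as it is now and enforces
    the invariant that a discount never exceeds what is actually bought."""
    subtotal = cart.subtotal()
    discount = min(COUPONS[cart.coupon], subtotal) if cart.coupon else 0
    total = subtotal - discount
    if total < 0 or discount > subtotal:
        raise InvariantViolation("discount exceeds subtotal")
    return total


def flow_totals() -> tuple[int, int]:
    """Replays one constructed request sequence against both checkout paths."""
    cart = Cart()
    cart.add("book", 1)          # subtotal 30
    cart.apply_coupon("SAVE20")  # snapshot discount = 20, fine at this point
    cart.remove("book")          # subtotal 0; the snapshot is now stale
    cart.add("pen", 1)           # subtotal 5
    return checkout_insecure(cart), checkout_hardened(cart)


if __name__ == "__main__":
    insecure, hardened = flow_totals()
    print(f"insecure checkout total: {insecure}")  # negative: the shop now owes money
    print(f"hardened checkout total: {hardened}")
```

An auditor designing tests for this application would write exactly this kind of multi-step scenario (apply, modify, check out) and assert the invariant at the end; a tool that fuzzes `add`, `remove` and `apply_coupon` separately has no notion that the discount snapshot and the cart can drift apart.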
4. What are the benefits of performing web security audits throughout the software lifecycle?
For all these reasons, companies need to subject their web applications to periodic security audits designed and implemented by cybersecurity specialists. These professionals, in addition to using automated tools to carry out security tests such as SAST, DAST, IAST or SCA, implement specific techniques that make it possible to:
- Identify vulnerabilities present in the configuration or infrastructure of web servers.
- Test entry points for multiple types of injection and the other advanced techniques that malicious actors can carry out against them.
- Design specific security tests according to the different types of web assets and technologies of a company: ecommerce, APIs, PSD2, CMS, CRM, etc.
- Analyze third-party software and frameworks to detect vulnerabilities and prevent software supply chain attacks.
- Perform specific tests that consider the information flows managed by all web functionalities that are interrelated to find vulnerabilities that automated tools cannot detect.
- Identify vulnerabilities that are closely related to the business logic of the web application and that automated security testing tools cannot detect.
Conclusion: Automated tools alone are not enough
In short, corporate web applications are assets of enormous value for companies and one of the main entry points for malicious actors to enter a company’s systems.
Therefore, it is essential to perform web security audits on an ongoing basis, combining the use of automated DAST, SAST or IAST tools with the design of specific tests to detect complex vulnerabilities that affect all kinds of web assets.
Combining cutting-edge technology with the knowledge accumulated by the best professionals is the best formula for finding and mitigating vulnerabilities before they are successfully exploited. If you want to know more, visit our web security audit service section.