In a perfect world, you would have the time and the money needed to test all of your software for security flaws. From websites to enterprise applications to the cloud and everything in between, you would know exactly where things stand at Layer 7. Unfortunately, we live in an imperfect world where you must do what you can with what you have.
The pressure to scrutinize the application environment and do comprehensive web application security testing comes from every angle, as there are internal security standards and policies that must be met, as well as business partner and customer demands and compliance with PCI DSS, HIPAA and GDPR.
Every application can't be tested all the time, nor can you test a subset of applications for all possible security issues. So, where do you start and how do you maintain your pace of web application security testing? Here are some considerations to ensure that the right areas are addressed and that all other applications are eventually tested.
At a high-level, approaching your application testing via the 80/20 rule -- the Pareto principle -- can help you find your focal points. Find the 20% of your applications that represent 80% of the criticality or importance to the organization.
You're likely already doing this, even if only indirectly via third-party requirements, and you'll want to maintain all testing at this level. Be it monthly, quarterly or after significant updates, nothing really changes here. Just make sure you're looking at all of your most important applications because overlooking even one core system could jeopardize the enterprise.
Further scrutinizing each application, you'll want to test the systems that process -- or facilitate the processing of -- sensitive information, such as credit card numbers, Social Security numbers and intellectual property that you can't afford to expose. These are applications that face the internet, run on your internal network or are out in the cloud.
It is likely that the web services associated with these critical applications are also a top priority. Unfortunately, these systems are often overlooked, as they're assumed to just be endpoints. However, as I've discovered over the years, these simple services can have complex security flaws.
Looking down your priority list, you may have web systems that are not perceived as being valuable, but which are critical to the business nonetheless. This might include marketing websites and their associated content management systems, as well as smaller applications that provide ancillary services that are not necessarily core components of the business.
One thing you need to keep in mind, especially in the context of these applications, is the reality that they may be hosted elsewhere and, therefore, may not be properly tested. It's easy to assume that the third-party developer or hosting company is testing these environments, but that's rarely the case.
Toward the bottom of your priority list, you'll likely find web interfaces on network infrastructure systems, such as firewalls, switches, wireless access points, storage systems and the like -- the systems present on your internal network. These systems, which are often rife with basic vulnerabilities such as default passwords and missing patches, fall outside the scope of security monitoring and alerting and need to be tested.
Lastly, application development, testing and staging environments are often completely off everyone's radar except for the developers and the QA professionals utilizing them. The real challenge with these applications is that they're rarely maintained, are not properly overseen and, worst of all, house production data that can be exposed to internal threats and, depending on the setup, the entire internet.
While there is not a state of application security testing perfection, the obstacles you face with enterprise security can still address this issue so that you're not continuously facing strong headwinds and making little progress -- focus on the tasks with the highest payoff and work your way down.
Once you establish a streamlined web application security testing program, you can test the applications that are lesser-known or that are of lesser importance. Don't be afraid to pull out a good old-fashioned port scanner and scan your network and cloud environments for common web application ports, such as TCP ports 80, 443 and 8080.
As with all things security related, it's not about mastery, but about being reasonable and eventually touching everything. This mindset is the only way to set yourself and your business up for success while maintaining a defensible approach to information protection.