What are the benefits of web application scanning? How to make it worthwhile | SC Media

2022-06-03 22:50:27 By : Ms. June Li

Imagine a castle without a drawbridge, moat, or guards to keep enemies at bay. The idea would have been ludicrous then, and it is just as ludicrous now.

For modern-day organizations made up of personnel, equipment, networks, and data, it’s essential to put mechanisms in place that protect these valuable assets from unwanted interference.

Web application scanners (dynamic application security testing, or DAST, tools) are designed to do just that: they "crawl" an organization's Internet-facing web assets to identify and flag potential vulnerabilities. Importantly, a DAST scanner does not need access to the application's source code. Instead, it sends the kinds of crafted requests an attacker would send and watches the responses for the tell-tale signs of a weakness, which enables the organization to fix the flaw before attackers find and exploit it themselves.

But the scanners serve another purpose as well: discovering and cataloging an organization's entire inventory of web assets – every website, web service, API, or application – so that nothing remains hidden, and anything added later is detected and tagged.
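To make concrete what the two preceding paragraphs describe, here is an added example written for this page (it is not code from any vendor's scanner): a minimal DAST-style tool in Python that crawls a target with no access to its source, builds the asset inventory of paths and parameters, diffs that inventory against a previous run so new assets are tagged, and then probes every discovered parameter with a reflected-XSS marker and a SQL-error payload. The hostname target.example, the fake_fetch stand-in for an HTTP GET, and the two flaws planted in it are assumptions constructed so the example runs offline.

```python
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlencode, urljoin, urlparse

# A probe value that will not occur naturally; the '<' must come back
# unescaped for the reflection to count as a finding.
XSS_MARKER = "dastq7x<b>zz"
# Signatures of database error messages leaking into responses.
SQL_ERROR_RE = re.compile(
    r"SQLSTATE\[|You have an error in your SQL syntax|ORA-\d{5}|syntax error at or near", re.I)


class _LinkForm(HTMLParser):
    """Collect hrefs plus form actions and input names from one page (the crawling half)."""

    def __init__(self):
        super().__init__()
        self.links, self.forms, self._form = [], [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.append(a["href"])
        elif tag == "form":
            self._form = {"action": a.get("action") or "", "inputs": []}
        elif tag == "input" and self._form is not None and a.get("name"):
            self._form["inputs"].append(a["name"])

    def handle_endtag(self, tag):
        if tag == "form" and self._form is not None:
            self.forms.append(self._form)
            self._form = None


def crawl(fetch, start, max_pages=100):
    """Breadth-first crawl from `start`, staying on one host. `fetch(url)` returns
    (status, body). Returns the asset inventory: {path: set(parameter names)}."""
    host = urlparse(start).netloc
    inventory, queue, seen = {}, [start], set()
    while queue and len(seen) < max_pages:
        url = queue.pop(0)
        p = urlparse(url)
        path = p.path or "/"
        if p.netloc != host or (path, p.query) in seen:
            continue
        seen.add((path, p.query))
        inventory.setdefault(path, set()).update(parse_qs(p.query))  # query keys become params
        status, body = fetch(url)
        if status >= 400:
            continue
        page = _LinkForm()
        page.feed(body)
        queue.extend(urljoin(url, href) for href in page.links)
        for form in page.forms:
            action = urlparse(urljoin(url, form["action"] or url)).path or "/"
            inventory.setdefault(action, set()).update(form["inputs"])
    return inventory


def probe(fetch, base, inventory):
    """Send one payload per check into every discovered parameter and look for the
    tell-tale response. Returns a sorted list of (path, parameter, check)."""
    checks = (
        ("reflected-xss", XSS_MARKER, lambda body: XSS_MARKER in body),
        ("sql-error", "1'", lambda body: SQL_ERROR_RE.search(body) is not None),
    )
    findings = set()
    for path, params in inventory.items():
        for name in params:
            for check, payload, hit in checks:
                _status, body = fetch(urljoin(base, path) + "?" + urlencode({name: payload}))
                if hit(body):
                    findings.add((path, name, check))
    return sorted(findings)


def new_assets(previous, current):
    """Inventory diff: endpoints (param None) or parameters that appeared since the last run."""
    out = []
    for path, params in current.items():
        old = previous.get(path)
        if old is None:
            out.append((path, None))
        else:
            out.extend((path, name) for name in params - old)
    return sorted(out, key=lambda item: (item[0], item[1] or ""))


def fake_fetch(url):
    """Constructed stand-in for an HTTP GET against an assumed target (not a real site):
    /search reflects `q` without escaping, /api/v1/items leaks a DB error on `id`."""
    p = urlparse(url)
    qs = {k: v[0] for k, v in parse_qs(p.query).items()}
    if p.path in ("", "/"):
        return 200, ('<a href="/search">search</a> <a href="/about">about</a> '
                     '<a href="/api/v1/items?id=1">items</a> <a href="https://other.example/">partner</a>')
    if p.path == "/search":
        return 200, ('<form action="/search"><input name="q"></form>'
                     f'<p>Results for {qs.get("q", "")}</p>')
    if p.path == "/api/v1/items":
        if "'" in qs.get("id", ""):
            return 500, "SQLSTATE[42000]: Syntax error or access violation near ''' at line 1"
        return 200, '{"items": []}'
    if p.path == "/about":
        return 200, "<p>About us.</p>"
    return 404, "not found"


if __name__ == "__main__":
    BASE = "https://target.example/"  # assumed hostname of the constructed target
    inv = crawl(fake_fetch, BASE)
    print("inventory:", {k: sorted(v) for k, v in inv.items()})
    print("new since last run:", new_assets({"/": set(), "/search": set()}, inv))
    for finding in probe(fake_fetch, BASE, inv):
        print("finding:", finding)
```

Replacing fake_fetch with a real GET (and running only against assets you are authorized to test) turns this into the skeleton of a working scanner; what production DAST tools add on top is authentication handling, a JavaScript-rendering crawler for script-heavy applications, rate limiting, and many more checks than the two shown here. The off-host link to other.example is deliberately dropped by the crawler, which is the same scoping decision a real scanner must make.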

And when these scanners are absent, outdated, or simply don’t function as they should, the consequences for organizations can be steep.

According to the 2022 Verizon Data Breach Investigations Report, basic web application attacks were the top attack pattern among the 18,000 security incidents and 3,000 confirmed breaches the report examined, far outpacing other vectors such as email, software updates and backdoors. Once inside, attackers can steal sensitive PII – think medical data or Social Security numbers – as well as payment card data, intellectual property and other highly valued corporate assets. Sabotage of critical infrastructure, servers and other systems is also possible.

Those numbers suggest that traditional web app scanners are missing the mark, providing bare-bones coverage at best while failing to discover and triage the full range of vulnerabilities common to dynamic, script-heavy web applications. There are a few reasons for this:

An effective response to the threat requires effective tools, but it also requires proper tool configuration and operational processes that complement the tool's functionality. With that in mind, here are some recommendations for getting the most out of web app scanners.

As attackers demonstrate increasingly sophisticated tactics, organizations are well advised to upgrade their web app scanning software so that it keeps pace with a DevSecOps environment.

An automated web app scanner that continually discovers and tests the organization's entire inventory of web assets leaves it better placed to avert damaging attacks down the line.


Copyright © 2022 CyberRisk Alliance, LLC All Rights Reserved This material may not be published, broadcast, rewritten or redistributed in any form without prior authorization.
