CYBERSEC 2021 uses cookies to provide you with the best user experience possible. By continuing to use this site, you agree to the terms in our Privacy Policy. I Agree

May 4-6 at Taipei Nangang Exhibition Center, Hall 2

Cyber Insight

Why you should be Concerned about Web Security

In our advertisements, you can often read that 70 percent of websites are hackable. The sad truth is, however, that every website and web application can be hacked, given enough time and resources.

Hackers are on the lookout for vulnerabilities in your web applications: Shopping carts, forms, login pages, dynamic content are easy targets. Firewalls, SSL and lock-down servers are futile against web application hacking. 

While web attacks are not the only type of attacks that may lead to a security compromise, they are one of the most common types along with all forms of social engineering (including phishing) and malware. These types are often also used in conjunction. However, despite the importance of web application security, a lot of businesses still struggle with maintaining it. Here are our recommendations on how to achieve the best security levels:

★Use heuristic detection.

If you only use signature-based detection systems, you are protecting your assets only against script-kiddies. Professional black-hat hackers rely on finding web application vulnerabilities that can only be discovered using a heuristic web vulnerability scanner, such as Acunetix, or manual penetration testing.

★Prioritize web security over network security. 

You should realize that there have been very few major breaches in the past years that were due to network security issues, such as the ones associated with SSL/TLS errors. On the other hand, there were quite a few major breaches caused by web security issues from the OWASP Top-10 list such as SQL Injection attacks, Cross-site Scripting (XSS), CSRF, web server and container misconfiguration, etc.

★Eliminate the source of the problem. 

If you feel that web application firewall is enough to protect your assets, you should realize that WAF rules can often be circumvented using malicious code and well-crafted user input. By using a WAF with no other measures, you are not eliminating the source of the problem but only applying a temporary band-aid.

Many have argued that you cannot rely on tools alone to find all security vulnerabilities. This is absolutely correct. In all but the most basic security checks, you have to rely on experience and technical knowledge to root out the less-than-obvious vulnerabilities that blackbox scanners simply cannot find. That said manual testing alone is just too time consuming, limited and, for many, downright difficult. A good balance of tools and manual analysis is needed.

The major issue here is that selecting ineffective security testing tools can be a costly venture. I’ve burned thousands of dollars and countless hours on tools that seemed like a good fit based on their tricked out websites and fancy marketing slicks. Talk is cheap so buyer beware. You have to take these tools for a spin to see if they’re going to be a good fit based on YOUR style inside YOUR environment, and based on YOUR business needs.

Whether you’re doing the actual work or just want to make sure your IT and security staff members are using what’s best for the organization, the simple truth is that good security audit tools can and will make a difference. Always remember that there is no one best tool but if you’re smart about your approach you shouldn’t have to spend a lot of money getting the job done right. If you invest a relatively small amount time researching, asking prospective vendors tough questions and actually trying the tools before you buy them, then you can’t lose.

When you choose and use good tools, you’ll know it. Amazingly, you’ll minimize your time and effort installing them, running your tests, reporting your results – everything from start to finish. Most importantly, with a good web vulnerability scanner you’ll be able to maximize the number of legitimate vulnerabilities discovered to help reducing the risks associated with your information systems. At the end of the day and over the long haul, this will add up to considerable business value you can’t afford to overlook.

Acunetix is not just a web vulnerability scanner. It is a complete web application security testing solution that can be used both standalone and as part of complex environments. It offers built-in vulnerability assessment and vulnerability management, as well as many options for integration with market-leading software development tools. By making Acunetix one of your security measures, you can significantly increase your cybersecurity stance and eliminate many security risks at a low resource cost.

“Automate and Integrate Your Vulnerability Management”

To save resources, ease remediation, and avoid late patching, enterprises often aim to include web vulnerability tests as part of their SecDevOps processes. Acunetix is one of the best DAST tools for such a purpose due to its efficiency in both physical and virtual environments.

Acunetix integrations are designed to be easy. For example, you can integrate Acunetix scans in your CI/CD pipeline with tools such as Jenkins in just a few steps.

For effective vulnerability management, you can also use third-party issue trackers such as Jira, GitLab, GitHub, TFS, Bugzilla, and Mantis. For some issue trackers, Acunetix also offers two-way integration, where the issue tracker may automatically trigger additional scans depending on the issue state.