Wednesday, October 7, 2020

Should you arm your SaaS software engineers with a web app vulnerability scanner?


    Web application vulnerability scanners have been around for a long time. And they've been ignored by most software engineers for a long time.

    Isn't it strange that the very people who build amazing software completely ignore other novel software that helps them secure their creations?

    Maybe it's because software folks don't understand their options, or which option is best for them? Here's a quick video debunking the most common decision point about application vulnerability scanning tools: do I need a SAST tool or a DAST scanning tool?


    TL;DW - it's not a case of picking and choosing which application security tools you need, because you will need all of them. It's more a case of how you build a culture within your software teams so that they consistently use vulnerability scanning within your software development lifecycle.

    Why do software engineers not like vulnerability scanning tools?

    There are many reasons behind this, but a primary factor is likely to be software engineers' lack of acknowledgement that they are responsible for securing the code that they write. Not the testing team. Not the security team. But the software engineer herself is responsible for building secure features. 

    If you think that's a novel thought, there's a compounding problem: most software engineers don't trust application security teams and products, like vulnerability scanners. 

    Given that very few software engineers take application security papers during their university education or in their formative professional years (primarily because few universities require that they be taken?), it follows they're more focused on building cool new features and not so much on building cool AND secure new features. 

    But those blind spots lead to these problems:

    [Image: Web application vulnerability scanner for software developers]


    So as a tech decision maker, when you thrust an application security assessment or a web app penetration test on your engineers, they're naturally wary of what they're going to face.

    Let's call a spade, a spade: they're afraid of being made to look bad. It's that perception of professional embarrassment that they are really dreading.

    But this sequence of facts and emotions leaves you, as a decision maker, in no-man's land. How do you deal with your engineers' emotions as well as solving your SaaS security headaches?

    To solve this conundrum, we need to dig a little deeper.

    Do software developers generally use vulnerability scanning tools?

    Generally, no. Most software developers don't think about security for web applications because they are not trained to think about application security during their development workflows.

    Software developers are trained to write code to build new features and new applications.

    So if you hand them a vulnerability scanning tool which changes the workflow that they are comfortable with, it naturally causes friction. So much friction that, at best, they won't use the vulnerability scanning tool, and at worst, they might lose faith in your ability to manage your application security program.

    In either case, you quickly begin to see how your web application vulnerabilities go unpatched and critical vulnerabilities like SQL injection, remote code injection attacks and cross site scripting remain in your cloud platform.

    Developers' wariness stems not just from a lack of technical understanding about the application security process, but also from natural human nature. As Harvard Business School's Michael H. Yeomans puts it in his recent study, "people are less willing to accept recommenders when they do not feel like they understand how they make recommendations."

    The mistrust of recommendations from other seemingly learned professionals is only exceeded by humans' mistrust of technology, as Cornell's Jon Kleinberg and University of Chicago's Anuj Shah and Sendhil Mullainathan found in the paper with Yeomans, "there’s a mistrust in algorithms. People seem to view them as a cheap substitute for human judgment."

    You'll agree that the above comment is especially true of technically advanced people who often mistrust advanced technologies (not built by them), often just because they don't have the time or requisite knowledge to understand it in greater depth. 

    Cornell University's Malte Jung has studied the human-robot interactions in everyday work environments, specifically about how . He says, "human-robot interaction is not just about how you interact with technology, but how the technology affects how people interact with other people.” 

    “It’s about moving beyond this one-to-one paradigm between a single human and a single robot into a group and team context because, the fact is, people rarely work alone," says Jung. 

    And therein lies one of the big problems with application security tools, or "robots". They are mostly designed for security testers conducting web application penetration tests, who are working alone. This setup is likely very different to the dynamics of your software engineering team, who are constantly collaborating with each other using developer tools like Jira or Github or Slack/Teams, etc. 

    Want to see how an automated pen testing tool built for software dev teams could help your software developers fix security vulnerabilities with on-demand security coaching?

    Are vulnerability scanners "developer-friendly"?

    In the case of vulnerability scanning tools, software engineers' mistrust is not solely a case of age-old human behavioural patterns. 

    As I showed you before, most application security tools were built for cybersecurity experts - the ethical hackers of the world. They were not built for software engineers.

    Most web application vulnerability scanners are not easy to set up, not easy to use and definitely do not help you patch a vulnerability unless you're willing to spend endless days scouring Google. They require tinkering with various add-ons and plugins just to run a scan. 

    When you're giving your software engineers tight deadlines and overloaded sprints, I think they can be (somewhat) forgiven for focusing on finishing their day jobs, rather than engaging in hand-to-hand combat with a vulnerability scanner just to run a vulnerability scan!

    My criticisms above are true for most of the bigger names in the vulnerability scanning field. That's why we built our own vulnerability scanner for software developers and automated penetration testing tool.

    Software teams really appreciate that Cyber Chief is frictionless and user-friendly, allowing them to concentrate on building great applications.

    Can a web vulnerability scanner also help with web application security?

    Not always. Some web vulnerability scanner tools are built just to find security threats on static websites. Unfortunately, these tools won't help you conduct deep-dive software security reviews on your web apps and APIs.

    The key capabilities of web application vulnerability scanning tools that set them apart from their simpler web vulnerability scanner tools include:

    • Authenticated vulnerability scanning, which allows them to perform application security testing behind a web application's login page.
    • Web services or API vulnerability scanning which allows the web application scanning tool to help you secure the APIs that help your software communicate with its backend or other external services.
    • Advanced reporting capabilities and integrations with other tools in your software development stack, like Jira, so that your developers can find and fix their own vulnerabilities without being completely reliant on external penetration testers.

    Finding application vulnerabilities behind the login is a must-have feature because we know that the attack surface that will produce the most critical vulnerabilities is behind your login.

    [Image: Web application vulnerability scanner]


    So while your web app vulnerability scanner may also help you secure your static public website, the reverse is not always true.

    It pays to do your research before you invest in an application security testing tool, so that it's fit-for-purpose for your needs.

    What makes the Cyber Chief web application scanner tool "frictionless"?

    Cyber Chief is a dynamic application security testing tool. It doesn't care about your code base. Instead it performs security testing on your web app using browsers - the same approach that hackers use to find attack vectors.

    A client who recently switched to Cyber Chief from a different vulnerability scanner put it this way: using the other tool was like driving on a highway full of potholes. Even when they get filled, the potholes come back after the next heavy rain.

    Cyber Chief, on the other hand, is like driving on a newly laid highway. It's smooth, the car makes less noise and I can get where I'm going at good speed.

    But, how does Cyber Chief achieve this, you ask? With a few key features, among others:

    • Easy integrations with your DevOps deployment pipelines so that your team never has to log in to Cyber Chief to run a vulnerability scan.
    • Run deep, authenticated scans behind your app login without having to configure hundreds of different plugins
    • Best practice software security vulnerability resolutions so your developers don't have to waste days looking for a fix on Google
    • A knowledge repository of how web application vulnerabilities were patched in your environment so that your developers don't have to reinvent the wheel when that vulnerability reoccurs

    Would you like my team to coach your dev team on how to fix vulnerabilities so that you can maximise your ROI from your AppSec investments?

    Does your software engineering team need a web application vulnerability scanner?

    The answer is yes, if you answer yes to any of these questions:

    • Is your software constantly being worked on to improve it or add new features?
    • Do you have cloud software penetration tests performed on your software? 
    • Does your web app store or access data that your users will want you to protect?
    • Do you have an ISO 27001 or SOC 2 or equivalent accreditation?
    • Is your development outsourced to an external team or company?
    • Is your cloud software used by enterprise customers, or are you planning to get more enterprise customers?
    • Is there a significant business impact if your web app's security holes are left unpatched and then exploited by an attacker?
    • Is it important for you to have a real time understanding of your web app's threat landscape?

    Answering yes to any of the above questions means that your software is being modified often enough; and/or that your users expect you to keep their data safe; and/or you need to prove to enterprise customers or auditors that you have a consistent and strong application security program in place. 

    Add to this the fact that most software breaches are a result of readily available patches or code fixes not being applied by the software engineering team. I could present you a slew of numbers on this, but take this as just one very common example:

    [Image: User-friendly web app vulnerability scanner for software developers]


    SQL injection is a vulnerability that has been well known, understood and patchable for well over 2 decades. Yet, such vulnerabilities are routinely introduced and reintroduced into software and not picked up until an external consultant performs their penetration testing services.

    If you are aiming to be in the top 8% of SaaS companies who want to shift left with security, then you need an application security program that offers the benefits and inclusions of our pentesting-as-a-service solution.

    Do you want to see a turnkey AppSec solution that includes a vulnerability scanning tool + on-demand manual pentests?

    Who gets blamed for security breaches at software companies?

    Usually it's the development team. Then the blame filters up to management, who will most likely turn around and fire any external service providers.

    But you can't blame software developers for not fixing a vulnerability if they don't have access to a vulnerability scanning tool that's made for SaaS engineering teams in the first place, can you?

    That would be like expecting a dishwasher to clean your dishes without any dishwashing tablets, no?

    When you combine the above variables with something as worrying as the following statistic, it becomes clear why you need to provide your software development team with a vulnerability scanner that can help them find and fix vulnerabilities on their own:

    [Image: User-friendly web app vulnerability scanner for software developers]


    Now, the only remaining question to ask is:

    Is there a vulnerability scanner that is built for software developers?

    TL;DR Yes, there is. Get Your Free Trial of Cyber Chief to see how it might work for you and your developers. 

    Cyber Chief is not just another tool to add to your stack. It's purpose-built to help your developers find and fix vulnerabilities before new versions of your application go into prod.

    It's a key component of ensuring that you have best-practice software security processes in place.

    But in case you don't trust my recommendation, let me first briefly explain to you what makes a web app vulnerability scanner suitable for use by your software engineering team.

    7 crucial features of vulnerability scanners for DevOps environments

    There are seven key features of a vulnerability scanner that you must consider when choosing one for your software development team:

    1. Do you need a dynamic scanner that actually attacks your web application or just a static scanner that identifies vulnerable code? Ideally, you should have both because they help you in different ways. 
    2. Does the vulnerability scanner provide fixes for each vulnerability in the languages that your application is built with? If not, your engineers will become frustrated and confused as they waste their time trawling through Google for the right fix.
    3. Dashboards - they're not there to only look pretty, but to also give a complete picture of your application's security posture.
    4. Vulnerability management - it's no good just finding vulnerabilities. They have to be ordered, presented and managed automatically for you in a way that helps your team assign accountability, collaborate where necessary and prioritise which vulnerabilities need to be fixed first. 
    5. Is the vulnerability scanner user-friendly? Can your team initiate scans with just one click or do they need to maintain different scripts and add plugins just to run a scan?
    6. Is the vulnerability scanner cloud-based or do each of your engineers need to install different packages on their local systems? 
    7. Does the scanner work with your DevOps or CI/CD deployment pipelines and processes?

    How to choose a vulnerability scanner that will grow with your application security goals

    You'll notice for some of these key considerations, there is no right or wrong answer. For example, a cloud-based vulnerability scanning tool might not work for all corporate environments that are heavily suspicious of cloud platforms! 

    On the other hand, it's absolutely crucial that the vulnerability scanner you choose has best-practices fixes that are relevant to your tech stack, along with an insight dashboard and full vulnerability management and collaboration features. 

    It's not hard to find a vulnerability scanner that finds all your vulnerabilities. It is hard to find one that will also be easy to use, require almost zero setup and won't slow down your software development team. 

    It's even harder to find a vulnerability scanner with features that will scale with your team from a technical perspective, but that also won't cost you an arm and a leg.

    We know this because we conducted primary product research with respected security experts and software engineers around the world. Then we designed, built and enhanced our own web application security testing tool, Cyber Chief. 

    Click the button below to get your own free trial of Cyber Chief to see how it works in your environment, on your cloud software and for your software engineering team.
