Why Web Application Security Assessments Should Move Up Your To-Do List

Why is it important to get web application security assessments in addition to your annual penetration testing? Recent data shows a rising number of attackers are targeting the web application layer. The 2020 Verizon DBIR found that web application attacks doubled from 2019 to 2020. And the trend continues into 2021. New data announced last month from Microsoft found that web shell attacks (a key entry point for web app compromise) have increased every month from August 2020 to January 2021 – and are now almost double the monthly average of the previous year. Furthermore, another study shows that ransomware attacks are increasingly targeting the web application layer; this makes sense since web applications are often some of the only services organizations have publicly exposed.

So, how do you reduce your risk, and what should you expect from these tests? LMG Security’s CTO Dan Featherman and our experienced web app security testers Braelynn Luedtke and Ross Miewald share the ins and outs of web application security assessments in this Q & A.

Question: What are web application security assessments and how are they different from a penetration test?

Answer: While penetration testing is a key component of cybersecurity, it is only part of the solution. External pen tests generally only extend to the surface level with web applications. Most organizations request network penetration tests and pen testers are not given credentials to web apps, so web application security assessments are generally not part of a standard pen test.

Our team likes to say that if the standard network penetration test is a mile wide and an inch deep, web application security assessments are an inch wide and a mile deep. With a web app assessment, the scope has a very narrow focus. Testers evaluate multiple levels of credentials and permissions. Web application security assessments dive deep into the application and API. They frequently reveal valuable data about security gaps in applications that can disclose PII, or vulnerabilities that can be used as a pivot point for hackers to enter a network. Our experienced team can pen test almost anything. While many clients don’t request the web app assessment individually or as part of their pen test, they should. With the rise in attacks at the web application level, we recommend that all customers using any type of web app should have a web application security assessment.

Question: When is the best time to get a web application security assessment?

Answer: Generally, most organizations have web application security assessments annually, or when there is a major change. Our team recommends a new test if any of the following occur:

• Creation of a new web app
• Major functionality changes to existing apps
• New integrations are added to existing apps
• When you implement Multi Factor Authentication (MFA)
• You are one update cycle after a web application security test in which vulnerabilities are found – retesting is key to ensuring all gaps were successfully remediated

Web application security assessments are helpful both pre- and post-production. Many web applications use common libraries with underlying components that could have exploitable vulnerabilities. Unfortunately, many web apps don’t get patched like traditional systems, and periodic web application security testing can help organizations uncover these security gaps.

Question: What common vulnerabilities do you find in these assessments?

Answer: The LMG Security team has done many, many hundreds of web application security assessments. Some of the concerning things companies many discover during these tests are cloud misconfigurations, leaked admin credentials, authentication issues, and API information disclosures. With web application use increasing over the last 5 years, our team feels these tests simply don’t get the attention they deserve. Web application security assessments provide a deeper dive into applications and APIs that can unearth critical security vulnerabilities. Here a few examples:

• An authentication error can enable hackers to bypass authentication and extract Personally Identifiable Information (PII), Confidential Information (CI), and more.
• A simple misconfiguration could result in the compromise of administrative credentials or keys that enable hackers to access data or systems.
• With the proliferation of IoT and “smart” everything, you may have web applications hanging out on the Internet that you don’t even know about. We’ve seen everything from building HVAC systems, unsecured surveillance systems, and APIs that returned healthcare data. The compromise of these applications could lead to hackers holding that physical facility, system, application, or even the organization’s data hostage.

The most common vulnerabilities are information disclosures, header and cookie misconfigurations, username enumeration, lack of MFA, as well as cross-site scripting, cross site resources sharing, and cross site request forgery.

Question: What is LMG Security’s Web Application Security Assessment Methodology?

Answer: We created our web application security assessment program to evaluate all the OWASP Top 10 Web Application Security Risks. These are the core foundational components of our testing, and we use the annual OWASP vulnerability findings extensively. We test for the first 9 risks directly, and our team communicates with your internal team about the flagging and alerting that occurs during the test so you can use this information to evaluate whether you have sufficient logging and monitoring. If you have any questions, we are here to help! Finally, we generally prefer to test in QA if QA and production are separated. This helps to avoid unintended denial of services. Keep in mind that we can customize any of our testing services to meet your unique needs.

For more detailed information on web application security assessments, contact our friendly service team.