Modern application security requires speed, scale, and collaboration

Detectify is on a mission to make the Internet safer through automation and crowdsourced hacker knowledge. We recently published “A guide to modern web application security” for SaaS and tech organizations looking to bring their security up to speed with development. Download your free copy of the guide here.

Organizations are shipping code daily, making it challenging for security teams to keep track of changes in the web application and keep up with new security threats. Attack surface reduction is rising steadily on the priority list for security defenders, as opportunistic cybercriminals are finding new vulnerabilities by the second using scripts and automated hacking tools.

Between November 2020 to February 2021, over 5232 CVEs have been reported on NIST, which paints the picture that there a lot of vulnerabilities continually disclosed. There’s an even bigger spotlight on finding security practices that will keep up with this growing mountain of vulnerabilities and exposures in a scalable and sustainable way. The modern approach to security requires speed, scale and collaboration.

SPEED

Finding vulnerabilities in time saves you money – and headaches.

According to a FireEye analysis, they found multiple disclosed vulnerabilities exploited on a large scale within 48 hours of PoC or exploit code availability, while others within hours of a patch released. Security Boulevard reported that it takes an average of 7-14 days after CVE disclosure for it to show up in the wild. 

This makes a strong case that app owners and security teams need to keep their fingers on the pulse of vulnerability. This means curating or building automated testing to detect newly listed CVEs or known vulnerabilities within hours of disclosure and being able to act on high-severity vulnerabilities in production as soon as they’re verified as exploitable.

Today new vulnerability research can be analyzed and developed into technologies for testing in as fast as 25-minutes in Detectify’s security lab. With an app sec solution like Detectify, there’s no need to build your security testing for CVEs and other known vulnerabilities.

SCALE

An organization’s security priorities are shifting from “are we compliant?” to “are we able to detect an incident as soon as it happens?” 

A modern approach to security means building out a security strategy that enables answers to the latter sooner. If security prevents someone from doing their job, then it’s likely to prevent business from developing. That’s the opposite of scaling.

Automated checks and frequent audits of live code in the background are a couple of things that facilitate security to work with development and not against it. Running dynamic application security testing (DAST) or black-box testing on a regular basis can put more confidence in the products on the market, and you have a piece of mind that detection is in place to stop real-life attacks and find actively exploited vulnerabilities in time.

In a security-mature company, developers and Ops include security with software development by scanning for vulnerabilities after deployment and in the background regularly. This means scans are initiated automatically and only alert if something critical is found, making sure any severe security bugs found in production are remediated as soon as possible.

COLLABORATION

It takes more than one security tool to keep web applications secure against vulnerabilities.

Today’s leading tech organizations rely on a combination of hacker-powered security research and security automation to ensure a constant level of application security awareness and scalable defense along the front lines that make up the organizational attack surface.

DAST is no silver bullet for the application security of modern apps and products. Still, it complements and even maximizes the value you can get out of adjacent app sec options: pentesting and hosting bug bounty programs. The reality of today’s security toolbox is having a handful of services that specialize, leveraging their strengths results in a broad and practical approach to security.

How does security automation complement pentesting and bug bounty programs?

Take a look at how these tools work together.

Why manual pentesting and automation go hand in hand

Bug Bounty and Automation make a formidable pair together

How can Detectify help you with a modern approach to security?

Detectify offers cloud-based web application security solutions that streamline vulnerability findings to application owners. Detectify collaborates with ethical hackers to source the latest security research from hacker-to-scanner in as fast as 25 minutes, and delivers reliable payload-based testing to customers. This means verified results and clearer visibility with less noise. With Detectify you will bring security up to speed and scale with development, and go to market safer. See it for yourself with a free 2-week trial. Sign up today.

Jocelyn Chan is the Content Manager at Detectify. She is a self-proclaimed hype-girl for automated web security powered by white hat hackers and believes that the future is in the crowd. She also would like to connect more women in tech and security together which is why she is co-leading the Women in Security – Stockholm Chapter. And yes she has seen Hackers, and believes that it's so good because it's so bad.