Web Application Security Testing: Struggles, Shortfalls and Solutions

High-value data, mission criticality, and sheer numbers make web applications a compelling target for cyberattacks. According to Verizon’s 2023 Data Breach Investigations Report, web applications were the most commonly exploited vector in both incidents and breaches last year.¹  

There’s another reason why web applications may be so attractive to threat actors. Most security teams simply cannot keep pace with demands for application updates and patching, testing, and vulnerability remediation. As a result, many organizations struggle to protect their mission-critical web apps, which typically number in the dozens or hundreds.

To uncover current web application security testing challenges, requirements, and approaches, CyCognito sponsored a survey of several hundred U.S. and U.K. cybersecurity professionals. 

Key findings from the survey:

• Large attack surface: Organizations are exposing hundreds of web applications that are developed in-house and by third-party partners.

• Frequent incidents: More than 35% of respondents said their organization experiences a significant web app security event at least once a week. 

• Ineffective tools: Many respondents said they were concerned that tools for protecting web apps, such as web application firewalls, were not up to the job.

• Inadequate testing: Nearly three-quarters (70%) of survey participants said the number of web applications in their environment was too large for adequate testing. 

• Remediation difficulties: More than half of respondents indicated they struggle to remediate the vulnerabilities uncovered by web application testing. 

Web app security concerns      

Modern organizations rely on a vast number of web applications, both internally developed and from third-party vendors. This sprawling attack surface, constantly changing and growing, creates significant security concerns. These concerns varied among survey respondents, even though all of them had significant experience conducting or managing vulnerability scanning, web app security testing, or other SecOps tasks. 

The top concern was the overall threat posed to web applications, highlighting their criticality. Following closely were concerns about siloed teams (Dev, SecOps, etc.) hindering collaboration and the ineffectiveness of existing security tools, such as web application firewalls (WAFs).

Testing roadblocks

From DAST and IAST to penetration testing, organizations use a variety of methods to identify vulnerabilities, misconfigurations and other weaknesses in web applications. However, regardless of the method, most organizations only test monthly or less often, according to the survey. Also, tools are applied to a small portion of the attack surface. The results showed that comprehensive (100%) coverage of web apps by different test methods was limited, ranging from 5% to 13%. Infrequent or selective testing leaves web apps vulnerable to threats. 

Reasons why respondents do not test more often or cover more of the attack surface included:

• Too many apps and APIs
• Not enough time
• Frequent app updates and changes
• Insufficient staff
• Budget limitations

Remediation challenges and the need for automation

With an ever-growing number of vulnerabilities discovered each month, prioritizing remediation is crucial. However, over half of survey respondents struggle to address the vulnerabilities identified during testing. Staffing shortages and complex workflows further impede effective remediation. Looking forward, many respondents view automation as a top priority to streamline testing processes.

Solving the web app security testing dilemma

Taking into account the above constraints, how can organizations improve their testing frequency, coverage, and effectiveness? The following solutions represent best practices that can help achieve these goals:

• Continuous monitoring, which provides ongoing visibility into the attack surface, can improve proactivity and guide remediation activities.

• Automation can save time, money, and effort as long as it does not create other problems, such as generating false positives. Nearly two-thirds (65%) of respondents said increasing automation in their web application security testing will be a priority over the next year.

• Production testing (vs. sandboxing or offline testing) ensures that all elements affecting a web app are taken into account, including databases, open-source libraries, and authentication mechanisms.

Automated active security testing incorporates all of these factors. It eliminates tedious, labor-intensive manual processes by conducting continuous or frequent testing of all web apps and associated APIs in the environment, identifying risks with a high degree of accuracy, and filtering out low-priority issues or events. 

These sophisticated solutions can meet survey respondents’ top requirements for web app testing tools: 

• High accuracy 
• Continuous testing 
• Active testing of production apps without impacting them
• Risk prioritization 
• Robust automation capability
• Ease of use 

To help meet these requirements, 63% of survey participants said they plan to purchase a solution that enables continuous security testing of all web apps.

The CyCognito solution

CyCognito’s automated active security testing solution, part of its external exposure management platform, features the following:

• Automated discovery and attribution of external web assets
• Continuous testing of web apps using tens of thousands of tools, including DAST
• A prioritization engine that evaluates test findings in relation to exploit intelligence and business context. 

This SaaS solution delivers unmatched asset coverage and broad and deep insights on par with pentesting.

Interested in learning more about overcoming these web application security testing challenges and how you can achieve continuous testing? Download the report to dive deeper into the findings and discover best practices for conquering your web app security testing woes. Alternatively, contact CyCognito to learn more about how our active security testing can offer a solution for your organization.

¹ Barracuda Networks mitigated more than 18 billion attacks against web apps and APIs in 2023. https://blog.barracuda.com/2024/02/07/threat-spotlight-attackers-targeting-web-applications-right-now#:~:text=The%20number%20of%20attacks%20targeting,1.716%20billion%20in%20December%20alone.