From web-based email to online shopping and banking, organizations are bringing their businesses directly to customers' web browsers every day, eliminating the need for complex installations or update rollouts. Organizations are also rolling out internal web applications for finance, marketing automation, and even internal communication; these are often homegrown, or at least fine-tuned for their particular needs.

While web applications offer convenience to businesses and customers alike, their ubiquity and their exposure to the internet make them a popular target for cybercriminals. As a result, web application security testing, that is, scanning and testing web applications for exploitable weaknesses, is essential.

As the 2018 Verizon Data Breach Investigations Report shows, web applications are a popular attack target in confirmed data breaches, and in some industries up to 41% of data breaches are web application-related. The report also found that about half of web application-related breaches took several months or longer for security teams to discover. The longer an attacker has access to systems, the more damage they can cause, so attackers must be discovered and removed as quickly as possible. That is often easier said than done.

As attackers increasingly target web applications, they refine and battle-test their methods, and their sophistication grows. Even if a company follows best practices to protect itself against common web application attacks (such as the OWASP Top Ten), this may not be enough. Breaking into web applications can be lucrative for criminals, so they are motivated to use the newest attack methods and tools, and they may have the resources of organized crime behind them. This kind of muscle can be hard for a business to combat alone.
Web applications are also complex enough that a request which is malicious in one application looks like ordinary use in another, which defeats systems designed to detect intrusions automatically. That is why generic intrusion detection alone is not sufficient; web application security testing fills the gap by finding the flaws before an attacker does.
Our consultants at J S Teksys perform three types of application security testing:

Dynamic Application Security Testing (DAST):
A DAST tool tests the running application from the outside, sending requests the way an attacker would and inspecting the responses for signs of exploitable weaknesses such as injection flaws, cross-site scripting and missing security headers. Because it needs no access to the application's source code, DAST can be run quickly and frequently against any deployed instance. The trade-off is that it only exercises the parts of the application it can reach, and it reports symptoms rather than the offending line of code.
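As an added illustration (not J S Teksys's code, and not a tool the page names), the following black-box probe shows the DAST idea in miniature: it knows nothing about the target's source and only sends a request carrying a unique canary payload, then checks whether the response reflects that payload unescaped. The target is a small WSGI application constructed for the demo, with one endpoint that reflects input raw and one that HTML-escapes it; the paths, the parameter name and the payload are assumptions made for the example.

```python
"""Minimal DAST-style probe for reflected cross-site scripting.

Added example, not J S Teksys code. The scanner treats the application as a
black box: it never reads source, it only sends requests and inspects the
responses, which is all a dynamic tester has. To stay self-contained it
drives a small constructed WSGI application in-process rather than over a
socket; against a real deployment only the transport would change.
"""
import secrets
from html import escape
from io import BytesIO
from urllib.parse import parse_qs, urlencode


# --- constructed target application (for the demo only) --------------------
def demo_app(environ, start_response):
    """Two search endpoints: /search reflects input raw, /safe-search escapes it."""
    path = environ["PATH_INFO"]
    params = parse_qs(environ.get("QUERY_STRING", ""))
    q = params.get("q", [""])[0]
    if path == "/search":
        body = f"<h1>Results for {q}</h1>"            # vulnerable: raw reflection
    elif path == "/safe-search":
        body = f"<h1>Results for {escape(q)}</h1>"    # hardened: HTML-escaped
    else:
        start_response("404 Not Found", [("Content-Type", "text/plain")])
        return [b"not found"]
    start_response("200 OK", [("Content-Type", "text/html; charset=utf-8")])
    return [body.encode("utf-8")]


# --- black-box transport -----------------------------------------------------
def wsgi_get(app, path, params):
    """Issue a GET to a WSGI app and return (status, headers, body as text)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = list(headers)

    environ = {
        "REQUEST_METHOD": "GET",
        "PATH_INFO": path,
        "QUERY_STRING": urlencode(params),
        "SERVER_NAME": "localhost",
        "SERVER_PORT": "80",
        "SERVER_PROTOCOL": "HTTP/1.1",
        "wsgi.url_scheme": "http",
        "wsgi.input": BytesIO(b""),
    }
    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body.decode("utf-8", "replace")


# --- the probe ---------------------------------------------------------------
def probe_reflected_xss(app, path, param):
    """True if a unique canary payload comes back without HTML-escaping.

    A random canary keeps the check specific to this request, so a page that
    happens to contain a literal '<svg' elsewhere does not trigger a finding.
    """
    canary = secrets.token_hex(6)
    payload = f'<svg onload="{canary}">'
    status, _, body = wsgi_get(app, path, {param: payload})
    if not status.startswith("200"):
        return False
    # Correct escaping would yield &lt;svg onload=&quot;...; the raw tag is the signal.
    return payload in body


def scan(app, targets):
    """Probe each (path, parameter) pair and return the vulnerable ones."""
    return [(path, param, "reflected-xss")
            for path, param in targets
            if probe_reflected_xss(app, path, param)]


if __name__ == "__main__":
    for hit in scan(demo_app, [("/search", "q"), ("/safe-search", "q"), ("/missing", "q")]):
        print("VULNERABLE", *hit)
```

Note what the probe does not tell you: it reports that /search echoes unescaped input, not which template or handler is responsible, and it would never find an endpoint or parameter it was not told to request. Those are exactly the gaps SAST and manual testing cover.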

Static Application Security Testing (SAST):
SAST takes the opposite, inside-out approach: rather than probing the running application, it analyses the web application's source code (or compiled bytecode) for insecure patterns without executing it. Because it works from the source, SAST can run early in development, before the application is even deployable, and report the exact file and line of each finding. The trade-off is that it cannot see runtime configuration or behaviour, and it tends to produce more false positives than DAST.


Application Penetration Testing:
Application penetration testing adds the human element. A security professional emulates how an attacker would break into the web application, combining their own security know-how with a variety of penetration testing tools to find and demonstrate exploitable flaws, including business-logic flaws that automated scanners do not recognise. Web application penetration testing can also be outsourced to a third party if you do not have the resources in-house.
Web application security is more important than ever. By implementing a web application security scanner and following some basic best practices for both testing and remediation, businesses can significantly reduce their risk and help keep their systems safe from attackers.

Static Code Analysis:
Static analysis, also called static code analysis, is a method of analysing a computer program by examining its code without executing it. The process gives an understanding of the code structure and can help ensure that the code adheres to coding standards. Automated tools assist programmers and developers in carrying out static analysis; scrutinising code by inspection alone, without automated tools, is manual code review.
The principal advantage of static analysis is that it can reveal defects that would otherwise not manifest until a failure occurs weeks, months or years after release, and it can do so before the code is ever run. Nevertheless, static analysis is only a first step in a comprehensive software quality regime: it reports patterns in the code rather than the program's actual behaviour, so it produces both false positives and false negatives. After static analysis has been done, dynamic analysis, the testing and evaluation of the program while it executes, is performed to uncover the subtle defects or vulnerabilities that only appear at runtime. Testing that draws on knowledge of the program's internals, as static analysis and source-informed dynamic testing do, is called glass-box (or white-box) testing; DAST, which works purely from the outside, is black-box testing.
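Both the SAST description above and this section describe analysis that reads code without running it. The following checker, an added example and not J S Teksys's code or any tool the page describes, shows the idea concretely with Python's standard ast module: it walks the syntax tree of constructed sample source, flags a SQL query built by string concatenation and a call to eval(), passes the parameterized version, and misses the same bug when the query is assembled one statement earlier, because it does no data-flow tracking. The rule names, the sample functions and the Finding type are all invented for the demo.

```python
"""Minimal SAST-style checker built on Python's ast module.

Added example, not J S Teksys code. It reads source text and inspects the
syntax tree without ever executing the program, flagging two classic
patterns:
  * a SQL query assembled at runtime (f-string, %, +, .format) and handed to
    cursor.execute()/executemany()  -> possible SQL injection
  * a call to eval() or exec()       -> possible code injection
The three source samples at the bottom are constructed for the demo.
"""
from __future__ import annotations

import ast
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    line: int
    rule: str
    detail: str


def _built_at_runtime(node: ast.AST) -> bool:
    """True if the expression assembles a string at runtime."""
    if isinstance(node, ast.JoinedStr):                      # f"..."
        return True
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        return True                                          # "..." + x, "..." % x
    if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format"):
        return True                                          # "...".format(x)
    return False


class InsecureCallVisitor(ast.NodeVisitor):
    def __init__(self) -> None:
        self.findings: list[Finding] = []

    def visit_Call(self, node: ast.Call) -> None:
        func = node.func
        if (isinstance(func, ast.Attribute) and func.attr in ("execute", "executemany")
                and node.args and _built_at_runtime(node.args[0])):
            self.findings.append(Finding(
                node.lineno, "sql-injection",
                "query text is built at runtime; pass a constant query and bind parameters"))
        if isinstance(func, ast.Name) and func.id in ("eval", "exec"):
            self.findings.append(Finding(
                node.lineno, "code-injection", f"{func.id}() evaluates arbitrary code"))
        self.generic_visit(node)


def scan_source(source: str) -> list[Finding]:
    """Parse the source and return findings sorted by line; nothing is executed."""
    visitor = InsecureCallVisitor()
    visitor.visit(ast.parse(source))
    return sorted(visitor.findings, key=lambda f: f.line)


# Constructed samples. Line numbers count from the line after the opening
# triple quote, so the first 'def' is on line 2.
VULNERABLE_SOURCE = '''
def find_user(cursor, username):
    cursor.execute("SELECT * FROM users WHERE name = '" + username + "'")
    return cursor.fetchone()

def run_filter(expr):
    return eval(expr)
'''

HARDENED_SOURCE = '''
def find_user(cursor, username):
    cursor.execute("SELECT * FROM users WHERE name = ?", (username,))
    return cursor.fetchone()

def run_filter(expr):
    import ast
    return ast.literal_eval(expr)
'''

# Same bug as VULNERABLE_SOURCE, but the query is built one statement earlier.
# This checker has no data-flow tracking, so it misses it: a concrete case of
# the false negatives that make static analysis a first step, not the last.
MISSED_SOURCE = '''
def find_user(cursor, username):
    query = "SELECT * FROM users WHERE name = '" + username + "'"
    cursor.execute(query)
    return cursor.fetchone()
'''

if __name__ == "__main__":
    for name, src in [("vulnerable", VULNERABLE_SOURCE),
                      ("hardened", HARDENED_SOURCE),
                      ("missed", MISSED_SOURCE)]:
        print(name, [(f.line, f.rule) for f in scan_source(src)])
```

Production SAST tools close the MISSED_SOURCE gap with taint tracking (following untrusted input through assignments and calls to a dangerous sink), which is also where most of their complexity and their false positives come from; the dynamic probe in the DAST section would catch that same bug from the outside without caring how the query was assembled.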

© J S Teksys Inc. 2019. All rights reserved.