Opinion: Almost every business that has computers buys an antivirus solution. However, relatively few businesses that have their own websites buy vulnerability scanners. I believe that most people don’t buy solutions to protect their web applications not because they don’t feel that it’s necessary but because they don’t realize that effective solutions exist.
Imagine talking to a friend of yours and saying that you bought a new mobile phone. Imagine that their response was: oh, I have a very cool mobile phone, too, I think it’s pretty modern – and that phone turns out to be the original Nokia 3310. This situation may sound grotesque and very improbable. However, in the world of web security, it’s not that improbable at all.
Do You Know DAST?
When I recently saw a security-themed report from one of the biggest DevOps providers in the world, I was completely shocked. They analyzed the state of security of their repositories using primarily SAST tools and only scanned for certain minor issues using DAST. They explained their approach by saying that “dynamic scanning tends to primarily only find low priority vulnerabilities unless the scanners are configured to authenticate the web applications and successfully spider the entire application”.
When I read the above reasoning, I was speechless. Acunetix has been on the market for 15 years and it was always based on an advanced crawler that could spider the entire web application. It also had the ability to enter authenticated areas for many years using the Login Sequence Recorder. How could a huge DevOps technology and repository provider not know this?!
The sad truth is – we come across similar situations quite often. It seems that the web application security market is simply evolving too fast for security experts to follow – even if those security experts work for one of the biggest DevOps providers in the world.
The Burden of History
Many security managers suddenly find themselves in charge of web security because the business is moving to the cloud. Such managers have years of experience with network security but often no experience with web security at all. While network security gives them an excellent starting point, in my opinion, it makes them cling too much to their old habits.
For example, our potential customers often ask us what vulnerability databases do we use for our checks (e.g. CVE). The question itself immediately exposes the fact that the person who is asking does not understand how a web vulnerability scanner works. They think it works like a network scanner – on the basis of signatures – and is intended to find known vulnerabilities only, which is far from the truth.
Perhaps one of the reasons why the report mentioned above included such misconceptions about DAST was because the authors come from the world of network security and haven’t yet had enough time to get to know the web security market?
Open Source Is Not Good Enough
Dynamic scanning is often misunderstood because people base their opinions on open-source DAST solutions. And the sad truth is that in the world of dynamic web application scanning, open-source solutions do not deliver at all.
Open source is a blessing in general. There are lots of very powerful open-source products such as Linux, LibreOffice, and more. However, if you try to force a professional to work with Gimp instead of Photoshop, Inkscape instead of Illustrator, or Audacity instead of Cubase, many will quit the next day. It’s the same with web application security solutions – open source simply does not measure up.
It’s true that there are many valuable open-source security projects such as Snort, Nmap, ModSecurity, and more – but all of them are manual tools. There are good manual web application security scanners based on the open-source model. However, none of them compare to professional products such as Acunetix.
I believe that the primary reason why the report mentioned above included such misconceptions was the fact that the authors of the report simply used free tools. When it comes to open-source dynamic scanning solutions, their statement is absolutely true – they need a lot of manual configuration to give sensible results.
Out of the Comfort Zone
When writing this opinion piece, I recalled the time when I was first approached by Acunetix as a candidate for recruitment. When that happened, I asked a friend of mine – Michael, a professional security researcher working for a major government institution – for his opinion of Acunetix. Michael’s response was – “it’s a good tool but many people think that it will find everything for them, I prefer using manual tools such as Burp Proxy”.
I believe such an approach, quite typical for many security researchers, is caused by several factors. Some researchers are afraid that automatic tools will replace them (which is very unlikely due to the huge cybersecurity skill gap). Others believe that an automated scanner will never find as much as a manual test (and it’s true, that’s why the two need to co-exist).
It seems that my friend Michael did not realize that the scanner is supposed to give him time to actually hack instead of wasting time manually checking for the simplest SQL injections on every form available in a huge web application. There are professional hackers who use Acunetix to find security holes in services provided by giants such as Google. And not just once.
SAST vs. DAST
Last but not least, I believe that the false opinion about DAST is caused by the fact that for years, SAST has been perceived as the only viable solution for DevSecOps.
The opinion that DAST is not usable in CI/CD pipelines is simply an old myth, which is still repeated by many (including some SAST manufacturers). For example, you can use Google search to find several sources that state that DAST can only be used late in the SDLC. This is not true – we have many clients that run Acunetix tests after every internal build. Such sources also state that web application security scanners have no way to point to problems in the source code, while AcuSensor proves them wrong by using unique active IAST technology.
In a healthy DevSecOps environment, SAST and DAST should coexist because each has its unique advantages. However, modern DAST is more universal, takes much less time to implement, and makes a better starting point.
Spread the Word
How can we get rid of such misconceptions about DAST?
We need your help. We need you to test modern DAST tools such as Acunetix and spread the word. Share this post on your social media, send it to other security people that you know, make sure that they are keeping up with the latest developments in web application security technology.
Get the latest content on web security
in your inbox each week.