<- Go back to blog

Modern Technology Environments Demand Modern Application Security Testing

Regardless of how diligent a development team is or how many security checks they run in their development environments, vulnerabilities will creep into production systems — and the very complex and ever-evolving nature of today’s production environments requires modern application security testing capabilities. The software security and quality challenge affects everyone. And without secure software, security teams can’t secure their systems and data.

In this article, I explain how to think about secure software development and how to choose the right tools for today’s software security challenges.

Before I explain precisely what modern application security testing means, we should first detail why security vulnerabilities will always appear within production environments. Instead, no matter how talented or conscientious your developers and application security testing teams work, flaws will be missed during the development and deployment. Second, today’s production environments are constantly changing. You need tools to adapt and dig deep into web pages and applications.

There was a time when website and enterprise applications were created and deployed much differently than today. First, they were typically designed and deployed with three distinct tiers: presentation, application, and data. While that three-tier model isn’t gone, it has significantly evolved with the rise of cloud computing, microservices, APIs, and containers that modernized it so that web and enterprise applications could be even more dynamic, scalable, and resilient if application security is done right.

Second, the primary development method during this time was known as waterfall. As the name suggests, applications were fully developed and then deployed in linear, sequential steps that flowed like a river and ended in an extensive deployment. Security testing, if done at all, was completed toward the end of the development process or when applications were already nearing or even in production.

These “big bang” deployments have mainly been replaced today by continuous application development, delivery methods, and even some cases of continuous deployment. Here, organizations deploy a minimal viable product that is then continuously updated. Ideally, security and other application testing occur continuously. Testing also needs to continue after deployment.

Without continuous or at least periodic testing, vulnerabilities arise as new software features are added, APIs are updated, and new integrations are created and missed. These systems change daily.

What does all of this mean for the effectiveness of legacy security testing tools? Quite a bit.

Older web crawlers were developed for that earlier time, before the rise of APIs. Most legacy scanners are not capable of even properly assessing single-page applications. For instance, I’m amazed at how often we get comments from clients and prospects evaluating Probely and telling us that Probely scans can reach sections of their applications that no other assessment tool they tried could.

There’s a story of one of our prospects, who is now a client, who was evaluating Probely and different competitors, and they found a high-risk vulnerability in one of their applications that no one else could see. They couldn’t figure it out. They emailed us asking how we did it. They wanted to meet with us to understand what led to the finding. We had to investigate how we found that vulnerability and prove it was real. We also tried to figure out why no one else found it. The conclusion was coverage: Our crawler successfully found that endpoint and all the competitors failed to see that endpoint.

This story highlights the importance of finding and using a dynamic application security scanner (DAST) built to assess the modern business-technology environment, which can accurately assess web applications and APIs. Here’s what to expect from a modern DAST that can get that done: 

Technology Agnostic: A DAST scanner should be technology agnostic, meaning it can effectively test applications regardless of the programming languages or technologies used to build them. This is particularly beneficial in today’s diverse and complex application landscapes, where applications often compromise multiple components developed by different teams using various languages.

Focus on Developer Experience: The modern DAST scanner is developer-friendly. It operates in a way that mimics hackers, directly demonstrates problems, and can present evidence of exploits. This makes vulnerabilities more tangible for developers and provides them with tailored instructions on how to fix the issues based on the application’s technology stack. This focus on actionable insights and minimal false positives saves developers significant time and effort, enhancing their productivity and the security posture of their applications.

Integration with CI/CD Pipelines: Probely advocates for integrating DAST scanners within Continuous Integration/Continuous Deployment (CI/CD) pipelines. This integration is crucial for embedding security into the development process, turning DevOps into DevSecOps. By customizing tests and ensuring a dedicated testing environment, DAST can significantly identify risks and vulnerabilities in real-time, facilitating a more secure and efficient development lifecycle.

Comprehensive Vulnerability Detection: The DAST scanner is designed to identify a wide range of vulnerabilities to provide detailed reports and remediation guidance. Comprehensive coverage ensures that applications and APIs are tested thoroughly.

Minimization of False Positives: A significant advantage of DAST is the ability to minimize false positives compared to other testing methodologies. This efficiency in accurately identifying genuine vulnerabilities reduces the burden on development teams, enabling them to focus on addressing real security issues rather than sifting through erroneous alerts.

When we started building Probely, there were two main issues on which we focused. The first was coverage, and the second was solving the false positive challenge. We realized that building something from scratch was the only way for us to do a good job.

We knew we could succeed. We had much experience developing browsers, JavaScript, and other web page languages. We used our knowledge to create a crawler that was unlike anything else in the market.

Also, we succeeded because we focused on solving one of the biggest challenges plaguing web application scanners: false positives. We employed many techniques, from heuristics analysis to developing accurate ways to detect particular vulnerabilities. We also worked on being able to safely exploit the vulnerabilities we find so that we can gather the needed proof that a specific flaw is fundamental. For instance, when we detect a SQL injection flaw, we have a particular module that will use that vulnerability to connect to the database and prove exploitation is possible.

Finally, to remain effective and relevant as a web application assessment tool, revising one’s security assessment product when necessary is essential. And we have done so. After a few years of use, we noticed new issues that would impact our crawler. Instead of building around those existing issues, we rebuilt a second version of our crawler from scratch. This fixed what we wanted to improve and allowed us to incorporate all of the lessons we learned during our first few years. 

Unfortunately, many legacy providers keep holding onto the baggage they created when they first developed their products. After a time, they end up with intractable structural challenges. 

So that organizations can secure their modern web applications and development pipelines, it’s essential to choose a current DAST scanner. One that is technology-agnostic, developer-friendly, and provides seamless integration with CI/CD pipelines, comprehensive vulnerability detection capabilities, and efficient minimization of false positives. Collectively, these attributes enhance the security testing process, making it more effective and aligned with modern development practices. 

But you don’t have to take my word for it. I am unabashedly biased. You can try Probely for yourself without charge and see its ease of use, accuracy in detecting vulnerabilities, and the quality of its reporting and remediation guidance.