Technology's pervasive reach is undeniable: adults spend an average of four hours online every day. In today's hyper-connected world, the risk of falling victim to a cyber-attack is very real.
46% of UK businesses reported a cyber-attack or breach in 2020, with many of them experiencing an incident at least once a week – and the impact can be significant. The Centre for Economics and Business Research (CEBR) estimates the annual financial impact of cybercrime on UK businesses to be £34 billion – split roughly 50-50 between lost revenue and increased IT spending.
Attackers never stand still, and as technology evolves, so do the threats against it. Proactivity is key: with a robust security program in place, businesses can reduce both the likelihood and the impact of a breach.
What is web application penetration testing?
A common way to assess a website's security posture is an annual penetration test: an in-depth, largely manual assessment in which a tester simulates real-world attacks to uncover exploitable vulnerabilities. The results let the application owner fix issues before an attacker finds them.
However, a penetration test is only a snapshot in time. What if a new vulnerability is disclosed in the web server a week later, or a developer introduces a misconfiguration in the next release? Even with every finding fixed, there is no guarantee that a significant weakness is absent from the application at any given moment. This is where vulnerability scanning is valuable.
What is web application vulnerability scanning?
Vulnerability scanners are off-the-shelf tools that run thousands of automated tests against a web application. They crawl the application, send crafted requests to its inputs and match the responses against signatures of known vulnerability classes such as cross-site scripting and SQL injection, which attackers could use to obtain sensitive data or gain unauthorised access to systems. Because the tests are automated, businesses can identify and fix weaknesses on a continuous, periodic or on-demand basis, a process known as vulnerability management.
The benefits of web application vulnerability scanning
- Coverage and speed: a scanner performs tests far faster than a manual tester and, with thousands of checks available, covers more of the application in less time.
- Visibility and scalability: scans can be run on a schedule or triggered by an event such as the release of a new feature, giving businesses an up-to-date view of current weaknesses. A cloud-based scanner can also be scaled up or down quickly as requirements change.
- Cost-effectiveness: the speed and coverage a scanner achieves make it a more economical choice for frequent testing than repeated manual penetration tests.
The limitations of web application vulnerability scanning
- A false sense of security: a scanner is only as good as its latest update. It relies on a database of known vulnerability signatures, so tests run against outdated signatures can miss issues, and flaws that have no signature at all, such as authorisation and business-logic errors, are missed regardless.
- Manual interpretation: scanners frequently flag legitimate behaviour as suspicious, so results still have to be reviewed by a person. If scans are run in-house, someone with the technical expertise to confirm or dismiss each finding quickly and accurately is needed; otherwise, time spent chasing false positives is time taken away from fixing exploitable vulnerabilities.
- Attack chains: attackers combine vulnerabilities to compromise a web application. Scanners assess each finding in isolation and cannot chain them, so several low-severity findings that together allow a significant breach will each be rated as minor, something only a manual penetration test will identify.
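As an added illustration (not part of the original article and not Zoonou's tooling), the Python below shows in miniature what two common scanner checks look like and why their output still needs human triage. The "web application" is a constructed in-process stand-in with a deliberately vulnerable and a safe variant of each endpoint; the endpoint paths, `request()` and `scan()` are assumptions made for this example.

```python
"""Miniature web vulnerability scanner, added as an illustration.
Two checks run against one parameter of each endpoint: a reflected-XSS canary
and an error-based SQL injection probe. The target is a constructed in-process
stand-in for a web app (no network), with a deliberately vulnerable and a safe
variant of each endpoint. Paths, request() and scan() are assumptions for this
example, not a real product's API."""
import html
import re
import sqlite3

# --- constructed target application ---------------------------------------
_db = sqlite3.connect(":memory:")
_db.execute("CREATE TABLE products (id INTEGER, name TEXT)")
_db.executemany("INSERT INTO products VALUES (?, ?)", [(1, "widget"), (2, "gadget")])


def _render(rows):
    return "<ul>%s</ul>" % "".join("<li>%s</li>" % html.escape(r[0]) for r in rows)


def _lookup_vulnerable(q):
    # Deliberately vulnerable: the parameter is concatenated into the SQL text.
    sql = "SELECT name FROM products WHERE name = '" + q + "'"
    try:
        return 200, _render(_db.execute(sql).fetchall())
    except sqlite3.Error as e:
        # Debug-style error page that leaks the database error; this is what
        # an error-based injection check keys on.
        return 500, "<pre>sqlite3.%s: %s</pre>" % (type(e).__name__, e)


def _lookup_safe(q):
    # Parameterised query: a quote in the input is just data.
    rows = _db.execute("SELECT name FROM products WHERE name = ?", (q,)).fetchall()
    return 200, _render(rows)


def _search_vulnerable(q):
    # Deliberately vulnerable: reflects the parameter into HTML unencoded.
    return 200, "<p>Results for %s</p>" % q


def _search_safe(q):
    # Reflects the parameter but HTML-encodes it: a naive "is my payload in the
    # page?" check would still fire here, which is how false positives arise.
    return 200, "<p>Results for %s</p>" % html.escape(q, quote=True)


APP = {"/lookup": _lookup_vulnerable, "/lookup-safe": _lookup_safe,
       "/search": _search_vulnerable, "/search-safe": _search_safe}


def request(path, value):
    """Stand-in for an HTTP GET of path?q=value; returns (status, body)."""
    return APP[path](value)


# --- scanner checks ----------------------------------------------------------
# A unique token carrying the characters that matter in an HTML context.
XSS_CANARY = "zn7q<\"'>zn7q"
# Signatures of database errors that commonly surface in responses.
SQL_ERROR_RE = re.compile(
    r"sqlite3\.\w*Error|SQL syntax|unrecognized token|unterminated quoted string", re.I)


def scan(path, send=request):
    """Probe one endpoint's parameter; return [(check, severity, evidence), ...]."""
    findings = []
    _, body = send(path, XSS_CANARY)
    if XSS_CANARY in body:
        findings.append(("reflected-xss", "high", "canary reflected unencoded"))
    elif html.escape(XSS_CANARY, quote=True) in body:
        # Reflected but encoded: reported for a human to confirm the context,
        # not as a confirmed vulnerability.
        findings.append(("reflection", "info", "canary reflected HTML-encoded"))
    _, body = send(path, "'")
    m = SQL_ERROR_RE.search(body)
    if m:
        findings.append(("sqli-error-based", "high",
                         "database error in response: " + m.group(0)))
    return findings


def scan_all(paths=APP):
    """Scan every known endpoint; returns {path: findings}."""
    return {p: scan(p) for p in paths}


if __name__ == "__main__":
    for path, findings in scan_all().items():
        print(path, findings or "no findings")
```

Running it reports a high-severity finding on each deliberately vulnerable endpoint and nothing on the parameterised lookup. The encoded search endpoint produces only an informational reflection record: a scanner that raised that as a vulnerability would be generating exactly the kind of false positive the list above warns about, and a scanner that keyed on a single error string would miss any application whose error page wording differs, which is the signature-dependence problem in miniature.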
What is the right choice? Penetration testing or vulnerability scanning?
Accelerated digital transformation and a continuously evolving threat landscape mean that cybersecurity should be high on the priority list for all businesses.
Penetration testing and vulnerability scanning each have their place, with their own pros and cons. Nothing beats the curious and ingenious mind of a security analyst, but an analyst's capacity is limited and simply cannot match the speed or frequency of a scanner.
At Zoonou, we believe an effective cybersecurity solution combines both approaches: first, baseline the web application's security posture with an in-depth manual penetration test, then run periodic vulnerability scans between subsequent penetration tests, bringing together the best of both worlds to proactively safeguard data and applications.