How Often Should You Scan Websites and Web Applications for Vulnerabilities?
Web Applications and Websites Exist in a Dynamic Environment
There is no questioning the fact that the web application security landscape is in a constant state of flux. The pace of change is not only rapid but resembles a constant game of cat and mouse between hackers and security professionals.
Any business or entity that maintains an internet presence is at risk of being hacked. It doesn’t matter whether you have a simple information-based website designed to promote your business or a web application that handles customer data or complex financial transactions — your presence alone creates an inherent risk.
One of the most effective ways to mitigate your risk is by being proactive not only throughout the development phase but also once your website or application goes live.
Determining how often you should scan your web applications for vulnerabilities, both during the development phase and post-deployment, is not as easy as you might imagine. While it would be nice to propose a one-size-fits-all solution, it’s just not possible. Each situation needs to be looked at independently. You need to make an assessment based upon the individual risk factors associated with your website or web application.
Scanning Websites and Applications Under Development
Coding performed by humans is subject to security vulnerabilities — this will never change. The simple fact of the matter is that people make mistakes. As websites and applications become more complicated, it becomes increasingly important to check for vulnerabilities at regular intervals.
Much like a house requires a strong foundation, so does a website or web application. Anything built on a weak foundation is at risk of needing to be torn down and rebuilt.
Ideally, any web application or website under development should be manually reviewed and scanned with an automated tool at regular intervals. This work should be performed by both developers and pen-testers.
The exact frequency should depend on your particular situation. A good rule of thumb is to make sure you do not build a new layer on top of one that might contain vulnerabilities. You should be scanning at each critical juncture in the development process, just as you wouldn’t build a second floor on top of a first floor that was structurally unsound.
Scanning Deployed Websites and Applications for Vulnerabilities
Just because your coding practices are sound and were consistently reviewed during the development phase does not mean you’re out of the woods. As soon as your website or web application has been deployed, it’s a good idea to determine an ideal frequency of scanning. Deciding on an appropriate frequency requires that you give consideration to a variety of factors including:
- Technological Change - The pace of technological change is rapid. As a result, websites and applications frequently introduce new functionality. An example would be the introduction of WordPress REST API (which so far has proven to be secure). Anytime there is a change, reevaluation is a good idea.
- Increased Application Functionality - As users demand increased functionality from web applications, developers are faced with a naturally increasing attack surface. It presents a real catch-22 because the end user sees your website as providing more value, but that same value unknowingly causes a corresponding increased security risk.
- Newly Discovered or Popular Vulnerabilities - Hackers will continue to find new ways to exploit vulnerabilities and take advantage of end users. Their strategies change and adapt as required. For example, ransomware has seen a surge in popularity in recent years.
All three of these situations (technological change, increased functionality, and new vulnerabilities) result in a need to frequently scan your website in an effort to stay one step ahead of hackers.
As a general rule, the more functionality your website provides, and the more interaction there is between your web application and the end user, the more frequently you should consider scanning.
It’s also important to consider whether your web application gathers sensitive user information or performs financial transactions. Both of those scenarios would indicate a need for more frequent scanning.
At the same time, don’t forget that while mission-critical web applications should receive first priority, you should still be scanning more benign websites like those responsible for marketing and promotion.
In addition to regularly scheduled vulnerability scanning, there are a few more factors to consider with regard to frequency.
Any time you update your software, whether it’s to add functionality or patch an existing vulnerability, you should perform a scan. At the same time, if there are reports of a new exploit in the wild, don’t wait until your next scheduled scan — be proactive.
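The cadence rules above (base frequency driven by sensitivity, financial transactions and user interaction; mission-critical applications first; an immediate scan on any update, patch or report of a new exploit; and, from the development section, a scan at each critical juncture such as a deploy or new feature) can be written down as a small scheduling policy. The following is an added example, not code from the original article; the tier names, the day counts in BASE_INTERVAL_DAYS, the event names in IMMEDIATE_TRIGGERS and the sample inventory are all assumptions chosen for illustration, since the article deliberately gives no fixed numbers.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum


class Tier(Enum):
    """Risk tiers drawn from the article's factors, ordered from lowest to highest risk."""
    MARKETING = 0     # promotional site, no user data
    INTERACTIVE = 1   # forms, logins, user-generated content
    SENSITIVE = 2     # gathers personal information
    FINANCIAL = 3     # performs financial transactions


# ASSUMED cadence in days per tier. The article gives no numbers; these are
# placeholder policy values to be tuned by each organisation.
BASE_INTERVAL_DAYS = {
    Tier.MARKETING: 30,
    Tier.INTERACTIVE: 14,
    Tier.SENSITIVE: 7,
    Tier.FINANCIAL: 3,
}

# Events that warrant an out-of-cycle scan (assumed event names): a deploy or
# new feature is a "critical juncture", a patch is a software update, and an
# exploit report means "don't wait for the next scheduled scan".
IMMEDIATE_TRIGGERS = frozenset({"deploy", "new_feature", "patch", "exploit_in_the_wild"})


@dataclass(frozen=True)
class WebAsset:
    name: str
    user_interaction: bool = False
    handles_sensitive_data: bool = False
    performs_financial_transactions: bool = False


def classify(asset: WebAsset) -> Tier:
    """Highest applicable tier wins: financial > sensitive > interactive > marketing."""
    if asset.performs_financial_transactions:
        return Tier.FINANCIAL
    if asset.handles_sensitive_data:
        return Tier.SENSITIVE
    if asset.user_interaction:
        return Tier.INTERACTIVE
    return Tier.MARKETING


def scan_interval(asset: WebAsset) -> timedelta:
    """Base scan interval for the asset's risk tier."""
    return timedelta(days=BASE_INTERVAL_DAYS[classify(asset)])


def next_scan_due(asset: WebAsset, last_scan: date, today: date, events=()) -> date:
    """Scheduled due date, pulled forward to today when a trigger event occurred."""
    if any(event in IMMEDIATE_TRIGGERS for event in events):
        return today
    return last_scan + scan_interval(asset)


def is_overdue(asset: WebAsset, last_scan: date, today: date, events=()) -> bool:
    """True when the asset should be scanned today (scheduled date reached or event-triggered)."""
    return next_scan_due(asset, last_scan, today, events) <= today


def build_queue(inventory, today: date):
    """Order work by due date, then by tier so mission-critical apps go first.

    inventory: list of (asset, last_scan, events) tuples.
    Returns a list of (due_date, asset_name) tuples.
    """
    queue = [
        (next_scan_due(asset, last_scan, today, events), asset)
        for asset, last_scan, events in inventory
    ]
    queue.sort(key=lambda item: (item[0], -classify(item[1]).value))
    return [(due, asset.name) for due, asset in queue]


if __name__ == "__main__":
    # Constructed sample inventory; these are not real systems.
    today = date(2024, 3, 15)
    inventory = [
        (WebAsset("corp-brochure"), date(2024, 3, 1), []),
        (WebAsset("support-portal", user_interaction=True), date(2024, 3, 1), ["exploit_in_the_wild"]),
        (WebAsset("payments", performs_financial_transactions=True), date(2024, 3, 13), ["deploy"]),
    ]
    for due, name in build_queue(inventory, today):
        status = "OVERDUE" if due <= today else "scheduled"
        print(f"{due}  {name:16s} {status}")
```

Run as a script, the sample inventory puts the payments application first (event-triggered and highest tier), the support portal next (event-triggered, lower tier), and the brochure site last on its regular 30-day cycle. The design keeps the cadence numbers in one table so they can be revised as the article advises, and treats events as overriding the schedule rather than adjusting it, which matches the "don't wait for the next scheduled scan" rule.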
Regular Scanning Reduces Your Risk of Exploitation
The most important thing to remember is that it only takes a single web application vulnerability to cause potentially untold harm to your business or to your customers. Combine that risk with a highly dynamic environment, and you have a situation that requires a continual state of vigilance.
For a security professional, this translates into the need to perform regular vulnerability scans. It’s better to scan too frequently than not frequently enough. The inconvenience of being proactive is less than the probable negative impact of being hacked. And the last thing you want to tell your customers is that your security procedures were too relaxed.
Reviewed by Zion3R on 1:59 PM