…the project of web application security will never be truly finished!
The sheer range of solutions for web application security and vulnerability assessment tools can be intimidating for CISOs, Development Managers, or basically, anyone dealing with vulnerable web applications.
Since many companies face the task of implementing a web application security tool, we put together a guide for tackling your "web app security" project using vulnerability scanning tools.
Some parts of this article might be more helpful to you than others, depending on your current security status and how much research you’ve already done. So let’s get to it.
Define the problem
As with many business issues, your first step is defining the pain point you’re having right now.
What harms your business? What do you want to improve? What could make your employees more productive?
There might be more than one factor that can be improved when it comes to web application security and vulnerability management, so you will have to look at your web application security status and audit every measure, tool, or process that’s already in place.
To find out what aspects the perfect modern, cloud-based vulnerability management platform should cover, you will need to ask the following questions:
- What are your most critical assets? What needs to be secured? (For example, SQL injection prevention)
- What kind of application do you operate? For example, do you want to scan an API, Single Page Application, or a multi-page website?
- Are you developing your own application, or is someone developing it for you?
- Which methods does your team use (e.g. Scrum)?
- What does your CI/CD pipeline look like, and where can a tool be integrated?
The result of this part should be a project plan for your web application security integration that contains all necessary steps towards entirely securing your business.
After that, you should recheck your current processes to find out what’s already in place and what items of your checklist you can tick off, to begin with.
Maybe you have a tool integrated that just doesn't cut it, or you are struggling with many different tools to secure your application. Have a look at your current testing process. Do you do manual penetration tests, and if yes, how many pentests are you doing per year? Whether these tests are done in-house or by an external agency, there is major savings potential here, for example just by using an automated tool that offers daily vulnerability scanning.
During this process, you might have already solved a few of the problems you’re facing, or you just added some more to your project plan. But, unfortunately, configuration compliance, regulatory compliance, and even compliance reporting often get overlooked in a fast-paced development environment.
Once you compare your actual security measures to the target state, it’s time to find a powerful tool that closes the gap and lets you cover a vast range of vulnerabilities, and fill your security holes.
Find your solution
Time to find the perfect solution for you. After making a list of all relevant solutions, you will face these questions to narrow it down to your tool of choice:
- How many scans are you planning to make?
- How many projects do you have?
- How many software developers are in your team?
- Do you want to do invasive or non-invasive scans?
- Do you need a tailored and comprehensive vulnerability scanner, or is a standardized tool enough for you?
- Do you want to scan your application continuously (e.g. every day, every week, after every deployment)?
- Do you want to automate your web application security? (Hint: You should!)
- What types of security vulnerabilities does it need to cover?
- Are there any remediation steps offered?
Ideally, your solution evaluation process also contains a phase in which you evaluate which tasks may be eliminated through the tool (or which new tasks are created). This should factor in your ROI calculation and the business case for a new tool as time savings. Moreover, you can use this list of tasks again during the implementation phase to ensure you realize the time savings after the implementation. If you need more input on the business case, read our blog about the ROI of web application security.
Additionally, you should check out this article for tips on choosing the right software.
Get into the vulnerability assessment tool
Next up, you should plan the implementation of the application vulnerability tool you chose. Appoint a project leader (if you haven't done that already) who supervises the process and ensures the plan is documented and monitored. I recommend someone who will stay involved with the issue for the long term, since the web application security project will never be truly finished.
Now, you will see whether you’ve done your audit and tool research properly. For some tools, the implementation will be easier than for others. Maybe there is additional support from your provider, or it just integrates perfectly into the tools you already use (e.g., creating tasks in JIRA, giving you Slack notifications, or sending out e-mail reports).
The implementation should be adjusted to how often and when you are deploying. While getting to know the tool, you can identify processes to automate and have your security status checked after every deployment to your test system.
In general, you should test the tool as much as you can and try every function available. Maybe you can find parts where you can improve your current processes and level of security, or get back to your provider to adjust the solution to your needs. In the best case, you chose a vulnerability assessment tool with a free trial, so you can try out as much as you like with no strings attached.
The final step at this stage is to review the initial business case. Now you know the tool by heart, can the numbers you defined before be achieved? Or are there savings areas that you didn’t take into account before?
Carry out the work
As described in the solution research phase, you now have your list of eliminated tasks. Your next step is to create an action plan on what needs to be done to realize the defined positive ROI as soon as possible.
Here are some questions to start the action plan:
- What new tasks does the solution create? – Define who does which job once vulnerabilities are found.
- What tasks will be eliminated? – Maybe you have an internal penetration tester that can focus more time teaching secure coding practices to fellow developers instead of manual testing to identify potential vulnerabilities.
- Who manages the application? – You need a Key User who knows the application inside and out and can guide all other users. The Key User should also delegate new tasks that aren't defined yet.
- Who does the remediation? – You could have a few developers remediating certain types of potential vulnerabilities to make them experts on these vulnerabilities, or you could have every developer correcting their own code to make them better at secure programming.
- How will the knowledge be transferred to future projects? – The project leader or key user should manage a knowledge base that your developers can use in their daily work. In the best case, such information is already provided with the tool.
- What if a breach still happens? – How will you quickly solve the problem and be open to your users and the public about it? How will you get back to your feet and regain your customers’ trust?
Read this article about data breaches for answers to these questions.
Our main suggestion for the work with a web application security solution: Learn from it! Most tools provide valuable feedback that developers can use to improve their secure coding practices for future projects. Maybe you can even get a workshop on these practices from your solution provider!
Make use of your new investment by telling your users about it. Make your enhanced security a part of your USP, and people will have more trust in your application than ever.
Monitor the outcome
After your new tool is implemented and everybody is working towards a more secure web application, the project should still not be finished. The project leader should keep this role and monitor whether or not the integration was successful. This also includes checking against the earlier defined business case and estimated savings.
The monitoring of your web application's security status could be something that is provided by the tool. For example, some vulnerability assessment tools have a well-designed dashboard that aggregates information about the vulnerabilities found. You may also be able to opt in to an e-mail report sent to you after every scan of your application.
This information should show how the new solution enhanced your security status and development team performance.
A few indicators of that enhancement could be changes in the following:
- Average criticality of your vulnerabilities
- Average time to fix a vulnerability
- Total time spent on security issues within your company
- The number of new vulnerabilities arising (per week, deployment, etc.)
Or generally speaking: How did your development team improve their secure coding practices?
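To make the indicators above comparable before and after the tool is introduced, they need to be computed the same way each time from the scanner's findings. The following is an added example (not code from the original article or from any particular scanner): it computes average criticality of open findings, average days to fix, and new findings per week from a constructed list of scan records, and assumes each record carries a severity score plus first-seen and fixed dates.

```python
from datetime import date, timedelta
from statistics import mean

# Constructed scan findings (not real data): one record per vulnerability,
# with a CVSS-style severity score and the dates it was first reported and fixed.
FINDINGS = [
    {"id": "V-1", "severity": 9.1, "first_seen": date(2023, 3, 1), "fixed": date(2023, 3, 15)},
    {"id": "V-2", "severity": 7.5, "first_seen": date(2023, 3, 2), "fixed": date(2023, 3, 5)},
    {"id": "V-3", "severity": 5.0, "first_seen": date(2023, 3, 9), "fixed": None},
    {"id": "V-4", "severity": 4.3, "first_seen": date(2023, 3, 16), "fixed": date(2023, 3, 18)},
    {"id": "V-5", "severity": 6.1, "first_seen": date(2023, 3, 20), "fixed": None},
]

def average_criticality(findings, as_of):
    """Mean severity of vulnerabilities still open on the given date."""
    open_scores = [f["severity"] for f in findings
                   if f["first_seen"] <= as_of and (f["fixed"] is None or f["fixed"] > as_of)]
    return round(mean(open_scores), 2) if open_scores else 0.0

def average_time_to_fix(findings, as_of):
    """Mean days from first report to fix, over vulnerabilities fixed by the given date."""
    durations = [(f["fixed"] - f["first_seen"]).days for f in findings
                 if f["fixed"] is not None and f["fixed"] <= as_of]
    return round(mean(durations), 2) if durations else None

def new_per_week(findings, start, end):
    """Newly reported vulnerabilities per 7-day bucket from start to end (inclusive)."""
    weeks = []
    bucket_start = start
    while bucket_start <= end:
        bucket_end = bucket_start + timedelta(days=6)
        count = sum(1 for f in findings if bucket_start <= f["first_seen"] <= bucket_end)
        weeks.append((bucket_start.isoformat(), count))
        bucket_start = bucket_end + timedelta(days=1)
    return weeks

def kpi_report(findings, as_of, weeks_back=4):
    """Bundle the indicators so two reports (before/after the tool) can be compared."""
    return {
        "avg_criticality_open": average_criticality(findings, as_of),
        "avg_days_to_fix": average_time_to_fix(findings, as_of),
        "new_per_week": new_per_week(findings, as_of - timedelta(days=7 * weeks_back - 1), as_of),
    }

if __name__ == "__main__":
    print(kpi_report(FINDINGS, date(2023, 3, 10)))  # "before" snapshot
    print(kpi_report(FINDINGS, date(2023, 3, 28)))  # "after" snapshot
```

Running the report at two dates and diffing the numbers gives the trend the article asks for; the total time spent on security issues has to come from your ticketing system rather than from scan data.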
You will see that implementing an automated web application security tool can give you a competitive advantage if it is well carried out.
At first sight, integrating a comprehensive vulnerability scanner might look overwhelming and can lead to a lot of confusion. Splitting the process into its different parts and planning each one out can make things more efficient and may lead you to the solution that's best for your company.
You haven’t thought about your vulnerability assessment at all?!
Do a quick scan of your website to start it off.