So you’ve read the reports outlining how important it is for developers and security teams to work together to build web applications quickly and securely, you’ve scoured the web and have researched the importance of building a web application program at your organization, perhaps even watched some videos talking about the evolution of web applications and how it impacts your security program. Now you feel ready to start scanning your organization’s web applications to find out what application security vulnerabilities may be leaving your organization exposed to attack. But first, you’ve got to give the development or IT operations teams a heads up. Unsurprisingly, they have some concerns:
- Will the scan take down the application?
- How will users in the application be affected?
- How long is the scan going to take?
As with many areas of information security, web application security testing often forces teams to balance good security with potentially negative impacts to the business. Scanning your production web apps regularly is important to ensuring you stay on top of your application risk, but not if that means your users and customers can’t access the application, or experience slowdowns when those scans are running.
Ideally, applications would be tested for security bugs during development and pre-production and subsequently released bug-free, but production application scanning has its place. Don’t wait to squash the beef—here are some tips to avoid any heated showdowns with development and operations:
- Sit down with the development or IT operations team (whoever monitors and maintains the production application) and take them through your plans: what you’re looking to accomplish, why it’s important, and what tools you plan to use. Be prepared to answer questions like those we posed earlier in this post.
- Coordinate with development and/or operations on timing scans to coincide with maintenance windows (when fewer users are active).
- Use blackout periods in your application scanner to ensure no scans are running during periods of high activity on the application. This will also give your Dev/Ops team some additional peace of mind.
- Consider how the different applications (and the operating systems and platforms they sit on top of) will react to different levels of scanning. With modern application scanning tools, you have the ability to create different scan profiles for different applications, or even create separate scans for high traffic periods; you could choose to just crawl the application rather than crawling and attacking it, for instance. Or, maybe restrict the scan to look for a very specific issue like SQL injection.
- Speed up scans by splitting the application up into multiple target areas, and scan them in parallel with multiple scanning engines.
Ultimately, great application security is a team effort that requires participation from and clear communication between security, development, and operations teams. Also, investing in the right application scanner with robust scheduling and scan configuration options will give you more options to leverage when negotiating your security testing plans with development.
Start scanning your production application safely today with a free, unrestricted 30-day trial of InsightAppSec.