Why Web Application Security Assessments Should Move Up Your To-Do List
Why is it important to get web application security assessments in addition to your annual penetration testing? Recent data shows a rising number of attackers are targeting the web application layer. The 2024 Verizon DBIR found that close to 1 in 10 data breaches were caused by a basic web app attack. With the dramatic increase in web application (web app) use, your organization may be running hundreds of web applications, any of which could have security gaps. So, how does a web application security assessment reduce your risk, and what should you expect from these tests? LMG Security’s CPO Dan Featherman shares the ins and outs of web application security assessments in this Q&A.
Question: What are web application security assessments and how are they different from a penetration test?
Answer: While penetration testing is a key component of cybersecurity, it is only part of the solution. External pen tests generally only extend to the surface level with web applications. Most organizations request network penetration tests and pen testers are not given credentials to web apps, so web application security assessments are generally not part of a standard pen test.
Our team likes to say that if the standard network penetration test is a mile wide and an inch deep, web application security assessments are an inch wide and a mile deep. With a web app assessment, the scope has a very narrow focus. Testers evaluate multiple levels of credentials and permissions. Web application security assessments dive deep into the application and API. They frequently reveal valuable data about security gaps in applications that can disclose PII, or vulnerabilities that can be used as a pivot point for hackers to enter a network. Our experienced team can pen test almost anything. While many clients don’t request the web app assessment individually or as part of their pen test, they should. With the rise in attacks at the web application level, we recommend that all customers using any type of web app should have a web application security assessment. You can also watch this video case study on how a web app assessment found unknown security gaps.
Question: When is the best time to get a web application security assessment?
Answer: Generally, most organizations have web application security assessments annually, or when there is a major change. Our team recommends a new test if any of the following occur:
- Creation of a new web app
- Major functionality changes to existing apps
- New integrations are added to existing apps
- When you implement Multi-Factor Authentication (MFA)
- You are one update cycle after a web application security test in which vulnerabilities are found – retesting is key to ensuring all gaps were successfully remediated
Web application security assessments are helpful both pre- and post-production. Many web applications use common libraries with underlying components that could have exploitable vulnerabilities like the infamous Log4j exploits (read our blog or watch our video for more details). Unfortunately, many web apps don’t get patched like traditional systems, and periodic web application security testing can help organizations uncover these security gaps.
Question: What common vulnerabilities do you find in these assessments?
Answer: The LMG Security team has done many, many hundreds of web application security assessments. Some concerning things that organizations may discover are cloud misconfigurations, leaked admin credentials, authentication issues, and exploitable API vulnerabilities. With web application use increasing over the last 5 years, our team feels these tests simply don’t get the attention they deserve. Web application security assessments provide a deeper dive into applications and APIs that can unearth critical security vulnerabilities. Here are a few examples:
- An authentication error can enable hackers to bypass authentication and extract Personally Identifiable Information (PII), Confidential Information (CI), and more.
- A simple misconfiguration could result in the compromise of administrative credentials or keys that enable hackers to access data or systems.
- With the proliferation of IoT and “smart” everything, you may have web applications hanging out on the Internet that you don’t even know about. We’ve seen everything from building HVAC systems and unsecured surveillance systems to APIs that returned healthcare data. The compromise of these applications could lead to hackers holding that physical facility, system, application, or even the organization’s data hostage.
The most common vulnerabilities are information disclosures, header and cookie misconfigurations, username enumeration, and lack of MFA, as well as cross-site scripting, cross-site resource sharing, and cross-site request forgery.
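One way to check for the header and cookie misconfigurations listed above, added here as an example rather than LMG Security's own tooling: it parses a constructed HTTP response and flags cookies without Secure, HttpOnly or a Lax/Strict SameSite, plus missing security headers. The required-header list and both sample responses are assumptions, not captures from any real site.

```python
from typing import Dict, List, Tuple

# Headers whose absence is a common assessment finding (assumed list).
REQUIRED_HEADERS = {
    "strict-transport-security": "missing HSTS: browser will not force HTTPS",
    "content-security-policy": "missing Content-Security-Policy: no XSS mitigation",
    "x-content-type-options": "missing X-Content-Type-Options: MIME sniffing allowed",
    "x-frame-options": "missing X-Frame-Options: page can be framed (clickjacking)",
}

def parse_headers(raw: str) -> List[Tuple[str, str]]:
    """Return (lowercase name, value) pairs, skipping the status line."""
    pairs = []
    for line in raw.splitlines()[1:]:
        if not line.strip():
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs

def audit_cookie(set_cookie: str) -> List[str]:
    """Flag a Set-Cookie value lacking Secure, HttpOnly or SameSite=Lax/Strict."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs: Dict[str, str] = {}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        attrs[key.lower()] = val
    findings = []
    if "secure" not in attrs:
        findings.append(f"cookie {name}: missing Secure (may be sent over plain HTTP)")
    if "httponly" not in attrs:
        findings.append(f"cookie {name}: missing HttpOnly (readable by script after XSS)")
    if attrs.get("samesite", "").lower() not in ("lax", "strict"):
        findings.append(f"cookie {name}: SameSite not Lax/Strict (CSRF exposure)")
    return findings

def audit_response(raw: str) -> List[str]:
    """Combine header-presence and per-cookie findings for one response."""
    headers = parse_headers(raw)
    present = {n for n, _ in headers}
    findings = [msg for name, msg in REQUIRED_HEADERS.items() if name not in present]
    for name, value in headers:
        if name == "set-cookie":
            findings.extend(audit_cookie(value))
    return findings

# Constructed sample responses: a weak one and its hardened counterpart.
WEAK_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html
Set-Cookie: session=abc123; Path=/
Set-Cookie: pref=dark; Path=/; SameSite=None; Secure
"""
HARDENED_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Security-Policy: default-src 'self'
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
Set-Cookie: session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax
"""

if __name__ == "__main__":
    for finding in audit_response(WEAK_RESPONSE):
        print("FINDING:", finding)
```

Run against a saved response from your own QA environment to see which findings a tester would report before the formal assessment.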
Question: What is LMG Security’s Web Application Security Assessment Methodology?
Answer: We created our web application security assessment program to evaluate all the OWASP Top 10 Web Application Security Risks. These are the core foundational components of our testing, and we use the annual OWASP vulnerability findings extensively. We test for 9 risks directly, and our team communicates with your internal team about flagging and alerting, the 10th item. Since flagging and alerting occurs during the test, you can use this information to evaluate whether you have sufficient logging and monitoring. If you have any questions, we are here to help! Finally, we generally prefer to test in QA if QA and production are separated. This helps to avoid unintended denial-of-service. Keep in mind that we can customize any of our testing services to meet your unique needs.
For more detailed information on web application security assessments, contact our friendly service team.