Web Application Security
How many externally facing Web Applications do you have ? How do you know ?
What about internal ? Again how do you know?
Whenever we have engaged with a company to answer that question the answer is almost invariably far larger than anyone suspected. Who owns those additional Web Applications and what are they doing ?
If you’re in the fortunate position of having this all checked for you last week, then what about this week? Or next ?
By their definition Web Applications are there to provide a portal to information for their customers. You need to ensure that only approved Applications are live and that they are not giving away your Company Secrets by poor configuration or classic programming errors which give a malicious actor access.
To understand your Web Application deployment and to have confidence that they are not giving out more info than they should you need an automated and scalable solution. Qualys’ Web Application Security suite provides exactly that and can be configured with confidence with Cog Security’s expertise.
But what if you already use Penetration Test companies ? You don’t need this service ? Well it’s likely that you do. Penetration Test companies do a great job on focusing on a single Web Application and using all their tools and experience to discover and report on issues within that Application. They are not normally tasked with the other hundred (or more) applications which are considered less of a “problem”. It is likely that one of those other Applications will be targeted by a malicious actor and used to exfiltrate information or deny use of the service. For this reason you need to understand the security posture of every application you have and where they are.
This presents a resource issue. Who has time to maintain this kind of focus on Web Application Security ? There is one answer. Automation. Use the automation of Qualys’ Web Application Scanning service to automatically find and prioritise Web Application and their Security Posture. Each scanned Application is exercised in real time to expose inherent vulnerabilities. In addition use the built-in Reporting to understand what needs fixing in order to remove the vulnerability.
If you also use Qualys’ Vulnerability Management product then this can find your Web Applications without any additional scanning. Ask Cog Security for more information on how to do this.