
DevSecOps: How WAF and Application Security Scanning Fit In

Posted: August 16, 2019
3 min read

While organizations are increasingly aware of security and of the impact unpatched vulnerabilities could have on their business, security practice is still nascent in many organizations, even those with mature development processes. Automated tests are essential in the Agile, CI/CD world, where deployment cadence and confidence in a deployment depend heavily on the quality of the tests. In this context, how good is your automated application security testing?

Security Risk Assessment: Scanning & PT

Dynamic scanning tools, like web application scanners (WAS), are used in the QA, staging/pre-deployment, and production environments. A web application scanner probes for vulnerabilities from the outside, as an attacker would, and should be an indispensable part of the DevSecOps (DevOps with security awareness) process. Manual pen testing detects issues in business logic and complex workflows that automated tools struggle with, and needs to be done to ensure maximum coverage.

Some of the essential features for a WAS to be part of DevSecOps, beyond the obvious ones like coverage and depth, are:

  • Consistency of findings
  • The ability to run a subset of tests or scans. This is useful where organizations need to focus on the most critical issues, in a “bug bash” scenario, and when quicker results are required.
  • Verifying fixes by rerunning very specific tests (security regression)
  • Automating re-testing of much of what manual pen testing finds
  • Integration with the tooling that already exists.

App Security Risk Protection/Mitigation: WAF

DevSecOps also deals with mitigation, i.e. how to protect against vulnerabilities found in production or post-deployment. This is done through security solutions at various points on the path from the user to the application, such as edge firewalls, Web Application Firewalls (WAF), or agents inside the application. Web Application Firewalls inspect and filter layer 7 (HTTP/HTTPS) traffic to protect web applications from malicious traffic, including attempts to exploit the vulnerabilities reported by WAS, and from DDoS attacks.

A WAF not only gives breathing space for fixing known vulnerabilities found by scanning and other tests, but also protects against vulnerabilities that are found only by attackers in production. For organizations with multiple applications, the same vulnerability will likely exist in many sister sites, and scrambling to fix, test, and deploy under the gun is not pleasant.

A WAF detects and blocks attacks at the edge and, even when no pre-existing protection is available, custom protection, once written, protects all the sites behind the WAF. In fact, integrating the WAS results with the WAF allows speedy, automatable, targeted protection for known issues.
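One way to turn scanner findings into narrowly scoped WAF rules (virtual patches), as an added example that is not Indusface code or any vendor's rule format; the finding fields, the expected-shape table and the sample requests are constructed assumptions:

```python
import re
from dataclasses import dataclass
from urllib.parse import urlsplit, parse_qs

# Constructed sample of exported scanner (WAS) findings. The field names are an
# assumption for this example, not any vendor's real export schema.
FINDINGS = [
    {"id": "F-1", "class": "sqli", "method": "GET", "path": "/products", "param": "id"},
    {"id": "F-2", "class": "xss", "method": "GET", "path": "/search", "param": "q"},
]

# Positive (allow-list) shape of the parameter per vulnerability class. The rule
# blocks anything outside the expected shape instead of chasing payload signatures.
EXPECTED_SHAPE = {
    "sqli": re.compile(r"\d{1,10}"),          # numeric identifier only
    "xss": re.compile(r"[\w .,\-]{0,100}"),   # plain search words, no markup
}


@dataclass(frozen=True)
class VirtualPatch:
    finding_id: str
    method: str
    path: str
    param: str
    shape: re.Pattern


def build_patches(findings):
    """Turn each scanner finding into one WAF rule scoped to that finding alone."""
    return [
        VirtualPatch(f["id"], f["method"], f["path"], f["param"], EXPECTED_SHAPE[f["class"]])
        for f in findings
    ]


def evaluate(patches, method, url):
    """Return ("block", finding_id) if a patch fires, else ("allow", None).

    A patch only inspects its own method, path and parameter, so traffic to the
    rest of the site is untouched and any false positive stays contained.
    """
    parts = urlsplit(url)
    query = parse_qs(parts.query, keep_blank_values=True)
    for patch in patches:
        if patch.method != method or patch.path != parts.path:
            continue
        for value in query.get(patch.param, []):
            if not patch.shape.fullmatch(value):
                return ("block", patch.finding_id)
    return ("allow", None)
```

Because each rule is keyed to the finding id, the same rule set can be pushed to every site behind the WAF and retired once the security regression test for that finding passes.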

The above also illustrates why security testing only in the development lifecycle is not sufficient: new vulnerabilities and ways to exploit them are being discovered all the time. These may even be in third-party components or frameworks that the application uses, e.g. the recent Apache Struts vulnerabilities.

A segue

A pet peeve: I read a few blogs about dynamic languages and memory leaks and memory bloat, where they talked about how an app only needs to be stable for the longest deployment window, which is shrinking, btw! Of course, I can see it from the business pov, since these issues are typically very onerous and time-consuming to chase down and fix, and the temporary solution of increasing resources works. All of us have taken calls like this at various times, but it makes you wonder how many other such decisions are taken in projects under time pressure.

Finally

Organizations that are just starting down the automated testing path are probably getting QA to do some security testing. Even here there is immense value in running automated scanners periodically and having server-side protection like a WAF, with the added bonus that the solution is ready to become part of automated testing and CI when the organization is ready.

Continuous deployment with security is where everyone is moving towards, and Indusface WAS and WAF can help you on that journey.


Karthik Krishnamoorthy

Karthik Krishnamoorthy is a senior software professional with 28 years of experience in leadership and individual contributor roles in software development and security. He is currently the Chief Technology Officer at Indusface, where he is responsible for the company's technology strategy and product development. Previously, as Chief Architect, Karthik built the cutting-edge, intelligent Indusface web application scanning solution. Prior to joining Indusface, Karthik was a Datacenter Software Architect at McAfee (Intel Security), and a Storage Security Software Architect at Intel Corporation in the endpoint storage security team, developing security technology in the Windows kernel-mode storage driver. Before that, Karthik was the Director of Deep Security Labs at Trend Micro, where he led the Vulnerability Research team for the Deep Security product line, a Host-Based Intrusion Prevention System (HIPS). Karthik started his career as a Senior Software Developer at various companies in Ottawa, Canada, including Cognos, Entrust, Bigwords and Corel. He holds a Master of Computer Science degree from Savitribai Phule Pune University and a Bachelor of Computer Science degree from Fergusson College. He also holds various certifications, such as in machine learning from Coursera and AWS, from 2014.
