The rush of custom applications to the cloud has changed more than just the platforms and threat environments of in-house developed software. Increased exposure has raised the stakes and made more organizations willing to test and remediate during development -- a la DevOps. That doesn't do anything to address the thousands of apps already online and potentially vulnerable, however.
Attacks on web apps were responsible for 41% of confirmed data breaches during 2015, according to the 2016 Verizon DBIR. In the financial services sector, web app attacks rose from 31% of the total number of successful attacks to 81% highlighting, the report said, the increasingly large-scale, commercial criminal motivation behind the attacks. Modern scanners, with up-to-date lists of XSS, SQL injection and other exploits, are designed to identify problems, show the specifics and the location to human operators. By testing for known or likely vulnerabilities in web apps -- and scanning a large number of them in a relatively short time -- modern web scanners are able to highlight areas likely to be vulnerable to exploitation, demonstrate the potential flaw with copies of the actual weak points and demonstrate their results by auto-testing suspected vulnerabilities. Their speed and automation can also make them a valuable part of a multilayer vulnerability scanning and monitoring program.
Click Here to view the associated whitepaper written by SANS Analyst and network security expert Barbara Filkins.