IT security teams in global enterprises face significant challenges in application security scanning that create the need for application scanners to deliver a scalable solution that is capable of assessing today’s applications. At NT OBJECTives, most of the organizations we talk to and work with are some of the largest organizations in the world. They are dealing with tremendous challenges from numerous applications and limited resources to ever changing technology. Let’s examine the three key challenges many of our customers face.
1. Complex Applications, New Technologies
One of the primary challenges in application security testing today is the complexity of modern applications.
“The surface of attacks targeting applications and data has expanded from Web into mobile and cloud systems. Rapid adoption of detection and protection concepts and technologies is critical for all enterprises.”
Section from Gartner other report on market state
Hype Cycle for Application Security 2013, July 25, 2013
Today’s applications are written in different technologies and those technologies are constantly changing and evolving. In the early 2000’s, most applications were simple HTML applications. Now with Rich Internet Applications (RIA’s), mobile and cloud applications, we have a host of new technologies used in applications. These technologies include everything from AJAX and Google Web Toolkit to REST and JSON.
Most application scanners have fallen behind the innovation curve and can no longer automatically or accurately assess applications that include these technologies, leaving enterprises vulnerable.
Scanners were historically based on their ability to crawl an application in order to understand it and they were able to crawl HTML, but this is no longer the case. A new architecture and approach is required for these newer technologies. From what I can tell, NTOSpider is the only that has been modernized to address today’s applications. Be sure to examine your application security scanner carefully to determine if it’s covering the newer technologies. To read more about dynamic application security tool coverage of new technologies, please check out our white paper, “Is Your Scanner Like the Emperors New Clothes?”.
2. Enterprise Scalability & Automation
Compounding this issue of the complexity of applications is the sheer volume of them. Today’s enterprise security teams are faced with the enormous challenge of securing hundreds or thousands of applications, built in a variety of technologies with small security teams.
In order to effectively secure that many applications, security teams require a high-level of sophisticated automation. We often refer to the breadth of scanner coverage – is it covering this AJAX corner of the application, or that complex business workflow.
Considering Application Security Scanner Coverage
Application scanner coverage is the percentage of an application that a scanner can automatically understand and test. As an application scanner’s coverage of applications increases, costs for scanning all of the organizations application’s decreases. In order to achieve maximum scalability, organizations should use maximum automation. Maximum automation is derived from maximum application coverage by a scanner. There aren’t any application scanners that can scan 100% of a complex application because they will always require some testing by hand for certain business and application logic functions. However, scanners should be able to achieve maximum coverage of a complex application. Roughly 80% of a security test, even on a complex application, is capable of being automated.
For this discussion, I’m using a sample organization that has 80 standard applications and 20 complex applications. The potential cost savings of using an application scanner with maximum coverage available (80%) would be about $228,000 or 1520 man hours per scan cycle. Many organizations do quarterly cycles, so this can result in a savings of approximately $1m per year. The following tables and graphs demonstrate the business case for maximum automation.
Cost Savings Driven by a Highly Automated Scanner for 20 Complex Applications
The table below details the time and cost savings realized with improved automation (scanner coverage) for one cycle of testing for the 20 complex applications. Using this rough estimation technique, you can see that an organization can save $80,000 in one testing cycle where 20 complex applications are tested one time.
For the purposes of this example, I am estimating the cost per pen test hour at $150 and estimating the man hours required to complete a scan based on the coverage the application scanner can provide and the complexity of the application. The estimated total man hours required for testing the applications is multiplied by the $150 to get the cost for the apps for each row.
The following table demonstrates how total security testing costs decrease for 20 complex applications as the application security scanner’s % coverage of the application increases.
Note: The column called, “Man hours required to complete a scan” refers to the total number of human hours required to assess an application including: configuration time, pen testing time, vulnerability review and validation time, etc.
So, if we look at the same cost savings for 20 complex applications in a graph, we can see that as scanner automation improves, costs decrease.
Cost Savings Driven by a Highly Automated Scanner for 80 Standard Applications
So, does the same logic hold true for more standard applications that are less complex? This table details the time and cost savings realized with improved automation for 80 standard applications over one test cycle. Again, using this rough estimation technique an organization can save $72,000 in one testing cycle where 80 standard applications are tested one time.
Again, looking at it in a graph format, you can see that as scanner automation improves, costs for testing 80 standard applications decreases. With 50% coverage, the applications will cost around $120,000 to test, but with 90% coverage, the costs decrease to less than $20,000.
Cost Savings Driven by a Highly Automated Scanner for 100 Mixed Complexity Applications
So, when you look at all 100 applications of mixed complexity, again we see that as scanner coverage increases, man hours and therefore overall costs, also decrease.
And the graph demonstrates that an organization can save almost $200,000 by testing all 100 of their applications one time with maximum automation as opposed to 50%.
3. Scalability with Cost Control
A third major issue is that most of these organizations are building world class application security programs to address thousands of web and mobile applications with limited financial and human resources in a race against ever increasing threats. This challenge requires them to find highly automated and distributed application scanning solutions while effectively using resources to control costs.
But controlling costs is difficult. The smartest solution is one that combines the most accurate and automated web application vulnerability scanning with the benefits of elastic computing in the cloud to provide a sophisticated and scalable solution that effectively controls costs while conducting automatic vulnerability detection for even the most complex applications. Our scalable, elastic solution leverages NTOEnterprise and enables the largest global enterprises to provide their own application security assessment shared services to their customers or different divisions around the world.
A highly sophisticated and automated solution combined with elastic computing enables global organizations to easily expand and contract resources based on their scanning demand.
At NT OBJECTives, we have always strived to maximize automation. We find that many of the largest organizations in the world choose us because the complexity of their application security program necessitates sophisticated automation, maximum application coverage and scalability. For more information about how we solve these problems, please visit us at www.ntobjectives.com or request that we contact you by filling out this short form.