• Skip to primary navigation
  • Skip to main content
  • Skip to primary sidebar
  • Skip to footer

TechLila

Bleeding Edge, Always

  • Home
  • About
  • Contact
  • Deals and Offers
Techlila Logo
Share
Tweet
Share
Pin
2 Shares
Virtual Reality vs Augmented Reality
Up Next

Virtual Reality vs Augmented Reality - Let's Dig Deeper!

Testing

TechLila Internet

Testing Isn’t Enough: The Need for RASP

Avatar of John Hannah John Hannah
Last updated on: June 5, 2020

Many organizations are relying on legacy vulnerability management practices to protect their applications. In many cases, the belief is that white box testing, with its ability to scan an application’s source code for known vulnerabilities, is enough to ensure that production code is free of exploitable bugs.

However, vulnerability testing, whether white box, black box, or gray box, has its limitations. As a result, the average web application in production use contains a number of vulnerabilities that put the organization and its customers at risk. A new approach to vulnerability management, which augments vulnerability testing in development with real-time protection in production, is necessary to secure web applications against exploitation.

The Limitations of Vulnerability Testing

Website security is increasingly a priority for applications. In fact, many organizations are talking about transitioning from DevOps to DevSecOps practices. A crucial part of this process is integrating security testing into development practices. In theory, this integration would decrease the number of vulnerabilities in applications that reach production.

Despite these efforts to add testing to developers’ workflows, vulnerabilities are still slipping through the cracks. In fact, in 2019, the average web application in production use contained 22 vulnerabilities.

Not all of these missed vulnerabilities are caused by a failure to embed good security testing in an organization’s development processes. Traditional application security practices, including white box testing, have their limitations.

Software Complexity

One of the biggest contributors to missed vulnerabilities in web applications is the complexity of the application code. The average web application includes approximately 1,000 third-party libraries and dependencies. These dependencies pose a significant security risk to an application since it inherits the vulnerabilities of any functions that it imports from third-party libraries.

This use of third-party code becomes a serious problem if an organization is relying upon white box testing for vulnerability detection. In many cases, these tests are focused only on the code developed in-house, not the external libraries that the code depends upon. A vulnerability in third-party code may be invisible to the testing team but leave the application open to exploitation.

These third-party vulnerabilities can be addressed (to an extent) by applying all available security patches and updates for third-party code used within an application. However, the sheer number of external dependencies used by the average web application makes it unlikely that a development team has complete visibility into its applications’ dependency trees, let alone the patch status of each library.

Developer Knowledge

Exacerbating the challenges of vulnerability management in web applications is the fact that most developers do not receive specialized security training. In general, training for developers is focused on learning the languages, platforms, processes and tools needed to create the applications that their organization requires rather than how to secure these applications.

This lack of developer training makes it extremely difficult for developers to identify and correct vulnerabilities within the code that they create. If a developer is responsible for writing test cases, the only security test cases that exist are the ones that they know how to write or that are available by default in the organization’s application security tools (if any exist). As a result, the same types of vulnerabilities (cross-site scripting, buffer overflows, etc.) continue to appear in web applications, making them easy for cybercriminals to exploit.

Velocity of Code Updates

In the past, many organizations used legacy code development practices. Processes like Waterfall built applications as a single, monolithic program. As a result, these applications had long development timelines and were infrequently updated. Now organizations are adopting modern development processes, such as Agile, Scrum, and DevOps. Under these processes, code is modularized, enabling pieces to be developed and updated more quickly. Some organizations that have adopted DevOps create new releases on a daily basis or even more quickly.

These rapid development cycles make it necessary to accelerate the pace of security testing as well. If an organization does not have mature DevSecOps practices in place, with robust and automated application security testing, it may be impossible to perform comprehensive security testing within these accelerated software release cycles. In most cases, when security and release dates are in conflict, it isn’t the release deadline that the development team sacrifices.

Managing Vulnerabilities in Production

Despite the best of intentions, most organizations are not prepared to embrace DevSecOps practices. These practices require integration and automation of robust application security testing into a development team’s continuous integration and testing workflow.

As a result, production code will contain vulnerabilities. Attempting to manage these vulnerabilities through legacy practices, such as manual patch creation and application, is an unscalable approach to security. Organizations are relying on ever-increasing numbers of applications – containing growing dependency lists – making it far too easy to overlook a critical vulnerability or update.

While attempting to correct vulnerabilities in development is important, organizations must also accept and prepare for the fact that production code will contain exploitable vulnerabilities. Runtime application self-protection (RASP) helps to address these issues by integrating security monitoring into a potentially vulnerable application.

If the inputs, outputs, or behavior of the application becomes anomalous, the RASP solution can take action to alert the security team of a potential attack or to block it altogether. This ability to perform “virtual patching” of an application based upon deep insight into its inner workings enables it to protect an application against exploitation of the vulnerabilities missed during testing.

Share
Tweet
Share
Pin
2 Shares

Disclosure: Content published on TechLila is reader-supported. We may receive a commission for purchases made through our affiliate links at no extra cost to you. Read our Disclaimer page to know more about our funding, editorial policies, and ways to support us.

Sharing is Caring

Share
Tweet
Share
Pin
2 Shares
Avatar of John Hannah

John Hannah

    John Hannah is a part-time blogger. He likes to travel a lot.

    Category

    • Internet

    Reader Interactions

    No Comments Logo

    Leave a comment

    Have something to say about this article? Add your comment and start the discussion.

    Add Your Comment Cancel reply

    Your email address will not be published. Required fields are marked *

    Primary Sidebar

    Popular

    How to Increase Broadband Speed on Windows

    10 Best Android Launchers of 2021

    Things to Do After Installing Windows 10 – Windows 10 Tips and Tricks

    Top 10 Search Engines You Can Use to Search the Web Privately

    55 Interesting Computer Facts That Will Blow Your Mind

    What to Look for When Buying a Laptop – A Laptop Buying Guide

    Fusion Drive Vs SSD – Things Nobody Tells you About Fusion vs SSD Storage

    Useful Tools

    • Grammarly – Free Grammar Checker
    • SEMrush – The Best SEO Tool Trusted by Experts
    • Setapp – One-stop subscription for Mac and iOS

    Trending Topics

    • Android
    • Internet
    • iPhone
    • Linux
    • Macintosh
    • Security
    • Social Media
    • Technology
    • Windows

    Worth Checking

    10 Best Sound Equalizer for Windows 10 (2022 Edition!)

    14 Best VLC Skins that are Highly Recommended and Free

    Footer Logo Footer Text Logo

    Footer

    About

    Hello and welcome to TechLila, the famous technology blog where you can find resourceful articles for mastering the basics and beyond.

    At TechLila, our main goal is to provide unique information, such as quality tips and tricks, tutorials, how-to guides on Windows, Macintosh, Linux, Android, iPhone, Security and a few miscellaneous sub-topics such as reviews.

    Links

    • About
    • Contact Us
    • Disclaimer
    • Privacy Policy
    • Terms

    Follow

    Custom Theme Using Genesis Framework

    Cloud hosting by Cloudways

    Language

    en English
    bg Българскиzh-CN 简体中文nl Nederlandsen Englishtl Filipinofr Françaisde Deutschid Bahasa Indonesiait Italianoja 日本語pl Polskipt Portuguêsro Românăru Русскийsr Српски језикes Españolsv Svenskatr Türkçeuk Українськаvi Tiếng Việt

    © Copyright  2012–2023 TechLila. All Rights Reserved.