Scaling-Up & Automating Web Application Security
Ferruh Mavituna, CEO, Netsparker
Scaling-Up and Automating Web Application Security
Discover
Discover & Prioritize
• Public Websites
  • Mission Critical
  • Temporary (i.e. short-term marketing websites)
  • Managed by a 3rd party
• Internal Websites
  • Mission Critical
  • Developed in house
  • Developed by a 3rd party
  • Hardware Management Interfaces
• Staging Websites
  • Actively Developed
  • 3rd party & will be deployed
Discover & Prioritize
• Process
  • Internal asset management
  • Introducing a process & policy
• Automated Discovery
  • Effectively smart “port scanning”: sweeping your own address space for anything that answers HTTP(S)
Identify
Identify Vulnerabilities
• Configuration Issues
  • TLS, web server, unnecessary features…
• Known Vulnerabilities and Out-of-date Dependencies
  • Known vulnerabilities in known applications and dependencies
  • Out-of-date JS libraries, modules, dependencies, frameworks…
• Unknown Vulnerabilities (zero-days)
  • SQL Injection, CSRF, XSS, LFI, RFI and similar flaws in your own code, which no signature database knows about yet
• Lack of Security Best Practice and Proactive Measures
  • CSP, HSTS, information disclosure, insecure endpoints, leaking data to 3rd-party resources, etc.
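The last category on this slide is the easiest one to check mechanically, because it is a property of a single response. The script below is an added example (not code from the talk or from Netsparker) that audits one captured response for the proactive measures listed here and for version disclosure in headers; the two sample responses and the one-year HSTS minimum are constructed assumptions for the demonstration.

```python
"""Audit a captured HTTP response for missing proactive measures (HSTS, CSP,
nosniff, clickjacking protection) and for version disclosure in headers.
Added example, not from the talk; the sample responses are constructed."""
from typing import Dict, List, Optional

# Headers whose values commonly leak product versions.
DISCLOSURE_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-aspnetmvc-version")
ONE_YEAR = 31536000  # HSTS max-age floor used here (assumption for the demo)


def _hsts_max_age(value: str) -> Optional[int]:
    """Extract max-age from a Strict-Transport-Security value, None if malformed."""
    for part in value.split(";"):
        part = part.strip()
        if part.lower().startswith("max-age="):
            try:
                return int(part.split("=", 1)[1].strip().strip('"'))
            except ValueError:
                return None
    return None


def _parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a Content-Security-Policy into {directive: [sources]}."""
    directives: Dict[str, List[str]] = {}
    for directive in value.split(";"):
        tokens = directive.strip().split()
        if tokens:
            directives[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return directives


def audit_headers(headers: Dict[str, str], is_https: bool = True) -> List[str]:
    """Return finding identifiers for one response. Header names are matched
    case-insensitively, as HTTP requires."""
    h = {k.lower(): v for k, v in headers.items()}
    findings: List[str] = []

    if is_https:  # browsers ignore HSTS received over plain HTTP, so only check TLS responses
        hsts = h.get("strict-transport-security")
        if hsts is None:
            findings.append("missing-hsts")
        else:
            max_age = _hsts_max_age(hsts)
            if max_age is None or max_age < ONE_YEAR:
                findings.append("weak-hsts-max-age")

    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("missing-csp")
    else:
        directives = _parse_csp(csp)
        # Without script-src or a default-src fallback the policy does nothing for XSS.
        if "script-src" not in directives and "default-src" not in directives:
            findings.append("csp-no-script-restriction")
        for name in ("script-src", "default-src"):
            sources = directives.get(name, [])
            if "'unsafe-inline'" in sources or "*" in sources:
                findings.append(f"csp-permissive-{name}")

    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("missing-x-content-type-options")
    if "x-frame-options" not in h and "frame-ancestors" not in (csp or "").lower():
        findings.append("missing-clickjacking-protection")

    for name in DISCLOSURE_HEADERS:
        value = h.get(name, "")
        # A bare product name is routine; a version number is the disclosure.
        if any(ch.isdigit() for ch in value):
            findings.append(f"version-disclosure-{name}")
    return findings


# Constructed sample responses (not captured from any real site).
WEAK_RESPONSE = {
    "Server": "Apache/2.4.29 (Ubuntu)",
    "X-Powered-By": "PHP/7.2.24",
    "Content-Type": "text/html; charset=utf-8",
    "Content-Security-Policy": "default-src 'self' 'unsafe-inline' https:",
}
HARDENED_RESPONSE = {
    "Server": "Apache",
    "Content-Type": "text/html; charset=utf-8",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
}

if __name__ == "__main__":
    for label, resp in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_headers(resp))
```

The check is deliberately per-response: run it over every page a crawler fetched and the same misconfiguration will show up hundreds of times, which is exactly the "correlating results" problem the post-scan slide raises, so in practice findings of this kind are grouped per host before they are reported.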
Automate
Automation
• Automation excels at
  • Scaling
  • Being consistent
  • Enforcing checks
  • Finding the majority of vulnerabilities
  • Eliminating human error in repeated checks
• Limitations of automation
  • Logical issues (business-logic flaws)
  • Highly design-specific & platform-specific issues
  • Discovering all the flows & processes in a website
“Automate what can be automated”
Automation Challenges
Pre-scan Challenges
• Authenticated Scans (logging in and keeping the session alive for the whole scan)
• URL Rewrite (recognising which path segments are really parameters)
• Custom 404 Pages (every unknown URL answers 200 with an error page)
• Form Values (inputs that must pass validation before the code behind them is reached)
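Custom 404 pages are the pre-scan challenge that most often wrecks an unattended scan: the crawler asks for paths that do not exist, gets a friendly page with status 200, and records thousands of phantom resources. The usual fix is to learn what "not found" looks like before crawling. The code below is an added example (not code from the talk or from Netsparker) of that baseline step, run against a constructed fake site; the random-path probing, the body normalisation and the similarity threshold are the author's own choices for the demo.

```python
"""Detect a site's custom 'not found' page so a crawler can tell a soft 404
(an error page served with status 200) from a real resource.
Added example, not from the talk; the fake site below is constructed."""
import difflib
import secrets
from typing import Callable, Dict, Tuple

Fetcher = Callable[[str], Tuple[int, str]]  # path -> (status, body)


def _normalise(body: str, path: str) -> str:
    """Strip the requested path from the body: many error pages echo it,
    which would otherwise make two not-found responses look different."""
    return body.replace(path, "") if len(path) > 1 else body


def build_not_found_baseline(fetch: Fetcher, samples: int = 3) -> Dict:
    """Request a few random paths that cannot exist and record how the site
    answers: the status codes used and a reference body to compare against."""
    responses = []
    for _ in range(samples):
        path = "/" + secrets.token_hex(8)
        status, body = fetch(path)
        responses.append((status, _normalise(body, path)))
    bodies = [b for _, b in responses]
    # Similarity between the random responses measures how stable the error
    # page is; dynamic parts (timestamps, nonces) lower it, so the threshold
    # is derived from the observed minimum rather than fixed.
    sims = [difflib.SequenceMatcher(None, bodies[i], bodies[j]).ratio()
            for i in range(len(bodies)) for j in range(i + 1, len(bodies))]
    return {
        "statuses": {s for s, _ in responses},
        "reference": bodies[0],
        "threshold": (min(sims) if sims else 1.0) * 0.95,
    }


def is_not_found(baseline: Dict, path: str, status: int, body: str) -> bool:
    """True if the response should be treated as 'not found' even when the
    server answered 200."""
    if status == 404:
        return True
    if status not in baseline["statuses"]:
        return False
    ratio = difflib.SequenceMatcher(
        None, baseline["reference"], _normalise(body, path)).ratio()
    return ratio >= baseline["threshold"]


# Constructed stand-in for a site that answers 200 for everything.
REAL_PAGES = {
    "/": "<html><title>Shop</title><body><h1>Welcome to the shop</h1>"
         "<ul><li>Widget</li><li>Gadget</li></ul></body></html>",
    "/login": "<html><title>Shop</title><body><form action=\"/login\" method=\"post\">"
              "<input name=\"user\"><input name=\"pass\" type=\"password\">"
              "<button>Sign in</button></form></body></html>",
}


def fake_site(path: str) -> Tuple[int, str]:
    if path in REAL_PAGES:
        return 200, REAL_PAGES[path]
    # Custom error page: status 200, and it echoes the requested path.
    return 200, (f"<html><title>Shop</title><body><h1>Oops</h1>"
                 f"<p>Nothing at {path}</p></body></html>")


if __name__ == "__main__":
    baseline = build_not_found_baseline(fake_site)
    for p in ("/", "/login", "/admin", "/backup.zip"):
        status, body = fake_site(p)
        print(p, status, "soft-404" if is_not_found(baseline, p, status, body) else "real")
```

A scanner has to repeat this per directory, not just per host, because applications commonly serve one error page at the root and another from a sub-application or a different framework under `/api/`.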
Post-scan Challenges
• False Positives
• Correlating Results
• Hot-patching vulnerabilities at the WAF level
10,000 Issues have been identified, Now what?
• How many of the identified vulnerabilities are real?
• What’s the real risk?
• How long would it take to review all vulnerabilities to see which are False Positives?
• What kind of technical expertise do you need to accomplish this?
“Automation without accuracy cannot scale”
Elimination of False Positives
• How is it done manually?
• Can it be automated?
“If it’s exploitable it cannot be a false positive”
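The manual way to eliminate a false positive is to exploit the finding: a tester who can make the database return something of their choosing has settled the question. The script below is an added example (not code from the talk or from Netsparker) of automating that step for SQL injection. It contrasts a heuristic check, which fires on both a vulnerable and a safe endpoint, with a proof that reports only when a random marker it injected comes back. The two endpoints, the SQLite table and the UNION payload are constructed for the demonstration.

```python
"""Tell a heuristic SQL injection signal from a proven one. The proof works
by exploiting the flaw harmlessly: a UNION payload asks the database to return
a random marker, and the finding is reported only if that marker comes back.
Added example, not from the talk; both endpoints and the data are constructed."""
import secrets
import sqlite3
from typing import Callable, List

Endpoint = Callable[[str], List[str]]


def _demo_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id TEXT, name TEXT)")
    conn.executemany("INSERT INTO products VALUES (?, ?)",
                     [("1", "Widget"), ("2", "Gadget")])
    return conn


CONN = _demo_db()


def vulnerable_lookup(product_id: str) -> List[str]:
    """Deliberately injectable: the parameter is concatenated into the SQL."""
    rows = CONN.execute(
        f"SELECT name FROM products WHERE id = '{product_id}'").fetchall()
    return [r[0] for r in rows]


def safe_lookup(product_id: str) -> List[str]:
    """Parameterised: the same input can only ever be data."""
    rows = CONN.execute(
        "SELECT name FROM products WHERE id = ?", (product_id,)).fetchall()
    return [r[0] for r in rows]


def heuristic_flag(endpoint: Endpoint) -> bool:
    """A naive check: flag the parameter if a stray quote changes the result
    or raises a database error. Cheap, but it fires on the safe endpoint too
    (a different id simply matches different rows), so every hit needs
    manual triage."""
    try:
        return endpoint("1") != endpoint("1'")
    except sqlite3.Error:
        return True


def prove_sqli(endpoint: Endpoint) -> bool:
    """Proof-based confirmation. The marker is random per run so it cannot
    appear by coincidence; a parameterised query cannot be made to return it,
    so a True here is never a false positive."""
    marker = "np" + secrets.token_hex(8)
    payload = f"x' UNION SELECT '{marker}' -- "
    try:
        return marker in endpoint(payload)
    except sqlite3.Error:
        return False  # an error alone is a lead, not proof


if __name__ == "__main__":
    for label, ep in (("vulnerable", vulnerable_lookup), ("safe", safe_lookup)):
        print(f"{label}: heuristic={heuristic_flag(ep)} proven={prove_sqli(ep)}")
```

The asymmetry is the point of the slide: the heuristic produces two findings and one of them is wrong, while the proof produces one finding and needs no reviewer. In a real scanner the UNION payload is only one of several confirmation techniques (column-count discovery, error-based extraction, time delays for blind cases), chosen per database, but each of them ends the same way: with a value the attacker selected appearing in the response.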
Conclusion
• Securing thousands of web applications is possible
• Automate what can be automated
• Use the right tools for the job
• Understand what automation can and cannot do
• Plan for the long term
• Challenge the norm

Scaling-up and Automating Web Application Security Tech Talk

Editor's Notes

  • #9 (“Automate what can be automated”): Use automation for what
  • #12 (Post-scan Challenges): Automation can deliver a lot but might need to be configured correctly to get the best out of it.