NEW TECH: A better way to secure agile software — integrate app scanning, pen testing into WAF

The amazing array of digital services we so blithely access on our smartphones wouldn’t exist without agile software development.


Consider that we began this century relying on the legacy “waterfall” software development process. This method required a linear plan, moving in one direction, that culminated in a beta deliverable by a hard-and-fast deadline. Setting that deadline required a long, often tortured planning cycle, and the result was invariably a bug-ridden version 1.0, if not outright project failure.

By contrast, the agile approach, and the DevOps practices that grew out of it, thrive on uncertainty. DevOps expects change as part of being responsive to end users. Agile software development is all about failing fast: discovering flaws quickly and making changes on the fly. Agile has given us Netflix, Twitter, Uber, TikTok and much more.

Of course the flip side is that all of this speed and agility has opened up endless fresh attack vectors – particularly at the web application layer of digital commerce. “The heart of any business is its applications,” says Venky Sundar, founder and chief marketing officer of Indusface. “And application-level attacks have come to represent the easiest target available to hackers.”

Based in Bengaluru, India, Indusface helps its customers defend their applications with a portfolio of services that work in concert with its flagship web application firewall (WAF), a technology that has been around for about 15 years. WAFs have become table stakes; any company with a public-facing website should by now have one. Fundamentally, a WAF inspects the HTTP traffic hitting a company’s web servers and blocks requests that match known attack patterns, such as the injection and cross-site scripting attacks catalogued in the OWASP Top 10. Two caveats apply: the WAF has to terminate, or otherwise see inside, TLS before it can inspect encrypted traffic, and because it matches patterns rather than fixing the underlying code, it is a compensating control that buys time for a fix, not a substitute for one.
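A stripped-down illustration of that inspection step, added here as an example and not code from Indusface or any WAF vendor: a handful of constructed signature rules run over constructed sample requests, with a normalization pass that percent-decodes (bounded) and lowercases each field before matching. The rule ids, regexes, helper names and sample URLs are assumptions made for the demonstration; a real engine such as the OWASP Core Rule Set carries hundreds of tuned rules. The point it makes is that the same payload sails past the engine when matching runs on the raw, still-encoded bytes.

```python
"""Signature-style HTTP request inspection, the core of what a WAF does.

Added example for this article; it is not Indusface code and not any
vendor's rule set. Rule ids, patterns, helper names and the sample
requests below are constructed for illustration only.
"""
import re
from urllib.parse import unquote, urlsplit

# Constructed, deliberately tiny signature set. Real rule sets (e.g. the
# OWASP Core Rule Set) run to hundreds of rules and are tuned per app.
RULES = [
    ("sqli-union",     re.compile(r"\bunion\b[\s/*]+(all[\s/*]+)?\bselect\b")),
    ("sqli-tautology", re.compile(r"'\s*or\s*'?\d+'?\s*=\s*'?\d+")),
    ("sqli-comment",   re.compile(r"(--|#|/\*)\s*$|;\s*--")),
    ("xss-script",     re.compile(r"<\s*script\b")),
    ("xss-handler",    re.compile(r"\bon(error|load|mouseover)\s*=")),
    ("traversal",      re.compile(r"(^|[/\\])\.\.([/\\]|$)")),
]


def normalize(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until the value stops changing (bounded), then lowercase.

    Attackers double-encode payloads (%2527 -> %27 -> ') to slip past
    engines that decode only once. The bound keeps hostile input from
    costing unbounded CPU.
    """
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value.lower()


def _query_values(query: str):
    """Split 'a=1&b=2' into its raw (still percent-encoded) values."""
    return [pair.partition("=")[2] for pair in query.split("&") if pair]


def inspect_request(url: str, body: str = "", headers=None, decode=True):
    """Return the ids of every rule that matches any inspected field.

    Inspected fields: URL path, each query value, the body, and every
    header value. With decode=False the engine matches the raw text,
    which is exactly the weakness encoding tricks exploit.
    """
    parts = urlsplit(url)
    fields = [parts.path, *_query_values(parts.query), body]
    fields += list((headers or {}).values())
    hits = []
    for field in fields:
        candidate = normalize(field) if decode else field.lower()
        for rule_id, pattern in RULES:
            if rule_id not in hits and pattern.search(candidate):
                hits.append(rule_id)
    return hits


# Constructed sample traffic, as a front-end proxy would see it.
SAMPLES = {
    "benign":    "/search?q=blue+shoes&page=2",
    "sqli":      "/items?id=1%27%20UNION%20SELECT%20username,password%20FROM%20users--",
    "sqli-2x":   "/items?id=1%2527%2520UNION%2520SELECT%2520password%2520FROM%2520users",
    "traversal": "/static/..%2F..%2Fetc/passwd",
}

if __name__ == "__main__":
    for name, url in SAMPLES.items():
        print(f"{name:10s} raw={inspect_request(url, decode=False)} "
              f"normalized={inspect_request(url)}")
    print("body xss   ", inspect_request("/comments", body="text=<script>alert(1)</script>"))
    print("header sqli", inspect_request("/", headers={"User-Agent": "x' or '1'='1"}))
```

Running it shows the double-encoded UNION SELECT and the encoded `../` traversal matching nothing on the raw text and matching once normalized. That asymmetry is why WAF evasion research is largely about encodings, comment insertion and parser differentials, and why a WAF is a layer in front of fixed code rather than a reason not to fix it.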

A few of the big-name vendors in the WAF space include Imperva, Cloudflare, Akamai and Barracuda, and even Amazon Web Services offers a WAF. Indusface has differentiated itself by going well beyond standard signature-based WAF blocking. It also provides web application scanning and web application penetration testing services that work best in conjunction with its core WAF service, Sundar told me. Indusface seeks to enable its customers to account for vulnerabilities not just in the live environment, but also while software is being developed and tested.

“Nowadays changes are being made directly all throughout (software) production,” he says. “Continuous development and continuous integration are part of the DevOps and DevSecOps development cycles — and security has to be an integral aspect of that.”

I had a wide-ranging discussion with Sundar about the forward-looking implications of web application vulnerabilities. For a drill down, please give the accompanying podcast a listen. Here are excerpts edited for clarity and length.

LW: What should companies understand about the cyber threat landscape?

Sundar: One of the easiest ways to target a business is through an application-level attack and there are plenty of folks out there inclined to do these attacks. Hackers are motivated by the same thing as legitimate businesses; they want to make money. By attacking a web application they’re able to steal data with simple exploits, without leaving any trace, and then they sell the information for money. There are also hackers motivated by political ideology or, sometimes, revenge, such as a disgruntled employee or customer. The technology is available for companies to get this exposure under control and stay one step ahead of the attackers by making security an integral part of their business applications.

LW: SQL injection endures as a major exposure. Why has this remained so?

Sundar: SQL injection is probably one of the most common, easiest and most damaging types of attack for most businesses. In an ideal world, we’d be done with this problem forever. But every application is different. Every application has its own unique set of parameters. Essentially, you can reduce all types of attacks down to parameter manipulation. As new applications get developed there is always going to be some loophole; input validation just cannot be done 100 percent perfectly, and those weaknesses will always be targeted and exploited. This means if you do proper data validation, and determine what is an acceptable set of user input, that can make a big difference.
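To make the point concrete, here is an added example (not Indusface code; the schema, rows and function names are constructed for illustration, and SQLite is used so it runs offline). It runs the classic string-concatenation mistake against an in-memory database, then the parameterized fix, and finally an ORDER BY column chosen by the user, the case where bound parameters cannot be used and an allow-list of acceptable input is the only defence.

```python
"""SQL injection: the vulnerable pattern, the parameterized fix, and the
allow-list needed where parameters cannot help.

Added example for this interview, not Indusface code. The users table,
its rows and the function names are constructed; sqlite3 keeps it offline.
"""
import sqlite3


def make_db():
    """In-memory database with a constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users(id INTEGER PRIMARY KEY, name TEXT, email TEXT, role TEXT);
        INSERT INTO users(name, email, role) VALUES
          ('alice', 'alice@example.com', 'admin'),
          ('bob',   'bob@example.com',   'user'),
          ('carol', 'carol@example.com', 'user');
    """)
    return conn


def find_by_name_vulnerable(conn, name):
    """Deliberately vulnerable: the caller's string becomes part of the SQL
    text, so a quote in it ends the literal and the rest is parsed as syntax."""
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_by_name_safe(conn, name):
    """Bound parameter: the driver ships the value separately from the SQL,
    so quotes and keywords inside it are data, never syntax."""
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


# Identifiers (table and column names) cannot be bound as parameters.
# The acceptable set of input is therefore fixed up front: the user picks
# a key, and only the mapped, hard-coded column name reaches the query.
ALLOWED_SORT = {"id": "id", "name": "name", "email": "email"}


def list_users_sorted(conn, sort_by):
    """Allow-list validation for an ORDER BY column chosen by the user.

    Anything outside ALLOWED_SORT is rejected rather than sanitized;
    there is no safe way to 'clean' an attacker-chosen identifier.
    """
    try:
        column = ALLOWED_SORT[sort_by]
    except KeyError:
        raise ValueError(f"unsupported sort column: {sort_by!r}") from None
    return conn.execute(f"SELECT name FROM users ORDER BY {column}").fetchall()


if __name__ == "__main__":
    db = make_db()
    for payload in ["alice", "' OR '1'='1", "x' OR role='admin'--"]:
        print(f"{payload!r:24s} vulnerable={find_by_name_vulnerable(db, payload)}"
              f" safe={find_by_name_safe(db, payload)}")
    print(list_users_sorted(db, "email"))
    try:
        list_users_sorted(db, "name; DROP TABLE users--")
    except ValueError as err:
        print("rejected:", err)
```

The tautology payload returns the whole table from the vulnerable function and nothing from the parameterized one; the comment payload (`--` ends the statement in SQLite, as in most engines) pulls out exactly the admin row. Validation and parameterization are complementary: parameters neutralize quoting wherever a value is expected, and the allow-list covers the places, like identifiers, LIMIT clauses in some drivers, or dynamic table names, where the database cannot treat the input as data.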

LW: Broken authentication and simple misconfigurations also keep turning up as widespread types of exposures; are these the unintended consequences of agile development?

Sundar: Broken authentication and misconfigurations are just a couple of the common security exposures that are turning up. One way to address these exposures is to do regular business logic security assessments and manual penetration testing; this should be done by experts who understand the application context and are skilled enough to extend generic test cases and do deeper assessments.

LW: How can companies start getting a handle on the exposures they might be creating as they increase their reliance on agile software development?

Sundar: If you want to own a car that can go very fast, then you should also take steps to make sure the tires won’t blow out and that the brakes will work well when needed. These are smart safety measures that enable you to go fast in a safe manner. When it comes to security, you should start by assuming that any application intended to be consumed over the Internet will have risks. Then get visibility on these risks and begin mitigating the critical ones. Don’t try to do all of this by yourself. In most cases, it will be more cost effective to outsource to a specialist. This can save man-hours and help you reduce risk more effectively.

LW: What are the main things companies should take into consideration when shopping for a WAF?

Sundar: At a high level an application firewall should be able to distinguish between legitimate traffic and illegitimate traffic and then enact dynamic trust policies, to either block the user or throw in some additional authentication challenges, all in real time. Cloud-based WAFs are better suited for absorbing Distributed Denial of Service (DDoS) attacks without requiring any infrastructure overhead from the customer, and a managed WAF service brings to bear the expertise of security experts focusing 24/7 on vulnerabilities and attacks.

LW: Anything else?

Sundar: Security can enhance agility. Effective security can enable digital transformation initiatives to happen faster and hence increases the efficiencies of the business. Hiring experts, and specifically managed services included as part of the product offering, can be a very cost-effective way to mitigate security risks. Budgets are always part of the challenge. If you have to prioritize on mitigating overall cybersecurity risks, it makes a lot of sense to focus on application security first. Applications are the heart of any business and if you secure your applications you secure your business.

Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.

(LW provides consulting services to the vendors we cover.)

*** This is a Security Bloggers Network syndicated blog from The Last Watchdog authored by bacohido. Read the original post at: