Web Application Security Testing

Learn how to find and reduce risk in today's ever-evolving web applications.


What is Web Application Security Testing?

From web-based email to online shopping and banking, organizations are bringing their businesses directly to customers' web browsers every day, circumventing the need for complex installations or update rollouts. In addition, organizations are rolling out internal web applications for finance, marketing automation, and even internal communication that are often homegrown, or at least fine-tuned to their specific needs.

While web applications offer convenience to businesses and customers alike, their ubiquity makes them a popular attack target for cybercriminals. As a result, web application security testing, or scanning and testing web applications for risk, is essential.

As the 2018 Verizon Data Breach Report shows, web applications are a popular attack target in confirmed data breaches, and in some industries up to 41% of data breaches are web application-related. The report also found that about half of web application-related breaches took several months or longer for security teams to discover. The longer an attacker has access to systems, the more damage they can cause. Attackers must be discovered and removed as quickly as possible, but that is often easier said than done.

As attackers increasingly target web applications, they are able to refine and test their methods, increasing their sophistication. Even if a company follows best practices to protect itself against common web application attacks, that may not be enough. Breaking into web applications can be lucrative for criminals—they are motivated to use the latest and greatest in attack methods and tools, and they may have the resources of organized crime behind them. This kind of muscle can be hard for a business to combat alone.

Web applications can also be so complex that they confuse systems designed to automatically detect an attacker's intrusion. That is why common tools like intrusion detection alone aren't sufficient; web application security testing can fill the gaps.

Types of Web Application Security Testing

Dynamic Application Security Testing (DAST): A DAST approach involves looking for vulnerabilities in a web app that an attacker could try to exploit. This testing method works to find which vulnerabilities an attacker could target and how they could break into the system from the outside. Dynamic application security testing tools don't require access to the application's original source code, so testing with DAST can be done quickly and frequently.

Static Application Security Testing (SAST): SAST takes an inside-out approach, meaning that unlike DAST, it looks for vulnerabilities in the web application's source code. Since it requires access to the application's source code, SAST can offer a real-time snapshot of the web application's security.

Application Penetration Testing: Application penetration testing involves the human element. A security professional will try to imitate how an attacker might break into a web app using both their personal security know-how and a variety of penetration testing tools to find exploitable flaws. You can also outsource web application penetration testing services to a third party if you do not have the resources in-house.
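To make the inside-out versus outside-in distinction concrete, here is an added example that is not part of the original page and not Rapid7's code. It assumes a hypothetical Python data-access layer backed by SQLite: one handler splices a username into its query, the other uses a bound parameter. The SAST-style check parses the source with Python's `ast` module and flags any `execute()` call whose query string is assembled at runtime; it never runs the code. The DAST-style check does the opposite: it runs each handler as a black box with an ordinary name that contains an apostrophe and reports whether the database layer failed on it. The sample application code, the table contents and the probe value are all constructed for this example.

```python
import ast
import sqlite3
import textwrap

# Constructed sample application code (hypothetical, not from the page): one
# handler that splices the username into the query, one that binds it as a
# parameter. It is kept as text so the SAST check can parse it and the DAST
# check can execute it.
SAMPLE_SOURCE = textwrap.dedent('''\
    def lookup_user(conn, username):
        cur = conn.cursor()
        cur.execute("SELECT id FROM users WHERE name = '" + username + "'")
        return cur.fetchone()

    def lookup_user_safe(conn, username):
        cur = conn.cursor()
        cur.execute("SELECT id FROM users WHERE name = ?", (username,))
        return cur.fetchone()
''')


def _built_at_runtime(expr):
    """True if an expression assembles a string at runtime rather than being a literal."""
    if isinstance(expr, (ast.BinOp, ast.JoinedStr)):      # "..." + x, "..." % x, f"..."
        return True
    return (isinstance(expr, ast.Call)                     # "...".format(x)
            and isinstance(expr.func, ast.Attribute)
            and expr.func.attr == "format")


def sast_find_dynamic_sql(source):
    """Inside-out (SAST) check: parse the source and report every function that
    passes a runtime-built string as the first argument of an execute() call."""
    flagged = []
    for func in ast.walk(ast.parse(source)):
        if not isinstance(func, ast.FunctionDef):
            continue
        for node in ast.walk(func):
            if (isinstance(node, ast.Call)
                    and isinstance(node.func, ast.Attribute)
                    and node.func.attr == "execute"
                    and node.args
                    and _built_at_runtime(node.args[0])):
                flagged.append(func.name)
                break
    return flagged


def build_db():
    """Constructed in-memory database: two users, one with a quote in the name."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users (name) VALUES (?)", [("alice",), ("o'brien",)])
    conn.commit()
    return conn


def dast_probe(handler, conn, username="o'brien"):
    """Outside-in (DAST) check: run the handler as a black box with an ordinary
    name containing an apostrophe and report whether the database rejected it."""
    try:
        row = handler(conn, username)
    except sqlite3.Error as exc:
        return {"status": "error", "detail": str(exc)}
    return {"status": "ok", "row": row}


def load_handlers(source):
    """Execute the constructed sample source so the DAST probe can call its functions."""
    namespace = {}
    exec(source, namespace)
    return {name: namespace[name] for name in ("lookup_user", "lookup_user_safe")}


if __name__ == "__main__":
    print("SAST flagged:", sast_find_dynamic_sql(SAMPLE_SOURCE))
    for name, handler in load_handlers(SAMPLE_SOURCE).items():
        print("DAST", name, "->", dast_probe(handler, build_db()))
```

The two checks reach the same finding by different routes: SAST reports `lookup_user` from the code's shape alone and can run on every commit without a deployed environment, while the DAST probe only needs a running handler and catches the failure as observable behaviour. Each misses what the other sees, which is why the page recommends combining approaches rather than relying on one.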

3 Tips for Web Application Security Testing

1) If a system is business-critical, it should be tested often: Any system that stores customer data—including credit card numbers, personally identifiable information (PII), or any other sensitive information—should be tested for security vulnerabilities; in fact, it's often a requirement of many government- or industry-mandated compliance guidelines. Keep this in mind when looking at the potential scope of web application security testing in your organization.

2) The earlier security is tested in the software development lifecycle, the better: You do not want to leave security testing as a last step in software development—inevitably, vulnerabilities will be found and this can throw a big wrench into the development and maintenance processes. Bring security into the process as early in the SDLC as possible, preferably with the full involvement of your development operations (DevOps) team, to streamline response, minimize risk, and minimize any cost or time spent on remediation.

3) Keep development teams on track by prioritizing remediation and bug fixes: The output of web application security testing will often be a list of items that development will need to address at some point. Security calls them vulnerabilities, but development calls them bugs. The key is to not simply drop a list of these issues into a DevOps team's lap; instead, be sure to prioritize the vulnerabilities and fully integrate with the bug tracking system in place, so that remediation time is kept to a minimum.

Web application security is more important than ever. By implementing an application security testing program, businesses can significantly reduce their risk and help keep their systems safe from attackers.
