Managed Security Service Providers (MSSPs) are a fantastic alternative for small and medium-sized businesses whose primary goal is to hire business-focused employees, not to recruit teams of IT and security professionals who, although valuable for the security of the organization, do not contribute to its core business. Outsourcing security services saves growing businesses from having to build internal teams from scratch, which is not only difficult due to a significant shortage of cybersecurity skills, but also results in specialized staff with very little to do on a regular basis.
However, cybersecurity is changing so rapidly that many MSSPs struggle to stay current. As a result, for example, many MSSPs do not include web application security as part of their services. This is mainly due to the rapid development of web technologies and the rapid migration to the cloud. Just a few years ago, MSSPs could afford to focus on network security and endpoint security (anti-malware solutions). Today, these cybersecurity disciplines are no longer more important than web application security.
Here are the top four reasons why every MSSP should include web application security in their service portfolio and why a professional web application security solution is the best choice as the foundation for those services.
1. Web applications are a common attack target
In a study by Forrester Research, The State of Application Security 2021, web application attacks were identified as the most common attack method. This proves that while the global media is mostly talking about phishing and ransomware, many companies don’t realize how important web application security is.
Another reason why the web is often treated with neglect is the sudden change in its importance. Just a few years ago, businesses primarily used the web for marketing, sharing information, or communicating with customers. Today, the same companies use the web for their main revenue-generating activities and store the most sensitive information in web-based applications.
Attackers are of course aware of this and find revenue-generating web applications a tempting target: companies often leave them unprotected, and vulnerabilities are very common because developers often neglect security. At the same time, most companies have little understanding of web development and leave it to third parties who are often not accountable for security-related consequences. Often, applications containing sensitive business data run on open source engines without anyone being responsible for their security. This chaos is a perfect environment for black-hat hackers.
2. You Can’t Manually Cover Web Application Security
Some MSSPs may think that the best way to cover web application security is to perform manual penetration testing. While it’s true that manual penetration testing leads to more in-depth security coverage, it’s time consuming. With the number of customers served by an MSSP and the number of websites and web applications to cover, hundreds of penetration testers would need to be working around the clock to cover all the bases for each customer.
This is also the reason why manual penetration testing tools are not the way to go for MSSPs. Professional penetration testing tools like web proxies are top notch in the right hands, but it’s the lack of hands that’s the problem. What MSSPs need are solutions that automate the majority of alerts and cases, reducing the time and human resources required so that staff can focus on the most critical, high-risk issues and prioritize the most impactful and dangerous risks.
3. Packaged security solutions do not cover web application security
Another mistaken assumption made by some MSSPs is that packaged network security solutions will cover web security well enough. This is not the case. While there are network security solutions that include limited capability add-ons to cover the most common web application security vulnerabilities, these are too basic to ensure your client is well covered.
Focusing your efforts on network security and treating web application security as an add-on would have been a perfectly reasonable approach just five years ago. Now the tables have turned. Since most small businesses, especially new ones, keep their sensitive data in the cloud and have virtually no on-premises solutions, network security has become a much lower priority. Network security remains a high priority for slow-growing organizations such as government entities or some large enterprises, but not for SMBs.
4. Open Source Solutions Are Not Enough for Web Application Security
Open source is a common choice for businesses, especially for web applications. Web applications are often based on open source platforms, such as WordPress, which, according to W3Techs, powers over 42% of all websites.
This leads many to believe that the situation is similar in the world of web application security. After all, for example, there are excellent open source network security solutions out there, which could easily compete with the biggest commercial players. Unfortunately, this is not the case with web security. There are very few open source platforms for web application security analysis and these platforms have limited capabilities. The biggest problem with them is the fact that they were designed to be used as penetration testing tools, not automated solutions.
As a result, MSSPs that attempt to base their web application security services on open source solutions encounter major automation and usability issues and provide their customers with only a limited scope of web application security.
What is the best choice for MSSPs?
The only sensible way for MSSPs to offer web application security services is to use a modern web application security product designed specifically for MSSPs. Here are some of the reasons why such a solution is worth considering:
1. Safe approach to scanning production websites
Unlike tech companies, MSSPs very rarely perform web application security testing for their clients during SDLC stages or on staging sites. This is because MSSP customers outsource not only their security, but also their web presence. Therefore, MSSPs have to perform their scans on production websites. The problem is that most web application security products are designed primarily to be used during development.
Scanning production websites is not an easy task, as a scan can easily cause an inadvertent denial of service. A scanner may simply communicate so intensely with the web application that regular customers can’t get through and are effectively denied access to the scanned target.
MSSP-focused web application security scanners are designed to address this issue and continue to find new approaches to ensure the security of production site scanning. You should look for features such as scan throttling, off-peak scheduling, and scanning using multiple different engines (agents) at once. With these features, scans can be performed more slowly (with more time between requests), at a time when there are few users at the production site, or from a location that does not cause bottlenecks.
The second feature to look for is tooling that limits the number of requests sent and the size of the data packets sent. This minimizes the impact of the scan on the website.
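To make the production-scanning safeguards above concrete, here is an added example (not code from the original post or from any vendor) of a request planner that applies all of them at once: a minimum gap between requests (throttling), an off-peak window (scheduling), a per-scan request budget and a payload size cap. The policy values, the simulated clock and the queued payloads are constructed for illustration; a real scanner would sleep until each planned send time instead of advancing a simulated clock.

```python
from dataclasses import dataclass
from datetime import datetime, time, timedelta


@dataclass(frozen=True)
class ScanPolicy:
    min_interval: timedelta   # throttle: minimum gap between two requests
    max_requests: int         # hard budget of requests for one scan
    max_body_bytes: int       # cap on the payload size of a single request
    offpeak_start: time       # off-peak window, in the target's local time
    offpeak_end: time

    def in_offpeak(self, now: datetime) -> bool:
        t = now.time()
        if self.offpeak_start <= self.offpeak_end:
            return self.offpeak_start <= t < self.offpeak_end
        return t >= self.offpeak_start or t < self.offpeak_end  # wraps midnight


def next_window_start(now: datetime, start: time) -> datetime:
    """Next moment at or after `now` when the off-peak window opens."""
    candidate = now.replace(hour=start.hour, minute=start.minute,
                            second=0, microsecond=0)
    return candidate if candidate > now else candidate + timedelta(days=1)


class PacedScanner:
    """Decides, per queued request, whether and when it may be sent."""

    def __init__(self, policy: ScanPolicy, start: datetime):
        self.policy, self.clock = policy, start   # simulated clock (assumption)
        self.last_sent, self.sent = None, 0

    def plan(self, queue):
        """Return one (decision, send_time) pair per payload; sends nothing."""
        out = []
        for body in queue:
            if len(body) > self.policy.max_body_bytes:
                out.append(("drop:oversized", None))
                continue
            if self.sent >= self.policy.max_requests:
                out.append(("drop:budget", None))
                continue
            if self.last_sent is not None:      # throttle against previous send
                self.clock = max(self.clock, self.last_sent + self.policy.min_interval)
            if not self.policy.in_offpeak(self.clock):   # defer to off-peak hours
                self.clock = next_window_start(self.clock, self.policy.offpeak_start)
            out.append(("send", self.clock))
            self.last_sent, self.sent = self.clock, self.sent + 1
        return out


def demo():
    # Constructed policy: 2 s between requests, 3 requests max, 64-byte bodies, 22:00-06:00 window.
    policy = ScanPolicy(timedelta(seconds=2), 3, 64, time(22, 0), time(6, 0))
    scanner = PacedScanner(policy, datetime(2021, 6, 1, 21, 59, 59))
    return scanner.plan(["id=1", "id=2", "x" * 100, "id=3", "id=4"])
```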
2. Smooth learning curve
MSSP security personnel have too much on their hands to afford to play endlessly with the complex configuration of security tools. They need something they can use right now. They need a simple and efficient user interface with additional tools that make their life easier. Unfortunately, this isn’t often the case with enterprise-focused web application security product bundles.
What you need is a simple tool with a minimal user interface and the best preconfigured options. If the scan target requires authentication or includes multi-step forms with business logic, the tool should provide very easy-to-use visual tools that allow you to log in and cover all form options. MSSP staff shouldn’t have to write scripts or spend hours learning complex configuration settings. They just need to add the customers’ web targets and run the scans.
3. Get a tool you can trust
There are a lot of newcomers to the web application security world and they have very aggressive marketing, promising you heaven and the stars, when in reality they are just getting started and won’t support you effectively if you encounter problems. That’s why you should look for established vendors with at least 10 years of experience in the market. However, note that many established web application security vendors offer enterprise-grade solutions, making them not only too expensive for MSSPs, but also ill-suited to the needs of SMB customers.
4. The right license for you
Finally, look for a license that fits the unique model of MSSPs. Companies that purchase web application security solutions for themselves rarely need to add and modify as many targets as MSSPs. Therefore, many vendors only offer fixed licenses, for example for 50 targets. This won’t work for an MSSP because you can’t know in advance how many targets your next client will have. You need full flexibility to assign, manage, re-assign, and delete targets, as well as automated consumption billing for exact usage, giving you true OPEX costs rather than the cost of a flat-rate license in a CAPEX model.
Guest blog courtesy of Invicti, an international web application security company headquartered in Austin, Texas. See more Invicti guest blogs here. Regularly contributed guest blogs are part of the MSSP Alert referral program.