Managed security service providers (MSSPs) are an attractive option for small- to medium-sized organizations that would rather hire business-focused employees than recruit teams of IT and security professionals who, while valuable to the organization's security, do not contribute to its core business. Outsourcing security services saves growing businesses the trouble of building internal teams from scratch, which is difficult because of the cybersecurity skills gap and often leaves specialized personnel with very little to do on a day-to-day basis.
However, cybersecurity evolves so quickly that many MSSPs have a hard time staying up to date. As a result, for example, a large number of MSSPs do not include web application security in their services. This is primarily due to the rapid development of web technologies and the quick migration to the cloud. Just a few years ago, MSSPs could reasonably focus on network security and endpoint security (anti-malware solutions). Today, those disciplines are no longer more important than web application security.
Here are the four primary reasons why every MSSP needs to include web application security in their service portfolio and why a professional web application security solution is the best choice as the basis of such services.
1. Web Applications Are a Common Attack Target
In The State of Application Security 2021, a study from Forrester Research, web application attacks were identified as the most common method of attack. This suggests that while the global media talk mostly about phishing and ransomware, many businesses do not realize how important web application security is.
Another reason why the web is often neglected is the sudden shift in its importance. Just a few years ago, businesses primarily used the web for marketing, sharing information, or communicating with customers. Now, the same businesses use the web for their primary revenue-generating activities and store their most sensitive information in web applications.
Attackers are, of course, aware of this, and revenue-driving web applications are an attractive target: businesses often leave them unprotected, and vulnerabilities are common because developers often treat security as an afterthought. At the same time, most businesses know little about web development and leave it to third parties that are often not accountable for security-related consequences. Frequently, applications that hold sensitive business data run on open-source engines with nobody at all responsible for their security. This chaos is a perfect environment for black-hat hackers.
2. You Can’t Cover Web Application Security Manually
Some MSSPs may think that the best way to cover web application security is by performing manual penetration tests. While it is true that manual penetration testing gives deeper coverage, it consumes an enormous amount of time. Given the number of customers serviced by an MSSP and the number of websites and web applications to cover, hundreds of penetration testers would have to work around the clock to cover all the bases for every customer.
This is also why manual penetration testing tools are not the way to go for MSSPs. Professional tools such as intercepting web proxies are top-notch in the right hands, but it is the lack of hands that is the problem. What MSSPs need are solutions that automate the bulk of discovery and triage, so that scarce human time goes to the critical, high-risk findings and the most impactful risks are addressed first.
3. Packaged Security Solutions Don’t Cover Web Application Security
Another wrong assumption made by some MSSPs is that packaged network security solutions will cover web security well enough. That is not the case. While some network security solutions include limited-capability add-ons that check for the most common web application vulnerabilities, these are too basic to make sure that your customer is well covered.
Focusing your efforts on network security and treating web application security as an add-on would have been a reasonable approach some five years ago. Now the tables have turned. Since most small businesses, especially new ones, keep their sensitive data in the cloud and have next to no on-premises infrastructure, network perimeter security has become a much lower priority for them. It remains a high priority for organizations with large on-premises estates, such as government entities or some major corporations, but not for SMBs.
4. Open-Source Solutions Are Not Enough for Web Application Security
Open source is a common choice for businesses, especially in the case of web applications. Web applications are often based on open-source platforms, such as WordPress, which, according to W3Techs, is the basis for more than 42% of all websites.
This leads many to believe that the situation is similar in the world of web application security. After all, there are excellent open-source network security solutions that can rival the biggest commercial players. Unfortunately, this is not the case with web security. There are very few open-source platforms for web application security scanning, and they have limited capabilities. The biggest problem with them is that they were designed as interactive penetration testing tools first and automated scanning solutions second.
As a result, MSSPs that try to base their web application security services on open-source solutions run into major problems with automation and ease of use, and end up providing their customers with only a limited scope of web application security.
What is the Best Choice for MSSPs?
The only sensible way for MSSPs to offer web application security services is by using a modern web application security product specially tailored for MSSPs. Here are some of the reasons why such a solution is worth consideration:
1. Secure approach to scanning production websites
Unlike high-tech companies, MSSPs very rarely run web application security tests for their customers during development (within the SDLC) or against staging sites. This is because MSSP customers outsource not just their security but their web presence as well. As a result, MSSPs need to perform their scans on production websites. The problem is that most web application security products are made primarily for use during development.
Scanning production websites is not an easy task because a scan can easily cause an unintentional denial of service: a scanner sends so many requests, so quickly, that regular customers cannot get through and are effectively denied access to the scanned target. Load is not the only risk, either. A scanner that submits forms on a live site can create junk records, send e-mails or trigger password resets, so form submission and destructive HTTP methods need to be restricted on production targets as well.
MSSP-focused web application security scanners are built to address these problems and keep finding new approaches to make production scanning safe. You should look for functions such as scan throttling, scheduling for off-hours, and scanning with several engines (agents) at once. Using these functions, scans can be run more slowly (with more time between requests), at a time when few users are on the production site, or from locations that do not create bottlenecks.
The second trait to look for is the ability to cap the total number of requests sent and the size of the request payloads. This helps minimize the impact of the scan on the website.
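The controls described above (a steady request rate with a small burst allowance, an off-hours window, a cap on total requests and a cap on payload size) are simple to express in code. The following is an added example, not code from Invicti or from the original post: a token-bucket scheduler that decides, request by request, whether a scanner may send now, must back off, or must skip. The class names, the limits, the 01:00 to 05:00 window, the shop.example URLs and the crawl queue are all assumptions made for this illustration, and the clocks are injected so that the run is deterministic and needs no network.

```python
"""Throttled scan scheduler for a production web target.

Added illustration, not Invicti's code: a token-bucket rate limit, a per-scan
request cap, a payload-size cap and an off-hours window. All names, limits
and the request queue below are assumptions made for this example.
"""
from dataclasses import dataclass
from datetime import datetime, time, timedelta
from typing import Callable, List


@dataclass
class ScanPolicy:
    max_requests_per_second: float = 2.0  # steady rate once the burst is spent
    burst: int = 3                        # token-bucket capacity
    max_requests_per_scan: int = 1000     # hard cap on requests in one scan
    max_body_bytes: int = 64 * 1024       # cap on request payload size
    window_start: time = time(1, 0)       # off-hours window, local time
    window_end: time = time(5, 0)


class ThrottledScanner:
    """Admits or holds back each request according to the policy."""

    def __init__(self, policy: ScanPolicy, monotonic: Callable[[], float],
                 wallclock: Callable[[], datetime]) -> None:
        self.policy, self.monotonic, self.wallclock = policy, monotonic, wallclock
        self.tokens = float(policy.burst)   # injected clocks keep this deterministic
        self.last_refill = monotonic()
        self.sent = 0
        self.skipped: List[str] = []

    def in_window(self) -> bool:
        now = self.wallclock().time()
        start, end = self.policy.window_start, self.policy.window_end
        if start <= end:
            return start <= now < end
        return now >= start or now < end  # window crosses midnight

    def _refill(self) -> None:
        now = self.monotonic()
        earned = (now - self.last_refill) * self.policy.max_requests_per_second
        self.tokens = min(float(self.policy.burst), self.tokens + earned)
        self.last_refill = now

    def time_until_token(self) -> float:
        """Seconds to sleep before the bucket holds a whole token."""
        self._refill()
        return max(0.0, (1.0 - self.tokens) / self.policy.max_requests_per_second)

    def try_send(self, method: str, url: str, body: bytes = b"") -> str:
        """Return 'sent', 'throttled' (caller should sleep) or a skip reason."""
        if not self.in_window():
            reason = "outside window"
        elif self.sent >= self.policy.max_requests_per_scan:
            reason = "budget exhausted"
        elif len(body) > self.policy.max_body_bytes:
            reason = f"payload too large ({len(body)} B)"
        else:
            self._refill()
            if self.tokens < 1.0:
                return "throttled"
            self.tokens -= 1.0
            self.sent += 1
            return "sent"
        self.skipped.append(f"{reason}: {method} {url}")
        return reason


def run_scan(start_hour: int):
    """Push a constructed crawl queue through the scheduler starting at the
    given local hour; returns (requests sent, simulated seconds, skip reasons)."""
    policy = ScanPolicy(max_requests_per_second=2.0, burst=3,
                        max_requests_per_scan=6, max_body_bytes=1024)
    clock = {"mono": 0.0, "wall": datetime(2021, 6, 1, start_hour, 0)}
    scanner = ThrottledScanner(policy, lambda: clock["mono"], lambda: clock["wall"])

    # Constructed queue: seven page fetches plus one oversized POST.
    queue = [("GET", f"https://shop.example/item/{i}", b"") for i in range(7)]
    queue.insert(3, ("POST", "https://shop.example/search", b"q=" + b"A" * 2048))

    sent = 0
    for method, url, body in queue:
        status = scanner.try_send(method, url, body)
        if status == "throttled":
            wait = scanner.time_until_token()   # back off instead of hammering the site
            clock["mono"] += wait                # simulated sleep
            clock["wall"] += timedelta(seconds=wait)
            status = scanner.try_send(method, url, body)
        if status == "sent":
            sent += 1
    return sent, clock["mono"], scanner.skipped
```

Running run_scan(2) (inside the assumed window) sends six requests over 1.5 simulated seconds, skips the oversized POST and refuses the last GET once the per-scan budget is spent; run_scan(14) sends nothing because every request falls outside the window. In a real scanner the monotonic and wall clocks would be time.monotonic and datetime.now, the sleep would be real, and the same checks would sit in front of every engine instance so that several agents do not each consume a full budget against the same site.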
2. Gentle learning curve
MSSP security personnel have too much to do to afford fiddling endlessly with the complex configuration of security tools. They need something they can use right there, right now: a simple, effective user interface with additional tools that make their life easier. Unfortunately, that is often not the case with enterprise-focused web application security product bundles.
What you need is a tool with a minimal user interface and sensible preconfigured defaults. If the scan target requires authentication or includes multi-step forms with business logic, the tool should provide easy-to-use visual helpers that let you record a login and cover all the form options. MSSP personnel should not be required to write scripts or spend hours learning complex configuration settings. They just need to add the customer's web targets and run the scans.
3. Get a tool that you can trust
There are many newcomers to the world of web application security with very aggressive marketing, promising you the moon while in reality they are just starting up and will not support you effectively if you run into trouble. That is why you should look for established providers with at least 10 years on the market. Note, however, that many such established providers have solutions tailored for enterprises, which makes them not only too expensive for MSSPs but also poorly adjusted to the needs of SMB customers.
4. The right license for you
Last but not least, look for a license suited to the unique model of MSSPs. Businesses that purchase web application security solutions for themselves rarely need to add and modify as many targets as MSSPs do, so many providers offer only fixed licenses, e.g. for 50 targets. This will not do for an MSSP, because you cannot know in advance how many targets your next customer is going to have. You need full flexibility to assign, manage, reassign and delete targets, together with automated consumption billing for the exact usage, giving you true OPEX costs rather than a lump-sum license fee in a CAPEX model.
Guest blog courtesy of Invicti, an international web app security company headquartered in Austin, Texas. See more Invicti guest blogs here. Regularly contributed guest blogs are part of MSSP Alert's sponsorship program.