Wednesday, 7 October 2020

Should you arm your SaaS software engineers with a web app vulnerability scanner?

Vulnerability scanner for cloud software development teams

Web application vulnerability scanners have been around for a long time. And they've been ignored by most software engineers for a long time.

Isn't it strange that the very people who build amazing software completely ignore other novel software that helps them secure their creations?

Why do software engineers not like vulnerability scanning tools?

There are many reasons behind this, but a primary factor is likely to be software engineers' lack of acknowledgement that they are responsible for securing the code that they write. Not the testing team. Not the security team. But the software engineer herself is responsible for building secure features. 

If you think that's a novel thought, there's a compounding problem: most software engineers don't trust application security teams and products, like vulnerability scanners. 

Given that very few software engineers take application security papers during their university education or in their formative professional years (primarily because few universities require that they be taken?), it follows they're more focused on building cool new features and not so much on building cool AND secure new features. 

But those blind spots lead to these problems:


So as a tech decision maker, when you thrust an application security assessment or a web app penetration test on your engineers, they're naturally wary of what they're going to face.

Let's call a spade a spade: they're afraid of being made to look bad. It's that perception of professional embarrassment that they are really dreading.

But this sequence of facts and emotions leaves you, as a decision maker, in no-man's land. How do you deal with your engineers' emotions while also solving your application security headaches?

To solve this conundrum, we need to dig a little deeper.

Does human nature cause software developers to dislike application security tools?

The wariness stems not just from a lack of technical understanding about the application security process, but also from plain human nature. As Harvard Business School's Michael H. Yeomans puts it in his recent study, "people are less willing to accept recommenders when they do not feel like they understand how they make recommendations."

The mistrust of recommendations from other seemingly learned professionals is only exceeded by humans' mistrust of technology. As Cornell's Jon Kleinberg and the University of Chicago's Anuj Shah and Sendhil Mullainathan found in the same paper with Yeomans, "there's a mistrust in algorithms. People seem to view them as a cheap substitute for human judgment."

You'll agree that the above comment is especially true of technically advanced people who often mistrust advanced technologies (not built by them), often just because they don't have the time or requisite knowledge to understand it in greater depth. 

Cornell University's Malte Jung has studied human-robot interaction in everyday work environments. He says, "human-robot interaction is not just about how you interact with technology, but how the technology affects how people interact with other people."

"It's about moving beyond this one-to-one paradigm between a single human and a single robot into a group and team context because, the fact is, people rarely work alone," says Jung.

And therein lies one of the big problems with application security tools, the robots of this analogy. They are mostly designed for security testers conducting web application penetration tests, who work alone. This setup is likely very different to the dynamics of your software engineering team, who are constantly collaborating with each other using developer tools like Jira, GitHub or Slack/Teams.

Want to see how an automated pen testing tool built for software dev teams could help your software developers find & fix security vulnerabilities by themselves?

Are vulnerability scanners "developer-friendly"?

In the case of vulnerability scanning tools, software engineers' mistrust is not solely a case of age-old human behavioural patterns. 

As I showed you before, most application security tools were built for cybersecurity experts - the ethical hackers of the world. They were not built for software engineers.

Most vulnerability scanners are not easy to set up, not easy to use and definitely do not help you patch a vulnerability unless you're willing to spend endless days scouring Google. They require tinkering with various add-ons and plugins just to run a scan. 

When you're giving your software engineers tight deadlines and overloaded sprints, I think they can be (somewhat) forgiven for focusing on finishing their day jobs, rather than engaging in hand-to-hand combat with a vulnerability scanner just to run a vulnerability scan!

My criticisms above are true for most of the bigger names in the vulnerability scanning field. That's why we built our own vulnerability scanner and automated penetration testing tool for software developers.

Software teams really appreciate that Cyber Chief is frictionless and user-friendly, allowing them to concentrate on building great applications.

What makes the Cyber Chief automated penetration testing tool "frictionless"?

A client who recently switched to Cyber Chief from a different vulnerability scanner put it this way: "Using the other tool was like driving on a highway full of potholes. Even when they get filled, the potholes come back after the next heavy rain.

Cyber Chief, on the other hand, is like driving on a newly laid highway. It's smooth, the car makes less noise and I can get where I'm going at good speed."

But, how does Cyber Chief achieve this, you ask? With a few key features, among others:

  • Easy integrations with your DevOps deployment pipelines, so that your team never has to log in to Cyber Chief to run a vulnerability scan.
  • Deep, authenticated scans behind your app login without having to configure hundreds of different plugins.
  • Best-practice vulnerability resolutions, so your developers don't have to waste days looking for a fix on Google.
  • A knowledge repository of how vulnerabilities were patched in your environment, so that your developers don't have to reinvent the wheel when that vulnerability recurs.

Would you like my team to take care of your security headaches so that you can concentrate on building your software & your business?

Does your software engineering team need a web application vulnerability scanner?

The answer is yes, if you answer yes to any of these questions:

  • Is your software constantly being enhanced, whether to improve it or to add new features?
  • Do you have cloud software penetration tests performed on your software?
  • Does your cloud software store or access data that your users will want you to protect?
  • Do you have an ISO27001, SOC 2 or equivalent accreditation?
  • Is your development outsourced to an external team or company?
  • Is your cloud software used by enterprise customers, or are you planning to win more enterprise customers?

Answering yes to any of the above questions means that your software changes often; and/or that your users expect you to keep their data safe; and/or that you need to prove to enterprise customers or auditors that you have a consistent and strong application security program in place.

Add to this the fact that most software breaches result from patches or code fixes that were readily available but never applied by the software engineering team. I could present you with a slew of numbers on this, but take this as just one very common example:

SQL injection is a vulnerability that has been well known, understood and patchable for well over two decades. Yet such vulnerabilities are routinely introduced and reintroduced into software and not picked up until an external consultant performs their penetration testing services.
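To make concrete what "well understood and patchable" means here, below is an added example that is not part of the original article and not Cyber Chief's code. It puts the textbook vulnerable query beside its parameterised fix, using only Python's standard library (sqlite3 and ast) and a constructed in-memory users table, and it adds a tiny static check of the kind the "static scanner" in the feature list further down would perform: flagging execute() calls whose SQL text is assembled from variables. All table contents, usernames and the SAMPLE_SOURCE snippet are constructed for the demonstration.

```python
import ast
import sqlite3


def make_db():
    """Constructed sample data: a tiny in-memory users table standing in for a
    SaaS application's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn


def find_user_vulnerable(conn, username):
    """The classic mistake: the user-controlled value is pasted into the SQL
    text, so the database parses it as SQL instead of treating it as data."""
    return conn.execute(
        f"SELECT username, email FROM users WHERE username = '{username}'"
    ).fetchall()


def find_user_fixed(conn, username):
    """The decades-old fix: a parameterised query. The value travels separately
    from the statement, so it can never alter the query's structure."""
    return conn.execute(
        "SELECT username, email FROM users WHERE username = ?", (username,)
    ).fetchall()


# Constructed source snippet for the static check below: line 2 builds SQL with
# an f-string, line 3 is parameterised, line 4 uses %-formatting.
SAMPLE_SOURCE = '''\
def lookup(conn, username):
    conn.execute(f"SELECT * FROM users WHERE username = '{username}'")
    conn.execute("SELECT * FROM users WHERE username = ?", (username,))
    conn.execute("SELECT * FROM users WHERE username = '%s'" % username)
'''


def flag_string_built_queries(source):
    """Minimal static check: return the line numbers of execute()/executemany()
    calls whose first argument is an f-string, a %-formatted string, a
    concatenation or a .format() call rather than a constant statement."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)):
            continue
        if node.func.attr not in ("execute", "executemany") or not node.args:
            continue
        first = node.args[0]
        dynamic = (
            isinstance(first, ast.JoinedStr)
            or (isinstance(first, ast.BinOp) and isinstance(first.op, (ast.Add, ast.Mod)))
            or (isinstance(first, ast.Call)
                and isinstance(first.func, ast.Attribute)
                and first.func.attr == "format")
        )
        if dynamic:
            findings.append(node.lineno)
    return sorted(findings)


if __name__ == "__main__":
    conn = make_db()
    # A benign lookup behaves identically in both versions.
    print(find_user_vulnerable(conn, "alice"), find_user_fixed(conn, "alice"))
    # A value containing SQL syntax changes the vulnerable query's meaning and
    # returns every row; the parameterised query simply finds no such username.
    probe = "' OR '1'='1"
    print(find_user_vulnerable(conn, probe), find_user_fixed(conn, probe))
    # The static check reports the two lines that build SQL from variables.
    print(flag_string_built_queries(SAMPLE_SOURCE))
```

The dynamic half of the demonstration (running the query) and the static half (inspecting the source) catch the same defect from different directions, which is the reason the article's feature list recommends having both kinds of scanner.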

Who gets blamed for security breaches at software companies?

Usually it's the development team. Then the blame filters up to management, who will most likely turn around and fire any external service providers.

But you can't blame software developers for not fixing a vulnerability if they don't have access to a vulnerability scanning tool that's made for SaaS engineering teams in the first place, can you?

That would be like expecting a dishwasher to clean your dishes without any dishwashing tablets, no?

When you combine the above variables with something as worrying as the following statistic, it becomes clear why you need to provide your software development team with a vulnerability scanner that can help them find and fix vulnerabilities on their own:

[Image: User-friendly web app vulnerability scanner for software developers]

Now, the only remaining question to ask is:

Is there a vulnerability scanner that is built for software developers?

TL;DR Yes, there is. Get Your Free Trial of Cyber Chief to see how it might work for you and your developers. 

Cyber Chief is not just another tool to add to your stack. It's purpose-built to help your developers find and fix vulnerabilities before new versions of your application go into prod.

It's a key component of ensuring that you have best-practice software security processes in place.

But in case you don't trust my recommendation, let me first briefly explain to you what makes a web app vulnerability scanner suitable for use by your software engineering team.

7 crucial features of vulnerability scanners for DevOps environments

There are seven key features of a vulnerability scanner that you must consider when choosing one for your software development team:

  1. Do you need a dynamic scanner that actually attacks your web application, or just a static scanner that identifies vulnerable code? Ideally, you should have both, because they help you in different ways.
  2. Does the vulnerability scanner provide fixes for each vulnerability in the languages that your application is built with? If not, your engineers will become frustrated and confused as they waste their time trawling through Google for the right fix.
  3. Dashboards: they're not there just to look pretty, but to give a complete picture of your application's security posture.
  4. Vulnerability management: it's no good just finding vulnerabilities. They have to be ordered, presented and managed automatically for you in a way that helps your team assign accountability, collaborate where necessary and prioritise which vulnerabilities need to be fixed first.
  5. Is the vulnerability scanner user-friendly? Can your team initiate scans with just one click, or do they need to maintain different scripts and add plugins just to run a scan?
  6. Is the vulnerability scanner cloud-based, or does each of your engineers need to install different packages on their local system?
  7. Does the scanner work with your DevOps or CI/CD deployment pipelines and processes?

Choose a vulnerability scanner that will grow with your security goals

You'll notice that for some of these key considerations there is no right or wrong answer. For example, a cloud-based vulnerability scanning tool might not work for all corporate environments, some of which are heavily suspicious of cloud platforms!

On the other hand, it's absolutely crucial that the vulnerability scanner you choose has best-practices fixes that are relevant to your tech stack, along with an insight dashboard and full vulnerability management and collaboration features. 

It's not hard to find a vulnerability scanner that finds all your vulnerabilities. It is hard to find one that will also be easy to use, require almost zero setup and not slow down your software development team.

It's even harder to find a vulnerability scanner with features that will scale with your team, not just technically but also financially, without costing you an arm and a leg.

We know this because we conducted primary product research with respected security experts and software engineers around the world. Then we designed, built and enhanced our own web application vulnerability scanner, Cyber Chief. 

Click the button below to get your own free trial of Cyber Chief to see how it works in your environment, on your cloud software and for your software engineering team.
