Daily news of website breaches brings testing inadequacies to the fore. Web app owners can now bring together automated vulnerability scanning and penetration testers for zero false positives.
At the recent FT Cyber Security Summit, it was reported that the number of cyber-attacks against financial services groups has soared in the past couple of years, with 75 attacks being reported to the Financial Conduct Authority (FCA) this year, compared with just five the whole of 2014.
That’s a huge 1400% rise, which underscores the scale of the threat that the financial sector and its regulators are grappling with. In addition, the high-profile attacks on the central bank of Bangladesh and related payment-system hacks demonstrate that this is a truly global issue, no respecter of international jurisdictions or boundaries.
Increased scrutiny on financial services
The FCA has stepped up its scrutiny of financial services’ defences against hacks, and large lenders were put on notice in 2015 that if their defences are weak, they could be forced to set aside more capital to cover the additional risk. Lloyds Banking Group was the first big UK bank to complete the Bank of England’s cyber-stress test, dubbed the Hackining Onslaught, headed up by the Financial Policy Committee.
The FCA is now turning its attention to a wider group of companies, no matter their size. All companies are obliged to inform the regulator about any known hacks and are expected to be able to identify them in a timely manner. The reality is that even the smallest firm holds large quantities of sensitive data which, if compromised, could then have a ripple effect to other areas of the financial sector and, indeed, businesses more broadly.
So what can enterprises do to tighten up their IT security before the regulators come knocking? There are two broad options – automated vulnerability scanners or penetration testers.
Unfortunately, many automated security scanners too often throw up false positives. A good example of this was a demo at the Nullcon security conference in Goa, India, earlier this year, where an automated scanner was pointed at a wide range of enterprises – and even the scanner’s “best” result produced around 50% false positives.
The second option is to use penetration testers. However, these experts are beyond the means of most small to mid-sized website owners, with some firms quoting US$1200 for a single web application test. Higher costs for organisations with larger apps are inevitable, and they would ideally need to employ penetration testers on a continuous basis.
Market buoyed by sophisticated hacking techniques and IoT
Although difficult to scale, costly and often hard to set up, penetration testing is on the rise. The market is expected to grow from US$594.7 million in 2016 to US$1,724.3 million by 2021, a compound annual growth rate (CAGR) of 23.7% over the forecast period. The major growth drivers include the increasing sophistication of attack techniques as web and cloud-based business applications are more widely deployed, and the need to meet compliance requirements.
The growing security needs of the internet of things (IoT) are also buoying the industry. Wireless penetration testing is expected to see the highest CAGR in the global penetration testing market over the period 2016 – 2021.
New hybrid approach for web security
As the City makes a concerted effort to beat hackers, financial institutions increasingly have the budget to deploy penetration testing services. However, purely manual services generally prove too costly in man-hours, and although demand for cloud-based services is rising (for example, ethical hacking as a service), there is always a concern with ethical-hacking databases about the background of the hackers involved.
This is where the concept of real-time hybrid web application security testing can help. Managed as an online service, it combines vulnerability assessment with ethical hacking. By adding a manual element to the security assessment process, this hybrid approach seeks to eliminate false positives, increase testing accuracy, and detect complicated web vulnerabilities that automated vulnerability scanners miss.
An example of the approach for small to medium-sized web apps is web security company High-Tech Bridge’s ImmuniWeb. On-demand penetration testing packages at different levels (depending on web app size) deliver verified vulnerabilities with manually tested exploits and tailored fixes.
Auditors carefully examine every vulnerability and its related risks in order to suggest the most appropriate and efficient patching technique, and remediation guidelines are written in a straightforward and simple manner. For ongoing requirements, either to supplement testing consultancies’ efforts or to boost in-house teams, on-demand penetration testing is available in a continuous format, with 24/7 managed web vulnerability scanning.
It’s almost certain that this hybrid model will continue to develop and grow, as it offers an enviable balance between the high cost and complexity of the traditional pen testing market and the more cost-effective but less regulated cloud model. The market for fighting cybercrime is certainly guaranteed well into the future and, based on the current rising tide, set to grow exponentially. Whatever the industry sector, the time to take proactive measures and secure business-critical applications and sites is now.
Written by Cecilia Rehn.