Security is not only a competitive edge, it’s a must. Companies will soon be compelled to implement a holistic security approach to keep up with the user demand of more secure services. But staying on top of web security in an ever-changing environment can be a great challenge for anyone. We believe that the most successful way to stay safe as a company is to integrate security into the development process. If you seamlessly add security as a continuous element during planning, development, testing and production, you are ahead of many other companies.
However, integrating security manually into all these phases would be very time-consuming and problematic, which is why you need to add systems and services that monitor the development cycle for you, so that you do not need to spend all your time worrying about security. Detectify is an example of a security service that works uninterruptedly in the background, analyzing your website and reporting back to you with actionable reports of the identified security issues. It fits seamlessly into the development cycle, so that your dev teams do not need to spend a lot of time setting up another complicated new tool.
It is worth repeating; security is not a one-man-show, so make sure to invite as many stakeholders as possible into the process. It will make it easier to raise awareness and change the company mindset to work more actively with security. Talk about security in a way that everyone in the organization understands. Highlight the benefits that come with a security-conscious organization.
In discussions with the CMO, you might want to mention how you will stay one step ahead of the competitors, increase customer loyalty and avoid the negative PR that a hacker attack can cause. When talking to the Head of Development, team leaders or developers, try pointing out how easy it is to integrate security services like Detectify into developers’ existing sprints and agile work routines. Clarify that the (already busy) team will not be swamped with yet another service. When speaking to the CIO, point out how all studies show that security and automation are two important and growing areas to invest in to keep your IT infrastructure safe. Everyone in the organization will benefit from adapting a security-focused way of working.
It is useful to review your current situation already in the planning phase. Go over your entire IT infrastructure and re-consider what kinds of facilities and services you need. Based on your conclusions, you will need to consider if you have the right internal processes in place and if you have sufficient tool support to identify, organize and prioritize your security work.
This guide is, however, focused on implementing web application security, so let’s move on to that.
We highly recommend using a dedicated service to continuously monitor your website security. Many of the solutions out there do not have web security as their core business, and therefore do not update their services with new vulnerabilities frequently, which is essential in order to stay as safe as possible When choosing a web security service, make sure it covers OWASP Top 10.
Detectify specializes in web security and if you choose to use us to monitor your website’s security, our customer success managers are more than happy to help you with training, account setup and making you successful with our service. Just send us a short note at hello[at]detectify.com if you want help to get started or sign up for a 14-day free trial. We have tons of best practices from working with all types of industries and organizations and can easily help you navigate through the security jungle.
The first step when setting up your Detectify account is to define your target and its scope. Detectify allows you to configure test profiles to help you make sure that you cover all aspects of your application. As an example, you can have one profile where you log in to the tool and one profile that examines the site as an external, non-logged in, visitor. The tests can also be set up differently to match predefined goals.
There’s a few more things to think about when setting up an account in order to get the most out of Detectify. For instance, to scan your entire domain, you will need to add your target(s) without including “www”. If your domain is “www.example.com” and you want to scan the entire domain and not only the top domain, you should add “example.com”, and by doing so, we will also cover your site’s subdomains. This results in a larger scope and therefore more secure coverage.
For more information on setting up your account, watch our demo.
Detectify believes in making security an integrated part of the development process to avoid releasing unsecure services to the public. We have therefore made it possible to scan staging sites on local environments by using ngrok. By doing so, your development team can work on resolving possible vulnerabilities during the development process instead of doing it after release. Not only will this result in a less stressful release, it will also make security something that is on top of mind when writing the code. As we all know, the IT infrastructure will differ between the staging and production environment. Therefore we recommend that you perform a test as soon as the release is live.
After going live, you will still need to test your production site continuously for possible threats. New vulnerabilities turn up every day, and Detectify adds new vulnerabilities to the scanner on a continuous basis. This is why the default setting when adding a new target to the service is to monitor and scan your site every 7 days.
Security is a continuous effort rather than a one-off project. Your application will most likely not remain static and unfortunately, black hat hackers constantly invent new attack strategies that can make your site vulnerable. Therefore, we recommend you run routine tests with Detectify. Our recommendation is to do them on a weekly basis. You can always complement the scheduled tests with one time scans whenever you need to test certain aspects of your application.
Make sure that the findings are added to the next sprint planning. This way, you make sure to always stay on top of your security as we constantly update the tool to cover new attack vectors.
The security reports are downloadable and easily shared. By inviting your coworkers to Detectify and granting them view access, you can enable your whole team to review findings. Being transparent, talking regularly about security and learning from each other is essential to become better and more secure. Do not let the results be a waste, make sure knowledge and best practices are passed on to everyone concerned. Our security expert and ethical hacker Frans Rosén often mentions Google as a great example of security teamwork, as it is practically impossible to find the same vulnerability on Google twice. Try to have the same mindset as them!
In addition to downloading the results in PDF-format, Detectify can also be integrated with the most common developer tools such as Slack, HipChat, PagerDuty and Trello. By integrating Detectify directly into your infrastructure you will get notified when vulnerabilities are found and keep people informed about the latest security issues on a regular basis.
Stay tuned on our blog, our twitter (@detectify) and sign up for our newsletter through the opt-in field in the sidebar to get more security news. And if you have any ideas, feedback or any comment, do not hesitate to reach out to us to start a dialogue.