Robots vs humans
One guardian of the crown jewels, the web developer, must reduce the possible attack surface to an acceptable risk level. When fully focused on application design, it is hard to imagine how creative attackers can be. For ethical hackers, though, that is their day job. They search through the dark web to understand the logic of attackers, to identify the tools attackers use, which vulnerabilities attackers discuss and what skills attackers look for. They are just like undercover policemen patrolling streets, bars and nightclubs and collecting intelligence about underground activities. While automated scanners can point to a potential vulnerability, ethical hackers also search the dark side of the web for traces that those vulnerabilities are actually being exploited. Two automated scanners that I tested, from BeyondTrust and Qualys, detected an XSS-vulnerable page on the target web site. However, the code provided in the assessment report was not easily reproducible.
It required the skills and time of an engineer from our information security team to verify whether that XSS vulnerability was exploitable and how difficult exploitation would be. For an organization with hundreds of web sites and thousands of web pages, manual verification of each XSS vulnerability would require significant resources. For a small company without the internal skills for such verification, it would mean contracting expensive consultants. The ImmuniWeb assessment detected more XSS-vulnerable pages on the same target web site, pages that the automated scanners had missed entirely. More importantly, the proof-of-concept scripts provided in the assessment report are easily verifiable even for a non-technical person. It is a matter of clicking a link in the report that opens the vulnerable web page with a pop-up message to illustrate what the exploit looks like. The ImmuniWeb assessment goes one step further. It also provides information on where and when the vulnerable web pages were listed on hackers' forums. There is no need to highlight the criticality of the vulnerability and the importance of fixing it when one is presented with such a report.
Vulnerabilities represent only one part of the risk. Threats are the other component of the risk equation. External threats to web applications are on the rise and represent the top priority of information security managers, as reported by the OWASP CISO Survey. While there is a long list of tools on the market to assist in identifying vulnerabilities, nothing can yet replace a human in identifying actual threats. With data breach reports pointing to exploits that went undetected for years, it is clear that better threat intelligence is needed. Security in depth is important, just like burglar alarms, but human-generated reports such as the Hacking Resource Monitor module of ImmuniWeb introduce another dimension to the perception of risk. It definitely makes me sleep better at night. I will also mention this to my sushi chef when I stop by his shop next time.