If asked, “How often do you test your external attack surface,” a common response is the frequency of vulnerability scans. There are significant technical differences between scanning and testing, but the words are often used interchangeably. At what cost?
Active testing involves repeated interactions with a digital asset to reach success criteria defined by a test methodology. Active testing can be human-led, using multiple tools, with each test an evolution from the prior step. Active testing can also be automated, where the testing engine sends a payload to the asset at a pre-determined schedule and scope. The payload defines the success and all the steps needed to complete the test.
Active testing, including application security (for example, dynamic application security testing, or DAST), provides more risk insight, at a higher confidence, than software-version-based vulnerability scanning (also called “passive scanning”). Let’s look at some examples.
Passive scanning lacks depth and leaves many uncertainties. For instance:
Active testing provides validated results that uncover complex risks:
Night and day difference. Active testing verifies vulnerabilities are present, not just assumes them from the software version.
Active testing is the minimum level of risk detection and confidence your organization requires. But it can be difficult to accomplish at scale, even with most automated tools. Why? Let’s talk about that.
The external attack surface is complex and constantly changing. However, many organizations take legacy internal scanning approaches and apply them “from the outside.” Periodic vulnerability scans across known IP segments and annual pen testing of critical web applications may be useful within internal networks but aren’t nearly the frequency, coverage, or depth for externally exposed assets.
Some organizations see the deficiencies in this approach and purchase a legacy external attack surface management (EASM) solution, perhaps one tied to a bundled offering from a large security vendor. Unfortunately, nearly all of these EASMs use basic scanning techniques to both “find” assets and identify software-version-based vulnerabilities. The initial excitement of finding a new asset with a vulnerability quickly subsides as it becomes apparent that the lack of validated risk insight, high false positives, and volume of missed assets are not saving time nor helping reduce risk.
The 2023 Verizon Data Breach Investigations Report (DBIR) states your external attack surface represents the most targeted attack vector. To have any hope to maintain pace with risk, your organization needs more than a list of some assets with unpatched software. You need active test results across your full external asset inventory.
But it’s difficult. The external attack surface is a complex ecosystem that changes frequently. Before you can test, you first need to set the foundation with a list of assets and relevant context. This forms the first set of challenges:
Once the asset inventory is built, the next set of challenges begins:
Legacy testing tools often require extensive effort to crawl websites, build test policies, schedule, and monitor. Active testing, performed automatically, continuously, and without resource impact, is the clear path forward.
CyCognito solves the challenges of active testing across your external attack surface. First, we integrate our security testing engine with our asset inventory engine. This removes coverage gaps, eliminates delay, and allows our testing engine to tailor tests per asset. We then carefully perform the testing using a proprietary network of over 60,000 nodes spread across 100 countries. Resource impact levels are monitored carefully, including both load (“bandwidth”) and depth (the number of interactions), even for basic user actions such as fetching a homepage.
Figure 1 is a snapshot of the CyCognito Web Application Risk dashboard. The upper left is the total number of applications, which, when clicked, redirects to the web applications that make up the dataset. The middle graphic presents OWASP Top 10 results, which in this example, illustrate a high risk of injection attacks.
Figure 1: CyCognito Web Application Risk Dashboard
Figure 2 illustrates test insight available within the asset itself. CyCognito provides immediate visibility into security and risk posture, including an overview, security grade, number of issues, and unique CyCognito context “Discoverability” and “Attractiveness”.
Figure 2: Asset Details for a High Risk Web Application
Evidence is crucial for any IT Security Team. CyCognito captures screenshots of all web applications, regardless of risk posture, along with relevant metadata. An example is provided in Figure 3.
Figure 3: Example of Web Application Screenshot with Metadata
PII exposure is a concern for any organization. CyCognito active testing uncovers PII-based issues and includes a dashboard for PII risk, illustrated in Figure 3. On this dashboard, assets with PII are listed by organization (upper left), by discoverability (upper right) and even by field type (center right) are included. All data can be inspected further, directly through the dashboard.
Figure 3: PII Exposure Dashboard
The CyCognito platform provides comprehensive active testing, including DAST, without legacy complexities. Delivered as a SaaS, with no hardware or virtual instances to manage, policies to create, or assets to import, the CyCognito platform has low operational complexity and a high frequency of tests required for enterprise scale.
Looking for more information on how CyCognito uniquely solves external risk management challenges? Please read our Security Testing Technical Datasheet. If you are not a CyCognito customer and want to find out more about CyCognito and how we can help reduce your external risk using active testing, please contact us.
Jason Pappalexis has worked in cybersecurity for nearly two decades, holding roles across government security administration, third-party testing, solutions architecture, product management, and technical product marketing.
Download the report now to stay ahead of emerging threats and strengthen your organization’s security posture for 2024.
Download the report to learn about the historical trends behind the emergence of exposure management, how to develop a strategic plan and assemble a team to smoothly transition frameworks, and example tech stacks to consider for your organization.
Get a free scan of your attack surface and gain valuable insight into your organization's risk posture by allowing CyCognito to discover, contextualize, and test externally exposed assets on a portion of your parent company or a single subsidiary.
Discover insights on application security, exposure management and other key topics below.
The definitive guide to attack surface management. Learn everything you need to know to reduce your cyber security risk with attack surface management.
Exposure management is a set of processes which allow organizations to assess the visibility, accessibility, and risk factors of their digital assets.
Vulnerability assessment is the process of identifying, quantifying, and prioritizing vulnerabilities in a system.
Explore CyCognito modules ASM, AST and EI in the resources below.
Scalable, continuous, and comprehensive testing for all external assets, all the time.
CyCognito Automated Security Testing dynamically applies payload-based testing techniques across your entire external attack surface.
CyCognito Exploit Intelligence uses threat intelligence about attackers’ behavior and exploitability for enhanced prioritization.