Security Scanning Requirements: But Why!?
While various network security technologies are good at protecting the network layer, a web application can be considered a point of entry for a potential attacker. Web applications are programs ran through an Internet browser to allow people to fill out forms or to perform specific actions such as applying for hunting licenses. An insecure application can be used to compromise more than the information managed by that system alone. The insecure application can also be used to pivot the attack onto other systems and compromise information completely disconnected from that application’s scope. Hackers now target the web application layer by injecting attacks through the forms and fields that are open to citizens.
The South Dakota Bureau of Information and Telecommunication (BIT) requires the scans to not only protect the application in question but to protect the state infrastructure as a whole. (State infrastructure refers to the technology (hardware and software) that comprise the computer network, phone network, and connections to the Internet.) That is why BIT performs security scans for every web application or website deploying in a production environment (available for the public to use). These scans consist of attempts to gain control of the system or to gain access to the State’s data using a variety of tools and manual methods designed with one objective: attempt to exploit security vulnerabilities in an application in a safe test environment before it is deployed to the public.
As a general guideline, BIT normally (but does not always limit itself to) tests for the Open Web Application Security Project (OWASP) Top 10 vulnerabilities published at: https://www.owasp.org/index.php/Top_10_2013-Top_10. This is not an all-inclusive list— cyber security is a never-ending battle. The bad guys advance, security professionals counter, bad guys cross over—and so the cat and mouse game continues. There are always new threats and attack vectors and BIT adjusts in real time to confront these new threats.
The need to properly secure web applications is absolute. Knowing what vulnerabilities exist within a web application helps government divisions contain possible points of exposure and safe guard citizen's data.