Finding web app vulnerabilities earlier saves time and money, says WhiteHat

By finding vulnerabilities earlier in the systems development life cycle (SDLC), companies can improve their overall web application security. Vulnerabilities identified in the development stage can be remediated by developers at a much lower cost than after the site goes live, Pennington said.

The WhiteHat chief strategy officer told Infosecurity that customers with more than one or two websites have a lot of security vulnerabilities to deal with. “What we find is that the number of inputs in a given website that are vulnerable is about 1%”, he said.

“Web application vulnerabilities are the number one attack vector bad guys are using to attack companies today”, Pennington said.

To provide web application vulnerability data prior to production deployment, the company is introducing its Sentinel PL product, which finds vulnerabilities throughout the pre-production phases of the SDLC.

The Sentinel PL product is designed to fit into a company's existing development cycle rather than requiring it to work around inflexible vulnerability assessment tools or processes, explained Ravi Iyer, product specialist at WhiteHat.

“We have been hearing from our customers that it would be great to catch vulnerabilities before they go into production. Our customers love the fact that we provided verified vulnerabilities, which means no false positives. They wanted us to keep that… And they wanted this done within a three-day time period”, he told Infosecurity.

“Fixing problems in the production cycle costs a lot more than fixing them in the development environment. A key driver is costs”, Iyer added.

Sentinel PL offers tests that developers can customize for timing, unit-testing specific areas of the site, or targeting particular vulnerabilities such as cross-site scripting, he said.

By assessing pre-production sites before new code is deployed to production, Sentinel PL reduces overall remediation costs and lowers risk before the site is pushed to production and exposed to potential security threats, Iyer said. “The earlier you find a problem and fix it, whether it is a security bug or some other bug, the less your costs are”, he added.