The latest release of Acunetix introduces web asset discovery – a mechanism that lets you automatically find websites and web applications that could potentially belong to your organization. This lets you decide whether these assets need to be covered by your web application security processes.
Why Do You Need Asset Discovery?
Very small and/or recently founded organizations usually know every single web asset that they create and own. However, the longer the organization exists and the larger it grows, the bigger the chance that some assets get left behind.
As part of our initial research, we found that most mid-sized organizations, once they looked, found web assets they had not been aware of that still needed to be secured. The most common causes of web assets “going missing” were:
- Lack of lifecycle management for web assets. For example, marketing assets that are no longer relevant are left online.
- Lack of global security processes. For example, in a larger organization, a department may be creating web assets using a tool such as WordPress with most of the organization not realizing that these assets exist.
- Internal tooling. For example, a team or department may be using a web application for their internal processes but this application may be unknown to all other departments and might be accessible from outside the organization.
- Personnel changes. For example, an ex-employee might have created a promotional site for a campaign and failed to hand it over when moving on from the company.
- Mergers and acquisitions. Organizations find it very difficult to merge metadata for all owned web assets for all organizational units.
- External contractors. You might have hired an external contractor to build a website or web application for you and they may have left a test version of that website or web application publicly accessible outside your organization.
Why Do All Assets Need Security?
Even an out-of-date, minor asset may pose a major threat to security. For example, a WordPress-based site created for a campaign that took place 2 years ago, which is still publicly available on a dedicated domain rather than your business domain, may seem harmless, but it is not.
Let us assume that the abandoned WordPress site has a cross-site scripting (XSS) vulnerability. An attacker uses that vulnerability to create a major phishing campaign. The domain that you used in the campaign 2 years ago is, therefore, a tool for a major attack aimed at other businesses.
Another organization falls victim to the attack and orders a forensic investigation. The investigation reveals that a domain owned by your business was used in the phishing campaign. The organization that fell victim to the attack then sues you for damages as being an accessory to a crime.
The above scenario is exactly what happens if you leave unprotected assets lying around.
How Does Asset Discovery Work?
Publicly accessible web assets usually have some kind of information that can lead back to the potential owner. For example, if the web asset is available on a public domain, that domain may have registration information leading to the owner. If the web asset is available via a secure channel, the certificate may contain information leading to the owner.
Asset discovery in Acunetix continuously scans publicly available information and crawls the web to find any new assets that appear to be related to your business. Then, at your convenience, you can look through the list of identified assets and decide whether any of them should be treated as targets for Acunetix.
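The correlation described above (domain registration details and TLS certificate metadata pointing back to an owner) can be illustrated with a small triage script. The following is an added example written for this post, not Acunetix code and not how the product's discovery engine is implemented; the organisation profile, the hostnames and all registrant and certificate fields are constructed sample values, and the scoring weights are illustrative. It takes metadata already collected for candidate assets and ranks how strongly that metadata ties each one to your organisation so a reviewer can decide which ones to bring under the security process.

```python
import re
from dataclasses import dataclass, field

# Corporate suffixes carry no attribution signal on their own.
GENERIC_TOKENS = {"inc", "corp", "corporation", "ltd", "llc", "co", "gmbh", "plc", "sa"}


@dataclass
class OrgProfile:
    """What we already know about our own organisation (constructed example)."""
    name: str                         # legal / trading name
    known_domains: set                # domains already in the inventory
    email_domains: set                # domains used for staff e-mail


@dataclass
class DiscoveredAsset:
    """Metadata gathered about a candidate web asset (all fields optional)."""
    hostname: str
    registrant_org: str = ""          # WHOIS/RDAP registrant organisation
    registrant_email: str = ""        # WHOIS/RDAP registrant contact
    cert_subject_org: str = ""        # O= field of the TLS certificate subject
    cert_sans: list = field(default_factory=list)  # subjectAltName DNS entries


def name_tokens(text):
    """Lower-case word tokens of an organisation name, minus generic suffixes."""
    return {t for t in re.findall(r"[a-z0-9]+", text.lower()) if t not in GENERIC_TOKENS}


def under_domain(host, domains):
    """True if host equals or is a subdomain of any domain in the set."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def attribute_asset(asset, org):
    """Score how strongly the collected metadata ties the asset to org.

    Returns (score, reasons). Weights are illustrative, not calibrated."""
    score, reasons = 0, []
    org_tokens = name_tokens(org.name)

    if under_domain(asset.hostname, org.known_domains):
        score += 5
        reasons.append("hostname is under a domain already in inventory")
    if org_tokens & name_tokens(asset.registrant_org):
        score += 3
        reasons.append(f"registrant organisation '{asset.registrant_org}' matches")
    email_domain = asset.registrant_email.rpartition("@")[2].lower()
    if email_domain and email_domain in org.email_domains:
        score += 3
        reasons.append(f"registrant e-mail domain '{email_domain}' is ours")
    if org_tokens & name_tokens(asset.cert_subject_org):
        score += 2
        reasons.append(f"certificate subject '{asset.cert_subject_org}' matches")
    shared = [s for s in asset.cert_sans if under_domain(s, org.known_domains)]
    if shared:
        score += 4
        reasons.append(f"certificate also covers known names: {', '.join(shared)}")
    return score, reasons


def classify(score):
    """Bucket a score for the review queue."""
    if score >= 4:
        return "likely ours - review"
    if score > 0:
        return "possibly ours - review"
    return "no evidence"


def triage(assets, org):
    """Return {hostname: (score, verdict, reasons)} for a batch of assets."""
    out = {}
    for a in assets:
        score, reasons = attribute_asset(a, org)
        out[a.hostname] = (score, classify(score), reasons)
    return out


# Constructed sample data; none of these names or domains are real findings.
ORG = OrgProfile(name="Example Corp",
                 known_domains={"example.com"},
                 email_domains={"example.com"})

SAMPLE_ASSETS = [
    DiscoveredAsset("promo-2019.example-events.net",       # forgotten campaign site
                    registrant_org="Example Corp",
                    registrant_email="webmaster@example.com",
                    cert_sans=["promo-2019.example-events.net", "www.example.com"]),
    DiscoveredAsset("staging.contractor-demo.net",          # contractor test copy
                    cert_subject_org="Example Corp"),
    DiscoveredAsset("shop.unrelated.io",
                    registrant_org="Other Ltd",
                    registrant_email="admin@unrelated.io",
                    cert_subject_org="Other Ltd"),
]

if __name__ == "__main__":
    for host, (score, verdict, reasons) in triage(SAMPLE_ASSETS, ORG).items():
        print(f"{host}: {score} -> {verdict}")
        for r in reasons:
            print("   -", r)
```

The design point is that no single signal is decisive: a campaign site on a throwaway domain is caught because its certificate also lists a known hostname and its registrant contact uses the corporate mail domain, while a contractor's staging copy with only a matching certificate subject lands in the "possibly ours" bucket for a human to confirm. In practice the registrant and certificate fields would be populated from WHOIS/RDAP lookups and from the served certificate chain or Certificate Transparency logs, and the weights tuned to your own naming conventions.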
Asset discovery is already available for all Acunetix on-premises versions and will very soon be available in Acunetix Online. To test it, request a demo of Acunetix Premium.