Automated vulnerability scanning is sufficient
No, unlike SSL testing for example, fully-automated vulnerability scanning is not enough for modern web applications. Recent research from NCC group compared various vulnerability scanners, and even the best of them had about 50 percent of false-positives. Researchers from MIT's Computer Science and Artificial Intelligence Laboratory confirmed that neither humans nor Artificial Intelligence has proven successful at maintaining cybersecurity on their own, and proposed a combination of human and machine to achieve the highest results. This is why the leading cybersecurity companies that used to rely on automation, now partner with companies that develop hybrid vulnerability detection technologies. Yes, you should automate as much as you can, but you cannot automate everything.
Penetration testing is the ultimate way to test web security
No, because penetration testing is not scalable and cannot be used in a 24/7 continuous mode. Even if you can afford monthly penetration testing, nobody can guarantee that within the 30-day period no zero-days will go public, or your web developers will not make a dangerous error in the code.
Penetration testing can perfectly complement your continuous monitoring, but it can never replace it. This is why MIT folks say that the future belongs to hybrid systems that combine 24/7 continuous monitoring leveraging machine-learning, but supervised and managed by humans.
WAF can reliably protect web infrastructure
No, even being a must-have technology to prevent simple and automated attacks,WAF cannot prevent exploitation of all the vulnerabilities. Application logic, access control, chained vulnerabilities, authentication and data encryption issues are not the vulnerabilities your WAF can reliably detect and prevent.
High-Tech Bridge performed a detailed research on ModSecurity WAF to demonstrate that some complicated flaws, such as Improper Access Control and CSRF, can be patched via WAF, however it will take so much time and manual efforts that it doesn't make sense to use WAF for this purpose. Otherwise, in the epoch of agile and JIT software development, you always have to select - either your WAF will block some of the legitimate customers and you will lose your money, or it will overlook some of the attacks allowing hackers to get in. And yes, currently fashionable RASP solutions have similar and even worse problems than WAFs.
Yan Borboën, partner at PwC Switzerland, MSc, CISA, CRISC, comments: "Cyber defense is not only a technological problem which needs to be solved by CISO. All companies' stakeholders (Board of Directors, C-Levels) must be involved in the cyber defense in order to obtain the right mix between technologies, processes, and people measures. Moreover, in our PwC's Global Economic Crime survey 2016, we noted that 63% of respondents have not a fully operational incident response plan, even we all know that in today's business landscape, information security incidents are a question of "when", not "if". This would be also a myth that I would recommend companies to tackle. Incidents will happen at your company, so be prepared."
Sign up for CIO Asia eNewsletters.