VULN-05

Do you regularly scan for common web application security vulnerabilities (e.g., SQL injection, XSS, XSRF, etc.)?

Explanation

This question is asking whether your organization regularly conducts security scans specifically targeting common web application vulnerabilities. These vulnerabilities include:

1. SQL Injection: where attackers can insert malicious SQL code into database queries through web inputs.
2. Cross-Site Scripting (XSS): where attackers can inject malicious scripts into web pages viewed by other users.
3. Cross-Site Request Forgery (XSRF/CSRF): where attackers trick users into performing unwanted actions on a site they're authenticated to.

The question is being asked because web applications are common attack vectors, and these particular vulnerabilities appear consistently in security threat lists like the OWASP Top 10. Regular scanning helps identify these vulnerabilities before they can be exploited by malicious actors. In a security assessment, this demonstrates your proactive approach to security and shows you're following industry best practices for vulnerability management. Assessors want to know you're not just reacting to security incidents but actively looking for potential problems.

To best answer this question, you should:

1. Clearly state whether you perform these scans.
2. Specify the frequency (weekly, monthly, quarterly).
3. Mention the tools used (commercial or open-source).
4. Describe your remediation process for found vulnerabilities.
5. Note if the scans are performed internally or by third-party security firms.
6. Mention if you perform both automated scanning and manual penetration testing.
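The three vulnerability classes named above, shown as the code pattern a scanner would flag next to its hardened form. This is an added example, not part of the ResponseHub page or of any tool it mentions; the users table, the session dictionary and all function names are constructed for the demonstration.

```python
"""Added example, not from the original page: the three vulnerability classes
named in VULN-05 as they appear in code. Each is shown as the pattern a scanner
flags next to its hardened form. The users table, the session dict and every
function name here are constructed for the demo."""
import html
import hmac
import secrets
import sqlite3


# --- SQL injection -----------------------------------------------------------

def make_db():
    """Constructed in-memory table standing in for the application's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users (name) VALUES (?)", [("alice",), ("bob",)])
    return conn


def lookup_user_vulnerable(conn, name):
    # User input is spliced into the SQL text, so the input is parsed as part of
    # the statement. A single quote in the value is enough to break the query,
    # which is exactly the symptom an error-based scanner check looks for.
    return conn.execute(f"SELECT name FROM users WHERE name = '{name}'").fetchall()


def lookup_user_safe(conn, name):
    # Parameter binding: the value travels separately from the SQL text and can
    # only ever be compared as data, never parsed as SQL.
    return conn.execute("SELECT name FROM users WHERE name = ?", (name,)).fetchall()


def sqli_probe_breaks_query(conn):
    """True if a value containing a quote makes the vulnerable query fail."""
    try:
        lookup_user_vulnerable(conn, "o'brien")
    except sqlite3.OperationalError:
        return True
    return False


# --- Cross-site scripting ----------------------------------------------------

def render_greeting_vulnerable(display_name):
    # Untrusted text placed into HTML unencoded: any markup the user supplies
    # becomes part of the page other users see.
    return f"<p>Hello, {display_name}</p>"


def render_greeting_safe(display_name):
    # Output encoding for an HTML text-node context turns markup characters
    # into entities, so the browser shows them instead of interpreting them.
    return f"<p>Hello, {html.escape(display_name)}</p>"


# --- Cross-site request forgery ----------------------------------------------

def issue_csrf_token(session):
    """Store a random per-session token server-side; the form embeds the same value."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def verify_csrf(session, submitted):
    """Accept a state-changing request only if it carries the session's token."""
    expected = session.get("csrf_token")
    if expected is None or submitted is None:
        return False
    # Constant-time comparison so the check itself does not leak the token.
    return hmac.compare_digest(expected, submitted)


def demo():
    """Run all three checks and return the observations a report would record."""
    conn = make_db()
    session = {}
    token = issue_csrf_token(session)
    return {
        "sqli_vulnerable_breaks_on_quote": sqli_probe_breaks_query(conn),
        "sqli_safe_handles_quote": lookup_user_safe(conn, "o'brien"),
        "xss_vulnerable": render_greeting_vulnerable("<b>Bob</b>"),
        "xss_safe": render_greeting_safe("<b>Bob</b>"),
        "csrf_accepts_valid": verify_csrf(session, token),
        "csrf_rejects_missing": verify_csrf(session, None),
        "csrf_rejects_foreign": verify_csrf({}, token),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

Running the file prints one line per observation. Automated scanners such as the ones named in the example responses find the first two patterns from outside the application by sending inputs like these and inspecting the response (a database error, or markup reflected unencoded), while a CSRF finding is typically raised when a state-changing form carries no such token at all; the remediation in each case is the hardened form shown alongside.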

Guidance

Ensure that all elements of VULN-05 are clearly stated in your response.

Example Responses

Example Response 1

Yes, we conduct comprehensive web application security scanning on a weekly basis using both Acunetix and OWASP ZAP automated scanning tools. These scans specifically target SQL injection, XSS, CSRF, and other OWASP Top 10 vulnerabilities. Additionally, we engage a third-party security firm to conduct quarterly manual penetration testing to identify vulnerabilities that automated tools might miss. All identified vulnerabilities are tracked in our vulnerability management system, prioritized based on CVSS scores, and remediated according to our SLAs: Critical (24 hours), High (7 days), Medium (30 days), and Low (90 days). Scan reports are reviewed by our security team, and remediation progress is reported to executive management monthly.

Example Response 2

Yes, our DevSecOps pipeline includes automated security scanning for web application vulnerabilities at multiple stages. During development, developers use pre-commit hooks with OWASP Dependency Check and SonarQube to identify vulnerabilities in code and dependencies. In our CI/CD pipeline, we run OWASP ZAP scans against staging environments before deployment to production, specifically targeting SQL injection, XSS, CSRF, and other common web vulnerabilities. Additionally, we use Burp Suite Enterprise for continuous scanning of production environments on a bi-weekly schedule. Our security team reviews all findings, and vulnerabilities are tracked in Jira with remediation SLAs based on severity: Critical (48 hours), High (1 week), Medium (2 weeks), and Low (next sprint).

Example Response 3

We currently do not have a regular program for scanning web applications for security vulnerabilities like SQL injection, XSS, or CSRF. While we understand the importance of such scanning, our organization has limited security resources and has prioritized other security controls first. We do perform general vulnerability scanning of our infrastructure quarterly using Nessus, but these scans don't specifically target web application vulnerabilities. We're planning to implement a web application security scanning program in the next fiscal year and have budgeted for tools and training. In the meantime, we rely on secure coding practices and code reviews to minimize the risk of introducing these vulnerabilities, though we recognize this is not as comprehensive as regular scanning would be.

Context

Tab: Infrastructure
Category: Vulnerability Management

ResponseHub is the product I wish I had when I was a CTO

Previously I was co-founder and CTO of Progression, a VC backed HR-tech startup used by some of the biggest names in tech.

As our sales grew, security questionnaires quickly became one of my biggest pain points. They were confusing, hard to delegate and arrived like London buses - 3 at a time!

I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.

Neil Cameron
Founder, ResponseHub