Anyone responsible for application security across an entire organization inevitably wrestles with the same questions day in, day out: What assets are we exposing to the world? What risks does that exposure bring? What are the priority actions for addressing those risks? How do we remedy this stuff? And is there really no way to automate this cycle a bit more?
All this boils down to three main headaches: knowing your AppSec risks, being able to prioritize remediation, and getting proactive with your risk intelligence. Let’s see how using Invicti’s Predictive Risk Scoring feature can go a long way to easing those pains.
Under the hood of Predictive Risk Scoring on AppSec Serialized
The headaches of a CISO faced with an unknown and possibly unknowable attack surface in his new company are also the main focus of the short fiction story in episode two of Invicti’s AppSec Serialized podcast. The episode includes a discussion about the internals, development, and benefits of Predictive Risk Scoring with one of its creators, Bogdan Calin.
Listen to AppSec Serialized Episode 2: Machine Learning When the Perimeter Is Burning
What is Predictive Risk Scoring?
Predictive Risk Scoring is a proprietary technology used in Invicti DAST tools to passively examine discovered websites and applications for outward signs of security risks. Using a fast, custom-built machine learning model trained on known vulnerable sites, it looks at over 200 technology attributes of a site and estimates with a high degree of confidence how likely the site is to have serious vulnerabilities.
Headache #1: You don’t know what you’re exposing to the world
Ask any CISO exactly how many apps and API endpoints their organization is exposing to the public Internet and, in most cases, you will get a rough estimate rather than a definite and confident number. In addition to the sprawl and complexity inherent to building and deploying modern web applications, you’re also dealing with old versions that are still in production, test endpoints and sites that were never taken down, legacy projects that have “always” been there and are vital backend components even though nobody is sure how they work or who owns them… And if you don’t know what you have, it’s pretty hard to know your security posture and risk level.
Invicti’s Predictive Risk Scoring works in tandem with the web discovery feature. Automated discovery results show you detectable public-facing websites and applications associated with your organization (with additional manual fine-tuning if necessary). Predictive Risk Scoring then takes each discovered asset and passively examines it for tell-tale signs of a vulnerable site, assigning it an estimated risk score. Armed with those results, you can clearly see your web application attack surface and have a good idea of your potential weak spots—and that’s all before you even run your first vulnerability scan.
Separately from application discovery, Invicti solutions also include API discovery functionality—learn more about API discovery in Invicti Enterprise and our standalone API Security product, and join our weekly API Security demo to see it in action.
Headache #2: You don’t know which AppSec risks to prioritize
A common complaint about security tools is that they spit out a long list of results and leave you to deal with them, false positives and all. And even when you know which security flaws are real, deciding on remediation priorities can be a real problem, especially with limited resources. If you have a hundred security issues that superficially look similar and have similar severities, where do you start, and where do you go next?
Invicti DAST is known for cutting through false positives with proof-based scanning to show you which issues are real and exploitable. Predictive Risk Scoring applies that same philosophy even before you start scanning to flag sites that, based on their technologies and other indicators, are most likely to include vulnerabilities. This lets you clearly prioritize at each level: start testing from those high-risk sites and then start remediation from provably exploitable vulnerabilities in those sites. Following this tiered approach across each risk level, you can choose the sequence of operations that gives you the maximum risk reduction with your current resources.
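As an added illustration (not Invicti's code or model, which is proprietary), here is a toy Python version of the two ideas described so far: a decision tree learned from labelled site fingerprints that scores discovered assets on passively observed technology attributes, and the tiered remediation queue that puts proven-exploitable findings on high-risk assets first. The five attribute names, the training rows, the hostnames and the scan findings are all constructed for the example; the real model works on over 200 attributes and a far larger training set.

```python
"""Toy predictive risk scorer (added example, not Invicti's implementation):
a small CART-style decision tree over passive site attributes, trained on a
constructed labelled sample, then used to rank discovered assets and to order
remediation. Every name, attribute and label below is constructed."""

# Passive attributes observable without sending any attack traffic
# (constructed list, standing in for the product's 200+ technology attributes).
FEATURES = [
    "outdated_framework",        # framework version banner is end-of-life
    "exposed_admin_path",        # an admin console answers to the public
    "missing_security_headers",  # no CSP / HSTS / X-Frame-Options
    "debug_mode_banner",         # stack traces or a debug toolbar are visible
    "legacy_tls",                # TLS 1.0/1.1 still offered
]

# Constructed training set: (attribute vector, 1 = site was found vulnerable).
TRAINING = [
    ((1, 1, 1, 1, 1), 1), ((1, 0, 1, 0, 1), 1), ((1, 1, 0, 0, 0), 1),
    ((0, 1, 1, 1, 0), 1), ((1, 0, 0, 0, 0), 0), ((0, 0, 0, 0, 0), 0),
    ((0, 0, 1, 0, 0), 0), ((0, 0, 0, 0, 1), 0), ((0, 1, 0, 0, 0), 0),
    ((1, 0, 1, 1, 0), 1),
]
SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}


def gini(labels):
    """Gini impurity of a list of 0/1 labels (0.0 means pure)."""
    if not labels:
        return 0.0
    p = sum(labels) / len(labels)
    return 1.0 - p * p - (1.0 - p) * (1.0 - p)


def best_split(rows):
    """Index of the attribute whose yes/no split lowers impurity most, or None."""
    best_feature, best_score = None, gini([y for _, y in rows])
    for i in range(len(FEATURES)):
        left = [y for x, y in rows if x[i] == 0]
        right = [y for x, y in rows if x[i] == 1]
        if not left or not right:
            continue  # this attribute does not separate the rows at all
        weighted = (len(left) * gini(left) + len(right) * gini(right)) / len(rows)
        if weighted < best_score - 1e-12:
            best_feature, best_score = i, weighted
    return best_feature


def build_tree(rows, depth=0, max_depth=3):
    """Recursive learner; each leaf stores P(vulnerable) for its region."""
    labels = [y for _, y in rows]
    p_vuln = sum(labels) / len(labels)
    if depth >= max_depth or p_vuln in (0.0, 1.0):
        return {"leaf": p_vuln}
    i = best_split(rows)
    if i is None:
        return {"leaf": p_vuln}
    return {"feature": i,
            "left": build_tree([r for r in rows if r[0][i] == 0], depth + 1, max_depth),
            "right": build_tree([r for r in rows if r[0][i] == 1], depth + 1, max_depth)}


def risk_score(tree, attributes):
    """Walk the tree with one asset's attribute vector; returns P(vulnerable)."""
    node = tree
    while "leaf" not in node:
        node = node["right"] if attributes[node["feature"]] else node["left"]
    return node["leaf"]


def rank_assets(tree, discovered):
    """Score every discovered asset; returns [(host, score)] highest risk first."""
    scored = [(host, risk_score(tree, attrs)) for host, attrs in discovered.items()]
    return sorted(scored, key=lambda hs: (-hs[1], hs[0]))


def remediation_order(findings, asset_scores):
    """Tiered queue: proven-exploitable first, then severity, then asset risk."""
    return sorted(findings, key=lambda f: (not f["confirmed"],
                                           -SEVERITY_RANK[f["severity"]],
                                           -asset_scores.get(f["host"], 0.0),
                                           f["host"]))


# Constructed discovery results: hostname -> passively observed attribute vector.
DISCOVERED = {
    "shop.example.com": (1, 0, 1, 0, 1),
    "legacy-api.example.com": (1, 1, 0, 1, 0),
    "www.example.com": (0, 0, 0, 0, 0),
    "staging.example.com": (0, 1, 1, 1, 0),
    "docs.example.com": (0, 0, 1, 0, 0),
}
# Constructed scan findings; "confirmed" stands in for proof-based verification.
FINDINGS = [
    {"host": "staging.example.com", "issue": "SQL injection", "confirmed": True, "severity": "high"},
    {"host": "shop.example.com", "issue": "Missing CSP header", "confirmed": False, "severity": "low"},
    {"host": "legacy-api.example.com", "issue": "Reflected XSS", "confirmed": True, "severity": "medium"},
    {"host": "shop.example.com", "issue": "Possible open redirect", "confirmed": False, "severity": "medium"},
]
MODEL = build_tree(TRAINING)


def demo():
    """Returns (ranked assets, remediation queue) for the constructed data."""
    ranked = rank_assets(MODEL, DISCOVERED)
    return ranked, remediation_order(FINDINGS, dict(ranked))


if __name__ == "__main__":
    ranked, queue = demo()
    for host, score in ranked:
        print(f"{score:.2f}  {host}")
    for f in queue:
        print(f"{'PROVEN' if f['confirmed'] else 'unconfirmed':>11}  {f['severity']:<7} {f['host']}: {f['issue']}")
```

The learned tree is deliberately shallow and the leaf values coarse; the point is the pipeline shape: attributes that can be gathered without attacking anything feed a classifier, its output orders where active scanning starts, and once scan results exist the queue flips to proof first, with the predicted asset risk only breaking ties.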
Headache #3: You need to actively check up on your security posture
Most organizations don’t really know their security weak points until they commission an external test. In the worst case, some only learn about existing vulnerabilities when one gets exploited and they have a data breach. In a perfect world, each application would only enter production after thorough security testing, and every app and API endpoint would be recorded and tracked in a central inventory. But reality can be messy, making it essential to actively test and audit your own application environments on a regular basis if you want to be proactive and prefer preventing incidents to responding to them.
With Predictive Risk Scoring, you get your first estimate of security posture before running a single test, which is a pretty unique ability. Being closely tied into Invicti’s discovery feature, Predictive Risk Scoring runs and reruns automatically every time your discovery results are reloaded, giving you a hands-off layer of security vetting that runs in the background every single day. When coupled with SDLC integration and scheduled scanning in a continuous process on the Invicti platform, this lets you clamp down on security risks long before they can cause serious problems.
Bonus headache: You’re always being asked how you’re using AI to improve security
For the past few years, questions like “How are we using AI to increase efficiency in our organization?” have probably been asked in every department of every company, and security is no exception. The difference with security is that you can’t afford the equivalent of a six-fingered hand in your results because you could either miss a legitimate threat or waste your team’s time on vague or false reports.
The best way to answer this question is to step back and pick the right tool for the job. While LLMs and other generative AI tools are fashionable and accessible, reasoning based on large data sets is a job for machine learning (ML), which is a much more mature and reliable branch of artificial intelligence. Predictive Risk Scoring uses a custom-built decision tree model trained on real-life site data to deliver a very specialized and very fast solution to a specific problem. It does what any experienced pentester would do before starting testing—but can do it many times a second, 24 hours a day. Now that’s a smart use of AI in security.
Get in touch to see Predictive Risk Scoring in action on the Invicti unified platform