My organization doesn't have the kind of budget needed to thoroughly check our Web applications for security flaws, but I've seen that one vendor is launching a free service that promises to scan for Web application vulnerabilities. Are free services going to be enough to help us assess our Web applications, or is more needed?
Ask the Expert!
SearchSecurity expert Michael Cobb is standing by to answer your questions about enterprise application security and platform security.
Building Web applications without a suitable security budget is an extremely risky undertaking. Sensitive company and customer data could be put at risk if a Web application is not built to withstand constant attack. A poorly designed and developed application could put an organization in breach of various standards, depending on the regulatory environment in which it operates. If a bigger budget for security really can't be found -- by paring the user interface design budget, for example -- then there are plenty of open source and free Web application security scanning tools that can be used to improve the overall security of an application.
The free Web application vulnerability scanner Vega runs on Linux, OS X and Windows. The open source tool includes an automated scanner for quick tests and an intercepting proxy to inspect HTTP requests and responses. Like most scanners, it will help find SQL injection and cross-site scripting vulnerabilities, the two main flaws exploited by hackers. The Netsparker Community Edition scanner gives possible solutions for any issues it finds. Skipfish is a tool that can spot a range of flaws. It works slightly differently from most scanners by preparing an interactive annotated sitemap, which provides a great starting point for a deeper security assessment. Another useful scanner to try is Wapiti, which tests for a variety of injection-based vulnerabilities. However, it has to be run from a terminal, as it currently lacks a GUI.
The disadvantage of a Web application vulnerability scanner is that it can only be used after the application is built. Static code analysis tools, on the other hand, can discover coding flaws earlier in a project. RIPS is one such tool that is free and can find vulnerabilities in PHP applications.
For Web applications developed using Microsoft tools, Microsoft provides many free resources to help developers design and build secure applications. The Microsoft Security Development Lifecycle (SDL), a software development security assurance process, is a good starting point and has links to free tools such as Attack Surface Analyzer, Threat Modeling Tool and both file and regular expression fuzzing tools. Implementing the full SDL is quite onerous, so smaller development teams should look at the Simplified Implementation. Even this version has sixteen mandatory security activities, though, which should be taken as a minimum standard before an application is put into service on the Internet. If applications are developed using an Agile-based approach, the Security Development Lifecycle for Agile Development document provides guidance on how SDL tasks can be mapped into an Agile development process.
Attackers quickly find online applications that have known vulnerabilities and attack them. Even if the only data that your application stores is user login credentials, this is still of value to hackers. The same credentials will often provide access to sites holding more valuable information. There are enough free resources on the Internet to enable even those development teams with a restricted budget to build a robust application, though the extra effort needs the support of senior management if it is to succeed.
This was first published in August 2013