Making the case for Web application vulnerability scanners

Organizations of all sizes use Web applications to deliver services and expand business processes. However, hackers are always searching for weaknesses within these online applications, as they can represent a gateway

    Requires Free Membership to View

into valuable back-end databases. With the advent of Web 2.0 features, including blogs, wikis, RSS and other advanced Internet technologies, Web applications are powerful, complex and constantly changing, increasing the likelihood of new vulnerabilities within an application.

To help developers track down and find potential security holes, there are a host of tools available called Web application vulnerability scanners. Their aim is to automate and speed up a process that, when performed manually, is a long and painstaking one. By crawling through a Web site and injecting various attack scenarios, scanners compare an application's responses against a database of security vulnerability signatures.

Despite their usefulness, Web application vulnerability scanners have not become a must-have for every development team, largely because of cost. Yet there are several good open source scanners available for free. In this tip, we'll examine a few other reasons for the holdup in Web application vulnerability scanner adoption.

1) So many choices
One problem many potential buyers have is that it's difficult to compare and choose among the different scanners. No one scanner seems to do it all, or match both budget and feature requirements for a particular application platform. Help is at hand in this area, however. The Web Application Security Scanner Evaluation Criteria are a planned set of guidelines to evaluate Web application security scanners on their ability to identify Web application vulnerabilities.

2) Web app scanners can only find so much
Scanners have not caught on in the enterprise, partly because they only find "well-known" network security flaws, ones that have been assigned a signature. Over-hyping what scanners can do has led to unrealistic user expectations. The tools cannot perform an entire vulnerability assessment on their own. Sure, they are great for finding common technical vulnerabilities, such as SQL injection flaws, cross site scripting vulnerabilities, parameter tampering, hidden field manipulation, backdoors, debug options and buffer overflows.

More information

Developers are in need of Web application security help. Senior News Writer Bill Brenner reports from CSI 2007. 

Learn about the new attacks that are targeting Web 2.0-based business applications.

Michael Cobb explains how to test an e-commerce Web site's security and privacy defenses.
But custom-written Web code Is another story. A Web site's custom application code is a dangerous point of insecurity, particularly if it uses Ajax, as each of its server-side functions represent additional attack points for hackers. With so many possible permutations of user and service interaction, these particular types of apps make it difficult to automate testing, since some vulnerabilities can pass through a scanner's checklist.

3) Scanners can't work alone
Until scanners can harness true artificial intelligence, they will always struggle to find certain categories of vulnerabilities. Scanners can only process syntactic information; they can't put the anomalies into context or make any normative judgments about them. Until the technology can improvise or draw intuitive conclusions, making analytical inferences to determine that data has leaked, for example, is never something that a computer is going to be able to detect. Only security experts can identify business logic flaws, because these types of vulnerabilities are contextual.

Finding a place for application vulnerability scanners
Application security scanners do have a role, though, in the secure application development life cycle. The tools can quickly find common programming errors, leaving more time for human code reviews and analysis. An ideal scanner has regular updates that help search for the latest known problems. Scanners should be usable throughout the application development lifecycle, not just on the finished product. To be effective, a scan should be able to utilize information it gathers to form the basis of the checks that follow. It should also allow a combination of manual and automated analysis. For example, by using a scanner that allows the viewing, changing and recording of HTTP/HTTPS requests and responses, developers can expose application behavior on-the-fly or during a later review. Finally, scan reports should be easily understood, and the scanner itself should be straightforward to use. There should also be clear guidelines on what the tool can and cannot check. These features are all available on different scanners, but no one scanner yet really has them all.

It's going to take time to learn and get the best out of a scanner, and developers tend to be over-stretched as it is. The cost of fixing vulnerabilities in a live production environment, however, suggests that the application testers are tools worth considering.

About the author:
Michael Cobb, CISSP-ISSAP is the founder and managing director of Cobweb Applications Ltd., a consultancy that offers IT training and support in data security and analysis. He co-authored the book IIS Security and has written numerous technical articles for leading IT publications. Mike is the guest instructor for several SearchSecurity.com Security Schools and, as a SearchSecurity.com site expert, answers user questions on application security and platform security.

This was first published in November 2007

There are Comments. Add yours.

TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.