I believe that web security incidents and breaches begin and end with proactive security testing, as proper web-focused...
vulnerability and penetration testing are key elements for minimizing web-related risks.
As important as it is, we still don't take this aspect of security seriously enough. It's easy to get caught up in -- and blame -- culture, politics and, perhaps most of all, management when you feel like you don't have the proper support to find and resolve web vulnerabilities. These areas are formidable barriers to web security testing, but there's more to it.
If you're going to find the web security vulnerabilities that count, you must know what to expect and how to use the proper testing tools -- it's not just point and click. And most of the things that you learn will never come from the web vulnerability scanner vendors themselves.
Of the thousands of websites and applications that I have tested over the past two decades, here's what I've learned that can make or break your web security testing efforts and outcomes:
- There's a difference between a traditional network vulnerability scanner that can perform web-related checks and a dedicated web vulnerability scanner. The former can easily find web server configuration flaws and perhaps a few pages worth of cross-site scripting, but that's usually the extent of it.
On the other hand, dedicated web vulnerability scanners will find these items, but also many other -- and more confirmed -- flaws, such as SQL injection, parameter manipulation and HTTP redirection. These web-centric vulnerability scanners also have additional built-in tools, such as HTTP editors, proxies and the means for automating exploits that you won't find in traditional scanners.
Based on my experience, if you're not running vulnerability scanners that are dedicated to testing websites and applications, then you haven't properly tested your web environment.
- Running a single web vulnerability scanner is not enough.
As much as it can hurt the budget and complicate the process, it's the truth. I have found time and again that you simply cannot rely on the results of just one tool. There's often some overlap, but different web vulnerability scanners tend to find many different things; it's frustrating, but also something we must work with.
I haven't been able to pinpoint why this occurs, but I have learned that some scanners are just better at certain things than others. For example, some have nearly perfected the process of uncovering cross-site scripting, while some are much better at finding and exploiting SQL injection or even at testing .NET-based applications. Other scanners are better at looking at Java or PHP-based systems. Since they all have nuances, you should try out different scanners and see which best matches your specific environment.
- Testing a website or application from just one perspective is inadequate. Although web vulnerability scanner vendors provide you with the option to do unauthenticated and authenticated testing, in my opinion, you really need to do both.
Many people take the path of least resistance by simply doing unauthenticated testing. However, testing from the internet without authentication will provide one set of results, and testing with user authentication will provide yet another set of results. Likewise, testing with different user roles can provide entirely different outcomes, and testing while whitelisted on your firewall, intrusion prevention system or web application firewall can also uncover new things.
If you're going to uncover all of the security issues that you can, you have to approach your web testing from all possible angles. Criminal hackers don't leave anything on the table, and neither should you.
- False positives are still a problem. It's a fact of life -- not just with web vulnerability scanners, but also with other security tools, including basic port scanners. With results all over the map, including false negatives or missed vulnerabilities, you cannot proclaim that you know the true status of your web application environment by running scans alone. You have to be the expert with the final say regarding whether or not something is a problem or if it was missed altogether.
Since web vulnerability scanners are not going to find every vulnerability -- or even half of them -- not only do I use scanners to find the flaws that I would never otherwise find, but I also have a set of criteria that I use to check web login mechanisms, account management, and business workflows or logic. I may be wrong, but I can't imagine that any web vulnerability scanner will ever be smart enough to test for these things. Manual testing is a must.
- You're not going to know half of what the scanner can do until you dig deeper. The process of digging deeper requires knowledge and resources from your web vulnerability scanner vendor, as well as YouTube channels, blogs, tech support and good old-fashioned documentation. Things that would otherwise take you years to figure out can be learned within hours of perusing online resources -- use them to your advantage.
- After you run enough web vulnerability scans, you'll see the pros and cons of each tool, along with the quirks that you have to endure to get your work done.
Vendors often stay silent about it, so it's a little-known fact, but, if you provide them with feedback on how the tool isn't working in the best interests of its users, they'll usually listen. Odds are good that if the issue is relevant enough, you'll see your own feedback enhance new features in the product. I've witnessed this myself, and it's pretty cool.
I don't want to downplay the value of web vulnerability scanners, as we are better off with them. These tools have helped me tremendously in my work in terms of finding flaws that I'm not smart enough -- or don't have enough time -- to uncover. People who don't use them periodically and consistently over time as part of their development lifecycle and vulnerability management program are truly missing out.
Try several scanners, find the best fit and use at least two of them. If you combine this approach with the above tips and ensure quick remediation efforts, then you'll have addressed the 20% of the web security flaws that are creating 80% of your challenges -- a small price to pay for such a huge return.