Our organization has tons of Internet-facing Web applications with custom code, and we don't have a formal application...
security testing program. I don't see that changing anytime soon. What's the best way to test the security of Web applications without spending a lot of (or any) money?
There are plenty of open source and low-cost resources that can be used to test the security of Web applications, though security teams will need time to learn exactly how to best use them and how to complete a full scan of all of an enterprise's Web applications.
Vega is a free and open source Web application scanner and testing platform that runs on Linux, OS X and Windows. It includes an automated scanner for quick tests and an intercepting proxy to inspect HTTP requests and responses. Like most Web application scanners, it will help find SQL injection and cross-site scripting vulnerabilities -- the two main flaws exploited by hackers.
Wapiti is another open source tool that scans the pages of a Web application, looking for scripts and forms to test for various injection-based vulnerabilities. Another free Web application scanner, Skipfish, works slightly differently as it generates an interactive site map annotated with the results of a number of security checks, allowing security teams to prioritize where more detailed analysis is needed. Netsparker offers a free Community Edition of its scanner, and Websecurify is a mix-and-match suite of cross-platform Web application security testing tools which is charged on a monthly basis.
The main disadvantage of vulnerability scanners is that they can only be used once the application is built. Once an application is live, it is a race to find exploitable vulnerabilities before hackers do. Known vulnerabilities will be quickly found and exploited, so a more sustainable long-term approach to building robust applications is often needed. Training developers to code securely has shown to greatly reduce the number of serious flaws that creep into an application as it is developed. You can find out what your enterprise's developers do and don't know about application security with the free quiz tool Secure Coder Analytics.
According to Aspect Security, Inc., authentication and session management risks affect 93% of applications and are topics (along with input validation, encoding, sensitive data protection and access control) that developers must fully understand before they start working on an application. Using a common set of controls throughout all applications (such as the OWASP Enterprise Security API, an open source Web application security control library), will make it easier for programmers to correctly implement security checks and controls like input validation, output encoding and encryption.
While automated tools can help reduce the vulnerability count, the complexity of modern Web applications makes it harder for these tools to find every issue. Static analysis and penetration testing are important for identifying often more serious risks. A Web application firewall can provide a layer of security, but if the underlying application is flawed, then it is not a long-term solution.
There is no quick fix to securing a Web application, as all tools and checks require considerable human expertise in order to get good results. Building Web applications without a suitable security budget puts sensitive company and customer data at risk, and puts the business in breach of various standards depending on the regulatory environment in which it operates.
Ask the Expert!
Have a question for application security expert Michael Cobb? Send it via email today! (All questions are anonymous.)
Dig Deeper on Web application and API security best practices
Related Q&A from Michael Cobb
Explore the differences between symmetric vs. asymmetric encryption algorithms, including common uses and examples of both, as well as their pros and... Continue Reading
Pirated software is still a major concern nowadays. Uncover how to prevent software piracy and protect your organization's intellectual property. Continue Reading
Shellcode is a set of instructions that executes a command in software to take control of or exploit a compromised machine. Read up on the malware ... Continue Reading