
Cost-effective Web application security testing

Expert Michael Cobb discusses numerous open source and low-cost Web application security testing options for enterprises on a budget.

Our organization has tons of Internet-facing Web applications with custom code, and we don't have a formal application security testing program. I don't see that changing anytime soon. What's the best way to test the security of Web applications without spending a lot of (or any) money?

There are plenty of open source and low-cost resources that can be used to test the security of Web applications, though security teams will need time to learn exactly how to best use them and how to complete a full scan of all of an enterprise's Web applications.

Vega is a free and open source Web application scanner and testing platform that runs on Linux, OS X and Windows. It includes an automated scanner for quick tests and an intercepting proxy to inspect HTTP requests and responses. Like most Web application scanners, it will help find SQL injection and cross-site scripting vulnerabilities -- the two main flaws exploited by hackers.

Wapiti is another open source tool that scans the pages of a Web application, looking for scripts and forms to test for various injection-based vulnerabilities. Another free Web application scanner, Skipfish, works slightly differently as it generates an interactive site map annotated with the results of a number of security checks, allowing security teams to prioritize where more detailed analysis is needed. Netsparker offers a free Community Edition of its scanner, and Websecurify is a mix-and-match suite of cross-platform Web application security testing tools which is charged on a monthly basis.

The main disadvantage of vulnerability scanners is that they can only be used once the application is built. Once an application is live, it is a race to find exploitable vulnerabilities before hackers do. Known vulnerabilities will be quickly found and exploited, so a more sustainable long-term approach to building robust applications is often needed. Training developers to code securely has been shown to greatly reduce the number of serious flaws that creep into an application as it is developed. You can find out what your enterprise's developers do and don't know about application security with the free quiz tool Secure Coder Analytics.

According to Aspect Security, Inc., authentication and session management risks affect 93% of applications and are topics (along with input validation, encoding, sensitive data protection and access control) that developers must fully understand before they start working on an application. Using a common set of controls throughout all applications (such as the OWASP Enterprise Security API, an open source Web application security control library), will make it easier for programmers to correctly implement security checks and controls like input validation, output encoding and encryption.
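The two flaws the scanners above are tuned for, SQL injection and cross-site scripting, shown as a vulnerable handler beside its hardened form. This is an added example, not code from the article or from the OWASP Enterprise Security API; it applies the three controls the paragraph names (allowlist input validation, parameterised queries, output encoding) as small shared functions, which is the kind of common control set the text recommends. The in-memory SQLite table, the usernames and the function names are constructed for this example.

```python
"""Added example: SQL injection and XSS, vulnerable and hardened side by side.
Not the article's or ESAPI's code; the database contents are constructed."""
import html
import re
import sqlite3

# Allowlist for usernames: a shared validation control reused by every handler.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")


def make_db():
    """Constructed sample data: two users in an in-memory SQLite database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "alice@example.test"), ("bob", "bob@example.test")])
    return conn


def is_valid_username(name):
    """Input validation control: accept only what the allowlist describes."""
    return USERNAME_RE.fullmatch(name) is not None


def lookup_vulnerable(conn, name):
    """Builds the statement by string concatenation, so the caller's text is
    parsed as SQL: a quote character changes the meaning of the WHERE clause."""
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterised(conn, name):
    """Binds the value as a parameter: the driver sends it as data, never as
    SQL text, so a quote in the input cannot alter the statement."""
    sql = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def lookup_hardened(conn, name):
    """Both controls together: reject anything outside the allowlist early,
    then bind the value. Validation gives clean error handling; binding is
    what actually removes the injection."""
    if not is_valid_username(name):
        raise ValueError("invalid username")
    return lookup_parameterised(conn, name)


def greet_vulnerable(name):
    """Reflects the input into HTML unencoded, so markup in it is rendered."""
    return "<p>Hello, " + name + "</p>"


def greet_hardened(name):
    """Output encoding control: escape for the HTML text context first."""
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


if __name__ == "__main__":
    db = make_db()
    tampered = "' OR '1'='1"          # input containing SQL syntax
    print(lookup_vulnerable(db, tampered))     # both rows: the clause was rewritten
    print(lookup_parameterised(db, tampered))  # []: treated as a literal name
    print(is_valid_username(tampered))         # False: rejected before the query
    print(lookup_hardened(db, "alice"))
    print(greet_vulnerable("<b>x</b>"))        # markup rendered
    print(greet_hardened("<b>x</b>"))          # markup shown as text
```

The hardened lookup keeps validation and binding as separate controls on purpose: the allowlist is a policy choice (it would reject a legitimate name such as O'Brien and may need widening), while binding is what makes the query safe regardless of policy.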

While automated tools can help reduce the vulnerability count, the complexity of modern Web applications makes it harder for these tools to find every issue. Static analysis and penetration testing are important for identifying the often more serious risks that scanners miss. A Web application firewall can provide a layer of security, but if the underlying application is flawed, then it is not a long-term solution.

There is no quick fix to securing a Web application, as all tools and checks require considerable human expertise in order to get good results. Building Web applications without a suitable security budget puts sensitive company and customer data at risk, and puts the business in breach of various standards depending on the regulatory environment in which it operates.


This was last published in August 2014


Whether you're on a tight budget or not, these tools can be used by developers and testers to move application security testing earlier in the development process, before the bigger, more expensive tools would normally be brought in. We've seen the same thing happen with load/performance testing, and it's made a tremendous difference in our final products.

Wapiti in particular is a very interesting tool. You might also want to check the OWASP site, as some tools are provided there that may help.

Why is budget the problem here? If the business is not inclined to pay for exploring these risks, maybe they deem those risks not important?

It's great that we have free tools, but at times I'm just sad to see testers trying too hard to justify the value of their work.