
Researchers aim to smarten Web application security scanners

Adding the "human element" to scanners could help pen testers evaluate a larger portion of an application's attack surface, according to two researchers at SOURCE Boston 2010.

BOSTON -- Two application security experts are working on a way to improve the testing of Web applications by incorporating application data flow maps and other information typically used by software quality assurance testers.

"The more complex Web apps get, the less effective automation becomes unless we do something. This is that something."
Rafal Los, Senior Web Security Specialist, Hewlett-Packard

Rafal Los and Matt Wood of Hewlett-Packard Co.'s Web Security Research Group presented a set of new testing processes Wednesday at SOURCE Boston 2010. They said the new processes they proposed are currently far too complicated to implement, but will eventually be incorporated in an automated tool.

"We're trying to take the human element and move it more into the scanners," Wood said.

For far too long, penetration testers hunting for vulnerabilities in Web applications have been losing ground. Web application security scanners have improved the time to detect and identify the location of bugs in JavaScript, AJAX and other modern coding techniques, but more sophisticated applications result in far less attack surface being tested, Los said.

"Security analyst tools today aren't equipped properly to test highly complex applications," Los said. "The more complex Web apps get, the less effective automation becomes unless we do something. This is that something." 


The two researchers developed what they call an execution-flow-based approach to application security testing. They use data from QA testers to fully map the Web application's attack surface to better understand how an application functions and, more importantly, how data flows through it. Once security testers have the data, they could quickly drill down into a particular area and identify vulnerabilities that pose more risk, Los said.

"QA teams generally know the app; they test for known stuff that is supposed to be there," Los said. "They can tell you that they covered the entire application -- all the functionality."

The researchers call their processes a radical testing methodology in which data requirements and functional paths are used to create an execution-flow diagram to understand the key business logic of an application. The process will result in function-based automated testing. The technique helps testers identify actions that change the application's document flow or actions that could change the state of the application. Indirect flows, external data that can modify the document state, are also incorporated. 

For example, in a payment page, "when a user selects American Express or Visa a QA guy will know the user's selection results in a different action within the application," Wood said. "The scanners are not going to know." Since a scanner can only identify errors in a small portion of the attack surface, feeding it application flow data could help "smarten" the Web application scanner and improve the overall test.

Using flow-based threat analysis, pen testers can determine that two vulnerabilities in an area of an app that handles credit cards should take a higher priority than vulnerabilities in a product viewing area. The processes could also help boost the credibility of security testers, the researchers said. Security teams typically are given an application to test in a very short time frame.

"If you have 24 hours and 2.5 million lines to functionally test, how are you going to get that done?" Los asked.
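The payment-page and prioritization ideas described above can be sketched as follows. This is an added example, not the researchers' tool or code: the flow records, state names, scanner coverage set and finding IDs are all constructed, and it assumes QA test cases can be exported as (state, action, next state) transitions with card-handling states tagged.

```python
from collections import defaultdict

# Constructed sample data: QA test cases recorded as (state, action, next_state).
QA_FLOWS = [
    ("catalog", "view_product", "product"),
    ("product", "add_to_cart", "cart"),
    ("cart", "checkout", "payment"),
    ("payment", "select_visa", "visa_form"),
    ("payment", "select_amex", "amex_form"),
    ("visa_form", "submit", "receipt"),
    ("amex_form", "submit", "receipt"),
]
# Constructed: the transitions a scanner exercised (it never chose Amex or submitted).
SCANNER_SEEN = set(QA_FLOWS[:4])
# Assumption: QA tags the states that process card data.
SENSITIVE = {"visa_form", "amex_form"}
# Constructed scanner findings, each located at an application state.
FINDINGS = [{"id": "F1", "state": "product"}, {"id": "F2", "state": "amex_form"}, {"id": "F3", "state": "visa_form"}]

def coverage_gaps(qa_flows, scanner_seen):
    """Transitions QA knows about that the scanner never exercised."""
    return [edge for edge in qa_flows if edge not in scanner_seen]

def states_feeding(qa_flows, targets):
    """The target states plus every state from which one of them is reachable."""
    preds = defaultdict(set)
    for src, _action, dst in qa_flows:
        preds[dst].add(src)
    reached, stack = set(targets), list(targets)
    while stack:
        for p in preds[stack.pop()]:
            if p not in reached:
                reached.add(p)
                stack.append(p)
    return reached

def prioritize(findings, qa_flows, sensitive):
    """Order findings: in a card-handling state, then on a path to one, then the rest."""
    on_path = states_feeding(qa_flows, sensitive)
    def rank(f):
        return 0 if f["state"] in sensitive else 1 if f["state"] in on_path else 2
    return sorted(findings, key=rank)

if __name__ == "__main__":
    print("untested transitions:", coverage_gaps(QA_FLOWS, SCANNER_SEEN))
    print("triage order:", [f["id"] for f in prioritize(FINDINGS, QA_FLOWS, SENSITIVE)])
```

The coverage gap list is what would be fed back to the scanner as additional paths to drive; the triage order puts the two card-area findings ahead of the product-page one.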
