Toolbox

How to Evaluate (and Use) Web Application Security Scanners

Specialized application penetration testing tools and services can help keep websites from serving as a front door for hackers and malware

By Mary Brandel

March 03, 2008 (CSO). Traditionally (if such a word can apply to the rapidly morphing digital world), companies have secured their Web applications by guarding the perimeter with Web firewalls. It is increasingly recognized, however, that the real vulnerability lies in the Web applications themselves, which often contain easily exploited security flaws. According to consultancy Gartner, 90 percent of externally accessible applications today are Web-enabled, and two-thirds of them have exploitable vulnerabilities.

That’s where Web application penetration testing tools and services come in. Diana Kelley, VP and service director at Burton Group, says these tools and services run automated scans of Web applications, either in production or just prior to going live, applying threat models and misuse cases to unearth common vulnerabilities. Some of the top 10 flaws defined by the Open Web Application Security Project (OWASP), including SQL injection, cross-site scripting and improper error handling, were until quite recently alien concepts to a lot of people, including developers. In some cases, the tools also suggest how to fix the problems they find. (For more about Web application vulnerability awareness and its effect on security research, see The Chilling Effect.)
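To make the "misuse case" idea concrete, here is an added example (not code from the article, from Burton Group, or from any scanner vendor) of the two simplest checks a Web application scanner runs against a request parameter: break out of a quoted SQL literal and look for database error text in the response, and send a marker containing HTML metacharacters and see whether it comes back unescaped. The target is a constructed, deliberately vulnerable handler backed by an in-memory SQLite database, shown beside a hardened version that uses a bound parameter, generic error messages and output escaping; the handler names, the marker string and the error signatures are all assumptions for the example.

```python
"""
Toy Web application scanner: error-based SQL injection and reflected XSS checks.
Everything below is constructed for this example; it is not a real product.
"""
import html
import re
import sqlite3
from typing import Callable, Dict

# ---- Constructed target application (assumed, not a real site) ----------------

def _make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [(1, "alice"), (2, "bob")])
    return conn

_DB = _make_db()

def vulnerable_app(params: Dict[str, str]) -> str:
    """Builds SQL by string concatenation, leaks the DB error, echoes input raw."""
    q = params.get("q", "")
    try:
        rows = _DB.execute(f"SELECT name FROM users WHERE name = '{q}'").fetchall()
        body = ", ".join(r[0] for r in rows) or "no match"
    except sqlite3.Error as exc:
        body = f"Database error: {exc}"          # improper error handling
    return f"<p>Results for {q}: {body}</p>"    # reflected XSS

def hardened_app(params: Dict[str, str]) -> str:
    """Same feature with a bound parameter, a generic error and output escaping."""
    q = params.get("q", "")
    try:
        rows = _DB.execute("SELECT name FROM users WHERE name = ?", (q,)).fetchall()
        body = ", ".join(r[0] for r in rows) or "no match"
    except sqlite3.Error:
        body = "An error occurred."
    return f"<p>Results for {html.escape(q)}: {html.escape(body)}</p>"

# ---- Scanner side -------------------------------------------------------------

# Error strings leaked by common database engines when a query is malformed.
SQL_ERROR_SIGNATURES = [
    re.compile(r"unrecognized token", re.I),                    # SQLite
    re.compile(r"syntax error", re.I),                          # SQLite/PostgreSQL
    re.compile(r"You have an error in your SQL syntax", re.I),  # MySQL
    re.compile(r"ORA-\d{5}", re.I),                             # Oracle
    re.compile(r"Unclosed quotation mark", re.I),               # MSSQL
]

# A marker unlikely to occur naturally; its angle brackets must be escaped by
# any correct handler, so seeing it verbatim in the response means reflection.
XSS_MARKER = "zqx9<scan>zqx9"

def scan(app: Callable[[Dict[str, str]], str], param: str) -> Dict[str, bool]:
    """Run two misuse cases against one parameter and report what was found."""
    findings = {"sqli": False, "xss": False}

    # Misuse case 1: a lone single quote unbalances a quoted SQL literal.
    resp = app({param: "'"})
    if any(sig.search(resp) for sig in SQL_ERROR_SIGNATURES):
        findings["sqli"] = True

    # Misuse case 2: does HTML in the input come back unchanged?
    resp = app({param: XSS_MARKER})
    if XSS_MARKER in resp:
        findings["xss"] = True

    return findings

if __name__ == "__main__":
    print("vulnerable:", scan(vulnerable_app, "q"))
    print("hardened:  ", scan(hardened_app, "q"))
```

Real scanners crawl for parameters, use many more payloads (boolean- and time-based injection where no error is leaked, payloads for each HTML context) and cross-check findings to cut false positives, but the shape is the same: send a misuse case, then look for evidence of the flaw in the response.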

Today, Web penetration testing is considered a key component in ensuring application security, which has become an essential part of enterprise risk management, Kelley says. Or as Joseph Fieman, analyst at Gartner, puts it, “It’s coming down to a race between you and the hackers. Either you use [penetration testing] or the hackers will do it for you.”

According to Gartner, enterprises considering these tools and services should expect substantial market and product consolidation. Acquisitions are likely among the major software development lifecycle (SDLC) platform providers and security vendors, Fieman says. Already the quality-assurance divisions of two heavyweights, Hewlett-Packard and IBM, have bought into the market (acquiring SPI Dynamics and Watchfire, respectively).

Here is advice from CISOs and analysts on how to evaluate and use these tools and services.

Key Decisions

1) Who’s going to use it? Assigning responsibility for securing Web applications isn’t always a straightforward task. It’s a new concept for development groups and QA teams, and security groups are more accustomed to network issues than application issues. So who does the job? According to Fieman, it’s awkward for security specialists to scan the application and forward the results to developers. But that’s exactly what many companies do, at least until the developers accept the idea of using the tools.

Phil Heneghan, chief information security officer at USAID, for instance, has shouldered the responsibility for Web application security, believing it’s ultimately his job to secure the enterprise and that it’s better to have someone other than the application’s creators assess its vulnerabilities. “You could end up with a rose-colored picture if the developer says, ‘Don’t worry; I checked it, and it’s fine,’” he says.
