Toolbox

How to Evaluate (and Use) Web Application Security Scanners

Specialized application penetration testing tools and services can help keep websites from serving as a front door for hackers and malware

By Mary Brandel

Page 2

Similarly, Andre Hiotis, technology security officer at NAV Canada, purchased IBM's Rational AppScan [editor's note: corrected] more than a year ago and is only now putting it on developers’ desktops to use themselves, at their request. If he’d given it to them at the get-go, he says, they would have been overwhelmed by all the information it produced. As it is, his team has had time to learn the tool and can now provide assistance to the developers when they use it. Security staff is also better equipped to prioritize and edit the tool’s voluminous reports and will continue to provide that service. “If the developers saw 100 things needed to be fixed, they couldn’t judge which were high, medium or low risk,” Hiotis says.

2) Service or tool (or both)? You can buy the tool and dedicate resources to building a robust testing capability, or have a vendor scan your Web applications remotely, validate the findings and produce a focused report. Most leading vendors now offer both options, except WhiteHat, which offers only a service-based solution. “Many companies wish to perform their own testing in-house, for control, management and privacy purposes, but there’s a large and growing market for scanning services,” Kelley says.

And some organizations are choosing to use both. The manager of information security at a large healthcare organization (who declined to be identified), for instance, temporarily halted the use of WebInspect when he found he didn’t have the staff resources to manage the volumes of data it produced. “You need human intelligence to eliminate the false positives and get a complete analysis of where the vulnerabilities lie,” he says. He turned to WhiteHat for help interpreting the results and working with developers to fix problems.

After a year of becoming accustomed to the service, he’s now expanding the use of his original tool and is planning to take a three-tiered approach. Developers will scan their code and builds as they go with WebInspect, and then security staff will run a second scan with that tool. On the third pass, they’ll push the application out to the Internet and have WhiteHat run a test.

3) How will you integrate? These tools operate best when they are integrated—either natively or through an application programming interface (API)—with other systems used by developers and the QA team. These include QA and testing tools, as well as content management, project management and scheduling tools, so the scan results can be tracked and fixed like any other code defect. They should also tightly integrate with development environments such as Microsoft Visual Studio, so that, ideally, developers could run a scan from their desktop, using an interface similar to their development tool’s.
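As an added illustration (not code from the article, nor from IBM, HP or WhiteHat), here is the kind of glue security staff end up writing between a scanner and the defect tracker, which is where the triage Hiotis describes and the integration in point 3 meet: collapse repeated hits into one finding, drop results the team has already validated as false positives, assign a high/medium/low priority that developers can act on, and give each defect a stable ID so a re-scan updates the existing ticket instead of opening a new one. The JSON report layout, the severity table, the false-positive list and the sample findings are all constructed for the example; real AppScan or WebInspect output has its own format, and the final step of calling a tracker's API is left as a print.

```python
"""Triage a web-app scanner report into tracker-ready defects.

Illustrative example: the report format below is a generic, constructed JSON
layout, not the native output of any named scanner.
"""
import hashlib
import json

# Constructed sample report (not real scanner output). Two findings are exact
# repeats of earlier ones and one is a known false positive for this app.
SAMPLE_REPORT = json.dumps({
    "target": "https://app.example.com",
    "findings": [
        {"type": "SQL Injection", "url": "/search", "param": "q", "confidence": 0.9},
        {"type": "SQL Injection", "url": "/search", "param": "q", "confidence": 0.9},
        {"type": "Reflected XSS", "url": "/profile", "param": "name", "confidence": 0.8},
        {"type": "Missing X-Frame-Options", "url": "/", "param": None, "confidence": 0.99},
        {"type": "Directory Listing", "url": "/static/", "param": None, "confidence": 0.5},
        {"type": "Reflected XSS", "url": "/profile", "param": "name", "confidence": 0.8},
    ],
})

# Assumed severity mapping. In practice this encodes the security team's own
# risk model, which is the judgement the article says a raw report does not give.
SEVERITY = {
    "SQL Injection": "high",
    "Reflected XSS": "medium",
    "Directory Listing": "low",
}

# Findings already validated as false positives for this application
# (hypothetical: e.g. the header is added by an edge proxy the scanner bypassed).
FALSE_POSITIVES = {("Missing X-Frame-Options", "/")}

PRIORITY_ORDER = {"high": 0, "medium": 1, "low": 2, "info": 3, "needs-review": 4}


def finding_key(finding):
    """Identity of a finding: same class, URL and parameter means the same defect."""
    return (finding["type"], finding["url"], finding.get("param"))


def dedupe(findings):
    """Collapse repeated hits, keeping a count so the ticket shows how often it fired."""
    unique = {}
    for finding in findings:
        key = finding_key(finding)
        if key in unique:
            unique[key]["occurrences"] += 1
        else:
            unique[key] = dict(finding, occurrences=1)
    return list(unique.values())


def is_false_positive(finding):
    return (finding["type"], finding["url"]) in FALSE_POSITIVES


def prioritize(finding, min_confidence=0.6):
    """Map a finding to a priority; low-confidence hits go to a human first."""
    if finding.get("confidence", 0.0) < min_confidence:
        return "needs-review"
    return SEVERITY.get(finding["type"], "info")


def defect_id(finding):
    """Deterministic ID so a re-scan updates the same ticket rather than filing a new one."""
    raw = "|".join(str(part) for part in finding_key(finding)).encode()
    return hashlib.sha256(raw).hexdigest()[:12]


def triage(report_json):
    """Return tracker-ready defects, highest priority first, false positives removed."""
    report = json.loads(report_json)
    defects = []
    for finding in dedupe(report["findings"]):
        if is_false_positive(finding):
            continue
        param = finding.get("param")
        title = f"{finding['type']} in {finding['url']}" + (f" ({param})" if param else "")
        defects.append({
            "id": defect_id(finding),
            "title": title,
            "priority": prioritize(finding),
            "occurrences": finding["occurrences"],
            "target": report["target"],
        })
    defects.sort(key=lambda d: PRIORITY_ORDER[d["priority"]])
    return defects


if __name__ == "__main__":
    # Stand-in for the tracker API call: one line per defect to file or update.
    for defect in triage(SAMPLE_REPORT):
        print(defect["priority"].upper(), defect["id"], defect["title"], f"x{defect['occurrences']}")
```

Run against the constructed report, the six raw hits become three defects: the SQL injection as high, the reflected XSS as medium, and the low-confidence directory listing parked for human review, with the edge-supplied header finding dropped as a known false positive. The stable `id` is what makes the "tracked like any other code defect" goal workable: without it, every nightly scan reopens the same issue.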
