Toolbox
How to Evaluate (and Use) Web Application Security Scanners
Specialized application penetration testing tools and services can help keep websites from serving as a front door for hackers and malware
By Mary Brandel
It’s also optimal for the tool or service to export results directly to a static source code scanning tool. That’s because while Web application testing tools can tell you what kind of vulnerability you have, they don’t pinpoint the exact location in the code where the problem lies. “Detecting vulnerability is 50 percent of the job,” Fieman says. “You have to close the loop.”
Evaluation Criteria
According to Gartner, there are almost no dramatic differences between vendors’ scanning technology principles; differentiation lies among vendors’ ability to do the following:
- Tightly integrate with software development and production processes and platforms.
- Manage and report across multiple deployed scanners.
- Scale to different size environments.
- Provide features and services beyond scanning, such as source code scanning; SOX, HIPAA and other compliance analyses; automatic vulnerability fixing; hosting services; training; assistance in process design; and consulting on the adoption of security into the SDLC process.
Gartner adds the following technological criteria to consider:
- Vulnerability detection and corrective analysis. Vulnerabilities should be reported, and suggestions for correction should be made in a language that developers can understand. The scanner should identify the relevant webpage and URL where the vulnerability was detected. False positives must be low.
- Continuous and prompt update of the vulnerability database. Because new attacks appear over time, vendors must keep a database of all known vulnerabilities and promptly update it with new vulnerabilities as part of the standard maintenance contract. A metadata repository would help in analyzing vulnerabilities and remedies.
- Reporting and analysis. The tool should aid in classifying detected vulnerabilities and rating them according to their severity. In addition, detailed explanations of vulnerabilities, suggested solutions, and linkage to existing patches and patterns should be available. Reports should cater to application developers and security professionals of different levels.
- Ease of use by nonsecurity experts.
- Protocol support. Most scanners use only HTML and HTTP to probe Web-enabled applications. However, it broadens usability when other protocols are supported, such as SOAP, SNA, LU 6.2, RPC and RMI.
- The tool should support common Web server platforms, such as IIS and Apache, as well as hosted functionality in the form of ASP, JSP and ASP.NET.
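The earlier point that a scanner reports the vulnerability class and the URL but not the line of code, and the reporting criteria above (severity rating, low false positives, developer-readable output), can be shown in a small triage step that sits between the scanner export and the developers. The script below is an added illustration, not code from the article or from any vendor's product. It assumes a hypothetical JSON export shape, a confidence field on each finding, and a hand-maintained route table mapping URL paths to handler files; the findings, the route table and the severity policy are all constructed here.

```python
"""Correlate DAST scanner findings with source locations and rank them.

Added illustration (not from the article or any vendor tool). It assumes a
scanner export in a simple JSON shape and a route table maintained by the
development team from the application's router configuration; both are
constructed sample data.
"""
import json
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample export from a hypothetical DAST scanner.
SCANNER_EXPORT = json.dumps([
    {"type": "SQL Injection", "url": "https://shop.example/search?q=1",
     "param": "q", "confidence": 0.9},
    {"type": "Reflected XSS", "url": "https://shop.example/search?q=1",
     "param": "q", "confidence": 0.8},
    {"type": "Reflected XSS", "url": "https://shop.example/search?q=2",
     "param": "q", "confidence": 0.85},
    {"type": "Missing X-Frame-Options", "url": "https://shop.example/",
     "param": None, "confidence": 1.0},
    {"type": "Directory Listing", "url": "https://shop.example/static/",
     "param": None, "confidence": 0.95},
])

# Constructed route table: exact URL path -> handler source file. This is the
# piece the scanner cannot supply; the team has to maintain it (assumption).
ROUTE_TABLE = {
    "/search": "app/handlers/search.py",
    "/": "app/handlers/home.py",
}

# Severity by vulnerability class (assumption; replace with your own policy).
SEVERITY = {
    "SQL Injection": "high",
    "Reflected XSS": "medium",
    "Directory Listing": "low",
    "Missing X-Frame-Options": "low",
}
SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2, "unrated": 3}

# Findings below this confidence are dropped to keep false positives low.
MIN_CONFIDENCE = 0.75


def path_of(url):
    """Strip scheme, host and query so hits on the same route collapse."""
    return urlsplit(url).path


def locate(path):
    """Map a URL path to a handler file; None when the route table has no entry."""
    return ROUTE_TABLE.get(path)


def triage(export_json, min_confidence=MIN_CONFIDENCE):
    """Filter, deduplicate by (type, path, param), attach location and severity."""
    merged = {}
    for raw in json.loads(export_json):
        if raw["confidence"] < min_confidence:
            continue
        key = (raw["type"], path_of(raw["url"]), raw["param"])
        if key in merged:
            # Same weakness seen via another query string: keep one finding,
            # remember the strongest confidence and every URL that triggered it.
            merged[key]["confidence"] = max(merged[key]["confidence"], raw["confidence"])
            merged[key]["urls"].append(raw["url"])
            continue
        merged[key] = {
            "type": raw["type"],
            "path": key[1],
            "param": raw["param"],
            "severity": SEVERITY.get(raw["type"], "unrated"),
            "confidence": raw["confidence"],
            "location": locate(key[1]),
            "urls": [raw["url"]],
        }
    # Highest severity first; type name as a tie-breaker for stable output.
    return sorted(merged.values(),
                  key=lambda f: (SEVERITY_ORDER[f["severity"]], f["type"]))


def summarize(findings):
    """Count findings per severity band for the management-level view."""
    return dict(Counter(f["severity"] for f in findings))


def render(findings):
    """Developer-facing lines: what, where in the site, and which file to open."""
    lines = []
    for f in findings:
        where = f["location"] or "UNMAPPED: add a route entry before assigning"
        lines.append(f"[{f['severity'].upper():6}] {f['type']} at {f['path']} "
                     f"(param={f['param']}, confidence={f['confidence']:.2f}) -> {where}")
    return "\n".join(lines)


if __name__ == "__main__":
    result = triage(SCANNER_EXPORT)
    print(render(result))
    print(summarize(result))
```

The unmapped line is the useful output: a finding with no handler file is exactly the case the article's "close the loop" remark is about, and it should be resolved (by extending the route table or by handing the finding to a static analysis tool) before it reaches a developer's queue.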
Dos and Don’ts
DO make sure your company is ready to make a real investment not just in the tool, but also in training, staffing and developing robust processes around finding and fixing vulnerabilities. “The main weakness I see is companies that feel they can take the product, point it at their applications and get the same wealth of information they could get if they did manual or highly assisted testing,” Kelley says. “You have to educate your testers on how to test, and they need time to work with and configure and use some of the add-ons provided to assist the process.”