Toolbox

How to Evaluate (and Use) Web Application Security Scanners

Specialized application penetration testing tools and services can help keep websites from serving as a front door for hackers and malware

By Mary Brandel

Page 4

DON’T expect developers to love the tool right away. Many developers have been blissfully ignorant of Web application security elements and are either embarrassed, insulted or just not interested in what these tools reveal. “One of the biggest pain points was getting people to accept the seriousness involved with this,” says the security manager at the healthcare organization. It took his organization a year and a half to get developers to adopt the tools.

DO realize the limitations of these tools. Some people want to believe that if the tools don’t find a problem, they’re home free, says Gary McGraw, CTO at security consultancy Cigital. “But the only thing it can tell you is you don’t have these [specific] problems,” he says. “If they had a list of all possible security problems ever in the history and future of the planet, that would be a great thing, but that’s impossible.” That’s why McGraw famously called these tools “badness-ometers”—they can tell you when your code is bad, but they can’t tell you that your code is lock-tight secure. Not that the tools don’t have value, McGraw says; they do shorten the testing cycle considerably, but humans are often needed to validate that a problem exists.

DON’T think one tool will find every problem. At the healthcare organization, “We’ve found vulnerabilities with SPI that WhiteHat didn’t and vice versa,” the manager says.

DO realize that security is not a one-time event. Because Web applications are ever-changing, they must be tested continuously to ensure no new vulnerabilities have been introduced, Burton Group’s Kelley says. Even OWASP continuously changes its top 10 guidelines. Heneghan scans his organization’s Web applications once a month. The healthcare organization security manager warns it can take one or two days to crawl through all his firm’s applications and produce an analysis. 

This article appeared in CSO Magazine as "Patching the Holes in Web Application Security". Mary Brandel is a freelance writer. Send feedback to csoletters@cxo.com.
