Wednesday, July 15, 2009

Web vulnerability scanning

I regularly review firewall configurations to figure out what incoming connections we allow, other than web access. In the course of the last 5 years or so, it has become abundantly clear that there had better be a very good reason for anything that is not web to be still exposed directly to the Internet. As more obscure protocols become less used, it becomes harder to retain experienced administrators who really know what they are talking about, and as a result, securing those protocols becomes much harder.



Which the advent of 'everything over the web', new challenges have emerged. Secure application development, web content filtering (inbound and outbound), web application firewalls, specialized intrusion detection systems, etc. are all important tools to have, but, in the end, all those tools must be configured, maintained and tested also.



As a result, requiring regular vulnerability scans is an important tool to not only detect problems in the application, but also to test all the controls that protect the information that is manipulated by it. Penetration testing to assess the potential impact of the vulnerabilities that were discovered would sometimes be the logical next step.



There are roughly two types of vulnerability scans: manual scans and automated scans. Manual scans, if conducted by a highly skilled individual with enough time, will find things that you would not have even dreamed about. A major drawback is that they are (very) costly and the outcome of the scan is highly dependent on the person conducting it. Automated scans are relatively cheap, can run consistently and continuously and they are thorough. The drawback of automatic scanning is that they will only find vulnerabilities that were previously known and have been implemented in the scan tool's logic.



There are some solutions out there that take a hybrid approach to vulnerability scanning. They perform an automated scan, which is supported by human experts who manually verify the  results in order to avoid false positives. Human testers will also be much more qualified to detect business logic flaws than automated scans can.

The automatic scans will detect of the vast majority of the problems, which allows the human expert to concentrate on the more interesting stuff.



One vendor that offers this service is WhiteHat Security through their Sentinel product. I have been working with Sentinel for a few weeks now, and my impression that our developers had things fairly well under control was confirmed. Yet, Sentinel also found a number of vulnerabilities that I had no idea were present on our web presence. The WhiteHat staff is very responsive to inquiries and I am a very happy customer. The price tag is reasonable; a full year of continuous scanning will amount to roughly the same price tag as a once-off scan of a medium-sized site conducted by a human tester.



If you are in the market for a hybrid web application vulnerability scanner, you should check out WhiteHat's offering.



No comments:

Post a Comment

Please share your view and opinions on what I wrote. In order to maintain quality, all comments will be moderated for merit. Contributions that call me out on statements that appear unfounded, wrong, or simply with which you disagree are highly appreciated and are even encouraged. Spam and 'me too' answers will be ignored.