When asked what my recommended web application security solution is, I
always recommend web vulnerability scanners, also known as web application security scanners.
In theory, if the budget permitted, I would also train the developers,
use source code analyzers and implement a web application firewall.
But in reality funds are limited, so most of the time you have to
choose one solution, or two at most. Hence, if I had to choose a single
solution, I would go for an automated web application security scanner.
WAFs – An Additional Layer of Security and Attack Surface
Web application firewalls
are a good solution, but they have their own shortcomings. Many security
experts have published vulnerability advisories and whitepapers about
bypassing web application firewalls. For example, a few months back
security professional Rafay Baloch bypassed Sucuri’s online web application firewall, which is considered one of the best managed online WAFs, protecting thousands of websites.
Therefore WAFs are nice to have as an additional layer of security,
but they are also an additional attack surface. The security of your
websites and web applications shouldn’t solely depend on a web
application firewall.
Training Developers – Humans are Prone to Making Mistakes
Developers are humans, and like everyone else, even after years of
training they are still susceptible to making mistakes. Training will
help build better and more secure products, but we should never solely
rely on the human factor for the security of a web application. We
should also use the technology and tools available on the market.
Source Code Analyzers – As Good As The Definitions
Automated source code analyzers are a good solution, though they tend
to have a number of shortcomings. They report a lot of false
positives and also miss a lot of vulnerabilities (false negatives),
especially if a new vulnerability is discovered in an external component
or if the analysis tool has no knowledge of the runtime
environment (definition files).
Web Security Scanners – Emulate Real Live Malicious Attackers
Malicious hackers use automated software and scripts to scan wide
ranges of websites for vulnerabilities and security flaws they could
exploit. Hence, by using a web application security scanner you are
actually emulating real live attackers. And there is no better way to
secure web applications than by emulating the attackers and using the same
tools that they use, or similar ones.
Also, automated web application security scanners
are heuristic, hence they do not simply rely on definition files the way
antivirus software does. That is why they are quite good at uncovering
vulnerabilities in custom-built web applications, which are frequently
targeted by attackers.
Identifying the Real Threats
All of the different security solutions have their shortcomings, but
as we have just seen, automated web application security scanners are the
tools you have to use if you want to emulate attackers. Also,
statistics show us that scanners are the way forward.
For example, both SQL Injection and Cross-site scripting (XSS) vulnerabilities have been in the OWASP Top 10
list since it started, because they are the most commonly exploited
direct-impact vulnerabilities. And automated web security scanners are
built specifically for that purpose: to automatically identify these
types of technical vulnerabilities quickly. Which
security solution do you use?
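To make the two points above concrete (that scanners work heuristically rather than from definition files, and that SQL Injection and XSS are the classes they are built to find), here is a small added example that is not part of the original article and not the code of any scanner vendor. It uses a constructed in-memory SQLite table and two toy page handlers; the hypothetical functions `quote_breaks_query` and `reflects_unescaped` are the kind of behavioural check a scanner applies: no signature list, just "does a stray quote reach the database parser?" and "does a harmless marker come back into the HTML unencoded?". Each vulnerable handler is shown beside the hardened form a developer would ship, and the checks flag one and clear the other.

```python
import html
import sqlite3


def make_db():
    """Constructed sample backend: an in-memory table with two users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user")],
    )
    return conn


def find_user_vulnerable(conn, name):
    """String concatenation: user input is parsed as SQL (the injection defect)."""
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_user_hardened(conn, name):
    """Parameterised query: the input is bound as data, never parsed as SQL."""
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()


def greet_vulnerable(name):
    """Reflects raw input into an HTML text node (reflected XSS defect)."""
    return "<p>Welcome, " + name + "</p>"


def greet_hardened(name):
    """Context-appropriate output encoding for an HTML text node."""
    return "<p>Welcome, " + html.escape(name, quote=True) + "</p>"


def quote_breaks_query(lookup):
    """Heuristic SQLi check (hypothetical helper): a lone quote should be
    treated as data. If it reaches the SQL parser, the driver raises an
    error, which is the behavioural signal, with no payload dictionary needed."""
    try:
        lookup("'")
    except sqlite3.Error:
        return True
    return False


# Constructed, benign marker; unique enough not to collide with page content.
MARKER = "zq7kScanProbe"


def reflects_unescaped(render, marker=MARKER):
    """Heuristic XSS check (hypothetical helper): wrap a harmless marker in
    angle brackets and see whether it comes back byte-for-byte. Escaped output
    turns '<' into '&lt;', so the probe string disappears from safe pages."""
    probe = "<" + marker + ">"
    return probe in render(probe)


def audit():
    """Run both checks against both handler variants and return the findings."""
    conn = make_db()
    return {
        "sqli_vulnerable": quote_breaks_query(lambda n: find_user_vulnerable(conn, n)),
        "sqli_hardened": quote_breaks_query(lambda n: find_user_hardened(conn, n)),
        "xss_vulnerable": reflects_unescaped(greet_vulnerable),
        "xss_hardened": reflects_unescaped(greet_hardened),
    }


if __name__ == "__main__":
    for check, flagged in audit().items():
        print(f"{check:16s} {'FLAGGED' if flagged else 'clean'}")
```

Note that the hardened lookup still answers the legitimate query correctly (`find_user_hardened(conn, "alice")` returns the admin row) and simply returns no rows for the stray quote; fixing the defect costs nothing in functionality, which is the message a scanner finding should carry back to the development team.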
Source: http://it.toolbox.com/