BeyondTrust

Security in Context: The BeyondTrust Blog

Welcome to Security in Context

Bringing you news and commentary on solutions and strategies for protecting critical IT infrastructure in the context of your business.

The Importance of Web Application Scanning

Posted August 23, 2010    Morey Haber

The art of hacking a computer, operating system, and application has evolved over time. What was once seen as relatively simple hacks have been suppressed due to various intrusion prevention mechanisms developed by network security companies. Breaching a company’s perimeter to gain direct unauthorized access to an organization’s network is not as simple as it used to be…or as simple as some people think. Modern networks include multiple firewalls, network vulnerability assessment scanners, intrusion prevent products, and endpoint protection solutions all defending critical infrastructure. Restricted by these defenses, hackers have been aggressively testing other ways to breach corporate and government networks.

Even with the best security plans and technology, hackers have identified holes in the most common infrastructure, one of which until relatively recently, organizations did not consider: Web Applications. According to The Web Application Security Consortium 99% of web application are not compliant with PCI DSS standard requirements, and 48% of web applications are not compliant with criteria of ASV scanning by PCI DSS. By design, many web applications are publicly available on the internet and are designed to market and service business transactions for organizations and fall under these regulations. This provides hackers with direct and easy access to your business, and provides virtually unlimited attempts for them to test their hacks against your application. Since the revolution of using the internet for conducting business, organizations have been able to connect seamlessly with suppliers, customers and other business related associates. This has now left many applications exposed to a plethora of previously unknown security risks such as SQL Injection, Cross Site Scripting etc.

Web applications are now one of the biggest threats to an organizations security. Inherently they are much more difficult to defend versus traditional applications that benefit from the security infrastructure that has been already deployed. In order to detect and properly defend against web application threats you must first have the capability to identify these vulnerabilities. This includes performing web application vulnerability assessment scanning.

By definition, web application scanner is an automated vulnerability assessment solution that crawls a website (either automatically or has been trained) looking for vulnerabilities within web apps. The solution analyzes all web pages and files that it finds, and builds a structure of the entire website. The scanner then performs automated checks against security vulnerabilities by launching a series of common web attacks and analyzes the results for vulnerabilities.

Considering the overall process, and complexity of modern web applications, here are a few important features to consider:

  • The ability to crawl a website regardless of technology and analyze the results.
  • Merge traditional (operating system and application) and web application vulnerability assessment data in one report to reveal the current overall security posture for a system.
  • Provide reports with actionable details such that administrators and developers can correct the flaws in a timely manner

The best way to identify web application security threats is to perform web application vulnerability assessment. The importance of these threats could leave your organization exposed if they are not properly identified and mitigated. Therefore, implementing a web application scanning solution should be of paramount importance for your organizations security plans in the future.

For additional information, read Chris Silva’s blog regarding Mass Infection via SQL Injection and how web application vulnerability scanning can protect you from such thing: Mass Infection via SQL Injection

Tags:
, , ,

Leave a Reply

Additional articles

flash-logo

Adobe Patches Zero-Day Flaw Being Exploited in the Wild

Posted January 22, 2015    BeyondTrust Research Team

Earlier this week, French malware researcher Kafeine reported on a new Adobe Flash zero-day vulnerability that was being exploited in the wild using the latest versions of the Angler Exploit Toolkit. “Any version of Internet Explorer or Firefox with any version of Windows will get owned if Flash up to 16.0.0.287 (included) is installed and enabled”…

Tags:
, , , , ,

Your Data Security Strategy Starts with Deploying a Least Privilege Model (part 2 of 2)

Posted January 22, 2015    Scott Lang

In last week’s blog, we talked about how controls and accountability must be put into place so that only the right folks can access data and the systems on which that data resides, and that employing a least privilege model helps to achieve that and more. We’re using conclusions and data from a recent report…

Tags:
, , , ,
Larry-Brock-CISO

Basic Blocking and Tackling for Defending Against Advanced Targeted Attacks

Posted January 22, 2015    Larry Brock

With football season at its pinnacle at both the college and professional levels, the best teams continually focus on the fundamentals that make them successful. In security, we need to do the same.  It is okay for us to have a few key plays, especially in certain industries where we have to focus on unique…

Tags:
, , , , ,