BeyondTrust

Security in Context: The BeyondTrust Blog

Welcome to Security in Context

Bringing you news and commentary on solutions and strategies for protecting critical IT infrastructure in the context of your business.

The Importance of Web Application Scanning

Posted August 23, 2010    Morey Haber

The art of hacking a computer, operating system, and application has evolved over time. What was once seen as relatively simple hacks have been suppressed due to various intrusion prevention mechanisms developed by network security companies. Breaching a company’s perimeter to gain direct unauthorized access to an organization’s network is not as simple as it used to be…or as simple as some people think. Modern networks include multiple firewalls, network vulnerability assessment scanners, intrusion prevent products, and endpoint protection solutions all defending critical infrastructure. Restricted by these defenses, hackers have been aggressively testing other ways to breach corporate and government networks.

Even with the best security plans and technology, hackers have identified holes in the most common infrastructure, one of which until relatively recently, organizations did not consider: Web Applications. According to The Web Application Security Consortium 99% of web application are not compliant with PCI DSS standard requirements, and 48% of web applications are not compliant with criteria of ASV scanning by PCI DSS. By design, many web applications are publicly available on the internet and are designed to market and service business transactions for organizations and fall under these regulations. This provides hackers with direct and easy access to your business, and provides virtually unlimited attempts for them to test their hacks against your application. Since the revolution of using the internet for conducting business, organizations have been able to connect seamlessly with suppliers, customers and other business related associates. This has now left many applications exposed to a plethora of previously unknown security risks such as SQL Injection, Cross Site Scripting etc.

Web applications are now one of the biggest threats to an organizations security. Inherently they are much more difficult to defend versus traditional applications that benefit from the security infrastructure that has been already deployed. In order to detect and properly defend against web application threats you must first have the capability to identify these vulnerabilities. This includes performing web application vulnerability assessment scanning.

By definition, web application scanner is an automated vulnerability assessment solution that crawls a website (either automatically or has been trained) looking for vulnerabilities within web apps. The solution analyzes all web pages and files that it finds, and builds a structure of the entire website. The scanner then performs automated checks against security vulnerabilities by launching a series of common web attacks and analyzes the results for vulnerabilities.

Considering the overall process, and complexity of modern web applications, here are a few important features to consider:

  • The ability to crawl a website regardless of technology and analyze the results.
  • Merge traditional (operating system and application) and web application vulnerability assessment data in one report to reveal the current overall security posture for a system.
  • Provide reports with actionable details such that administrators and developers can correct the flaws in a timely manner

The best way to identify web application security threats is to perform web application vulnerability assessment. The importance of these threats could leave your organization exposed if they are not properly identified and mitigated. Therefore, implementing a web application scanning solution should be of paramount importance for your organizations security plans in the future.

For additional information, read Chris Silva’s blog regarding Mass Infection via SQL Injection and how web application vulnerability scanning can protect you from such thing: Mass Infection via SQL Injection

Tags:
, , ,

Leave a Reply

Additional articles

Dark Reading

2014: The Year of Privilege Vulnerabilities

Posted December 18, 2014    Chris Burd

Of the 30 critical-rated Microsoft Security Bulletins this year, 24 involved vulnerabilities where the age-old best practice of “least privilege” could limit the impact of malware and raise the bar of difficulty for attackers.

Tags:
, , , , ,
dave-shackleford-headshot

Looking back on information security in 2014

Posted December 16, 2014    Dave Shackleford

Dave Shackleford is a SANS Instructor and founder of Voodoo Security. Join Dave for a closer look at the year in security, and learn what you can do to prepare for 2015, with this upcoming webinar. 2014 has been one heck of an insane year for information security professionals. To start with, we’ve been forced…

Tags:
, ,
patch-tuesday

December 2014 Patch Tuesday

Posted December 9, 2014    BeyondTrust Research Team

This month marks the final Patch Tuesday of 2014. Most of what is being patched this month includes Internet Explorer, Exchange, Office, etc… and continues a trend of the greatest hits collection of commonly attacked Microsoft software. Probably the one thing that broke the mold this month is that for once there is not some…

Tags:
,