BeyondTrust

Security in Context: The BeyondTrust Blog

Welcome to Security in Context

Bringing you news and commentary on solutions and strategies for protecting critical IT infrastructure in the context of your business.

The Importance of Web Application Scanning

Posted August 23, 2010    Morey Haber

The art of hacking a computer, operating system, and application has evolved over time. What was once seen as relatively simple hacks have been suppressed due to various intrusion prevention mechanisms developed by network security companies. Breaching a company’s perimeter to gain direct unauthorized access to an organization’s network is not as simple as it used to be…or as simple as some people think. Modern networks include multiple firewalls, network vulnerability assessment scanners, intrusion prevent products, and endpoint protection solutions all defending critical infrastructure. Restricted by these defenses, hackers have been aggressively testing other ways to breach corporate and government networks.

Even with the best security plans and technology, hackers have identified holes in the most common infrastructure, one of which until relatively recently, organizations did not consider: Web Applications. According to The Web Application Security Consortium 99% of web application are not compliant with PCI DSS standard requirements, and 48% of web applications are not compliant with criteria of ASV scanning by PCI DSS. By design, many web applications are publicly available on the internet and are designed to market and service business transactions for organizations and fall under these regulations. This provides hackers with direct and easy access to your business, and provides virtually unlimited attempts for them to test their hacks against your application. Since the revolution of using the internet for conducting business, organizations have been able to connect seamlessly with suppliers, customers and other business related associates. This has now left many applications exposed to a plethora of previously unknown security risks such as SQL Injection, Cross Site Scripting etc.

Web applications are now one of the biggest threats to an organizations security. Inherently they are much more difficult to defend versus traditional applications that benefit from the security infrastructure that has been already deployed. In order to detect and properly defend against web application threats you must first have the capability to identify these vulnerabilities. This includes performing web application vulnerability assessment scanning.

By definition, web application scanner is an automated vulnerability assessment solution that crawls a website (either automatically or has been trained) looking for vulnerabilities within web apps. The solution analyzes all web pages and files that it finds, and builds a structure of the entire website. The scanner then performs automated checks against security vulnerabilities by launching a series of common web attacks and analyzes the results for vulnerabilities.

Considering the overall process, and complexity of modern web applications, here are a few important features to consider:

  • The ability to crawl a website regardless of technology and analyze the results.
  • Merge traditional (operating system and application) and web application vulnerability assessment data in one report to reveal the current overall security posture for a system.
  • Provide reports with actionable details such that administrators and developers can correct the flaws in a timely manner

The best way to identify web application security threats is to perform web application vulnerability assessment. The importance of these threats could leave your organization exposed if they are not properly identified and mitigated. Therefore, implementing a web application scanning solution should be of paramount importance for your organizations security plans in the future.

For additional information, read Chris Silva’s blog regarding Mass Infection via SQL Injection and how web application vulnerability scanning can protect you from such thing: Mass Infection via SQL Injection

Tags:
, , ,

Leave a Reply

Additional articles

red-thumbprint

Why big data breaches won’t always be so easy

Posted September 19, 2014    Byron Acohido

This blog post is republished with the permission of ThirdCertainty. See the original post here. – Why big data breaches won’t always be so easy By: Byron Acohido, Editor-In-Chief, ThirdCertainty Some day, perhaps fairly soon, it will be much more difficult for data thieves to pull off capers like the headline-grabbing hacks of Home Depot and Target….

Tags:
, , , , ,
pbps-blog2

8 Reasons Your Privileged Password Management Solution Will Fail

Posted September 18, 2014    Chris Burd

Leveraging complex, frequently updated passwords is a basic security best practice for protecting privileged accounts in your organization. But if passwords are such a no-brainer, why do two out of three data breaches tie back to poor password management? The fact is that not all privileged password management strategies are created equal, so it’s critical…

Tags:
, , , , , ,
pbps-customer-campaign-image

You Change Your Oil Regularly; Why Not Your Passwords?

Posted September 11, 2014    Chris Burd

There are many things in life that get changed regularly:  your car oil, toothbrush and hopefully, your bed sheets.  It’s rare that you give these things much thought – even when you forget to change them. But what if you’re forgetting something that can cost you millions of dollars if left unchanged for long periods…

Tags:
, , ,