BeyondTrust

Security in Context: The BeyondTrust Blog

Welcome to Security in Context

Bringing you news and commentary on solutions and strategies for protecting critical IT infrastructure in the context of your business.

The Importance of Web Application Scanning

Posted August 23, 2010    Morey Haber

The art of hacking a computer, operating system, and application has evolved over time. What was once seen as relatively simple hacks have been suppressed due to various intrusion prevention mechanisms developed by network security companies. Breaching a company’s perimeter to gain direct unauthorized access to an organization’s network is not as simple as it used to be…or as simple as some people think. Modern networks include multiple firewalls, network vulnerability assessment scanners, intrusion prevent products, and endpoint protection solutions all defending critical infrastructure. Restricted by these defenses, hackers have been aggressively testing other ways to breach corporate and government networks.

Even with the best security plans and technology, hackers have identified holes in the most common infrastructure, one of which until relatively recently, organizations did not consider: Web Applications. According to The Web Application Security Consortium 99% of web application are not compliant with PCI DSS standard requirements, and 48% of web applications are not compliant with criteria of ASV scanning by PCI DSS. By design, many web applications are publicly available on the internet and are designed to market and service business transactions for organizations and fall under these regulations. This provides hackers with direct and easy access to your business, and provides virtually unlimited attempts for them to test their hacks against your application. Since the revolution of using the internet for conducting business, organizations have been able to connect seamlessly with suppliers, customers and other business related associates. This has now left many applications exposed to a plethora of previously unknown security risks such as SQL Injection, Cross Site Scripting etc.

Web applications are now one of the biggest threats to an organizations security. Inherently they are much more difficult to defend versus traditional applications that benefit from the security infrastructure that has been already deployed. In order to detect and properly defend against web application threats you must first have the capability to identify these vulnerabilities. This includes performing web application vulnerability assessment scanning.

By definition, web application scanner is an automated vulnerability assessment solution that crawls a website (either automatically or has been trained) looking for vulnerabilities within web apps. The solution analyzes all web pages and files that it finds, and builds a structure of the entire website. The scanner then performs automated checks against security vulnerabilities by launching a series of common web attacks and analyzes the results for vulnerabilities.

Considering the overall process, and complexity of modern web applications, here are a few important features to consider:

  • The ability to crawl a website regardless of technology and analyze the results.
  • Merge traditional (operating system and application) and web application vulnerability assessment data in one report to reveal the current overall security posture for a system.
  • Provide reports with actionable details such that administrators and developers can correct the flaws in a timely manner

The best way to identify web application security threats is to perform web application vulnerability assessment. The importance of these threats could leave your organization exposed if they are not properly identified and mitigated. Therefore, implementing a web application scanning solution should be of paramount importance for your organizations security plans in the future.

For additional information, read Chris Silva’s blog regarding Mass Infection via SQL Injection and how web application vulnerability scanning can protect you from such thing: Mass Infection via SQL Injection

Tags:
, , ,

Leave a Reply

Additional articles

asp-mvc

Exploiting MS14-059 because sometimes XSS is fun, sometimes…

Posted October 17, 2014    BeyondTrust Research Team

This October, Microsoft has provided a security update for System.Web.Mvc.dll which addresses a ‘Security Feature Bypass’. The vulnerability itself is in ASP.NET MVC technology and given its wide adoption we thought we would take a closer look. Referring to the bulletin we can glean a few useful pieces of information: “A cross-site scripting (XSS) vulnerability exists…

Tags:
4bestpracticesaudits-blog

Four Best Practices for Passing Privileged Account Audits

Posted October 16, 2014    Chris Burd

Like most IT organizations, your team may periodically face the “dreaded” task of being audited. Your process for delegating privileged access to desktops, servers, and infrastructure devices is a massive target for the auditor’s microscope. An audit’s findings can have significant implications on technology and business strategy, so it’s critical to make sure you’re prepared…

Tags:
, , , ,

Bad POODLE, Don’t Bite!

Posted October 16, 2014    BeyondTrust Research Team

Researchers at Google (Bodo Moller, Thai Duong, and Krzysztof Kotowicz) have discovered that the encryption schemes used by SSL 3.0 are exploitable (CVE-2014-3566). Although the majority of web servers implement Transport Layer Security (TLS), the majority of clients will downgrade to SSL 3.0 in an attempt to maintain interoperability between protocols. For example, when a…

Tags:
,