Selecting and testing a web application security scanner can feel like an overwhelming process, and for good reason. There is potentially a lot at stake, and the wrong decision can have far-reaching consequences.
One of the easiest solutions is to develop a framework for making your decision – a system by which you can measure and assess potential candidates before reaching a conclusion. This post will address the more common questions and concerns that frequently come up when selecting an automated web application security scanner. We’re going to discuss a variety of factors that will help you come to a more confident decision.
We’ll break this guide into three sections. First is understanding your needs – knowing your requirements helps narrow down the candidates early on. Then we’ll cover some of the features you should look for in an effective scanner. Finally, we’ll discuss the functionality that is often essential to making a scanner both useful and effective.
Step 1: Examine Your Web Security Needs
Before you can properly test a web application security scanner, you need to outline your requirements. The goal is not to find a perfect solution, merely the most appropriate one, and not every scanner fits every environment. Here is a brief list of variables and compatibility issues to consider:
- Which language and framework is your application built with (Java, PHP, .NET, something else)?
- Does your app use anti-forgery (CSRF) tokens? A scanner that cannot extract and resubmit them will have most of its requests rejected, and its results will be meaningless.
- Does your site require authentication? If so, the scanner needs a working login method, a way to keep its session alive, and a way to avoid logging itself out mid-scan.
- Are URL rewrites used? Parameters carried in the path rather than the query string are easy for a crawler to mistake for static pages.
- Do you require rapid scalability – how many applications do you need to monitor?
- Do you prefer a solution that is automatically maintained and updated?
- Do you require API access?
- Do you require team collaboration features?
- What kind of reporting features do you need?
Step 2: Assess the Web Scanner’s Features
There will never be a perfect answer when it comes to selecting the best scanner. You need to consider both the application being tested and the end user. What works well for me may not work as well for you.
Balancing UX and Functionality
You might wonder what place user experience has in the selection process. Shouldn’t effectiveness be first and foremost? In many ways, you’d be right, but here’s the problem: A security scanner is just a tool. Its use requires input and assessment from you, the end user.
That means there must be an appropriate balance between usability and functionality/effectiveness. An application that is difficult or cumbersome to operate is rarely used to its full capabilities. It’s critical that the end user feels comfortable using the scanner. At the same time, a beautiful, easy-to-use interface that fails to crawl your application properly is just as ineffective as one that doesn’t get used at all.
Vulnerability Detection Capability / Security Scan Coverage
How many classes of vulnerability does your scanner check for? While it’s important to cover the common ones such as Cross-Site Scripting, it’s just as important to scan for the less glamorous ones, such as directory listing left enabled or administrative directories left unprotected. Ideally, you want a scanner that covers a broad spectrum, but that leads us to our next important consideration: continual updates.
It’s important that your scanner is relevant today, tomorrow and six months from now. Your security scanner should be kept updated with checks for newly published vulnerability classes and attack techniques. More often than not, that means having a qualified team behind the product who are committed to staying a step ahead of attackers. The longer it takes for your scanner to gain detection for a newly published vulnerability, the longer the window in which it can be exploited against you without being flagged.
Scalability matters depending on how many web applications you are responsible for monitoring. If you have hundreds or thousands of applications to stay on top of, then when a new vulnerability is being exploited in the wild you need to be able to test all of them quickly and get back to business. If your scanner is burdensome to use or limited in the number of simultaneous scans it can run, you are increasing your risk exposure unnecessarily.
It should go without saying that your web vulnerability scanner should include support. When the security of your web application is at stake, you shouldn’t have to worry about a support department as well. Always test support – it’s one thing to post a support page on a website, it’s another to respond in a timely manner to customer enquiries. Anytime security is an issue, time is of the essence.
Step 3: Assess Scanner Functionality
Using a web vulnerability scanner requires that you trust the application to do its job. This isn’t something that happens overnight. It’s the result of using the security scanner repeatedly and learning where it performs well, and where additional human input might be required.
A security scanner isn’t meant to be a replacement for experienced penetration testers – it’s meant to make the process more efficient. Live penetration testing and auditing of scanner results is always a good idea.
As you test functionality and features, it’s fine to evaluate a security scanner in a test environment, but results against a real application (ideally a staging copy with production-like data) tell you far more than results against a demo app. Be careful before pointing a scanner at a live production system: an active scan submits every form and follows every link it finds, so it can create records, send email, delete data or degrade performance. Get authorisation, understand exactly what your scanner will do, and exclude destructive actions first. Here are some of the functions you should expect to see incorporated in your scanner:
Effective Scanning of Your Application
Trusting your scanner to detect vulnerabilities begins with its ability to crawl your application thoroughly: a page the crawler never reaches is a page that is never tested, no matter how many checks the scanner supports. When your scanner generates a sitemap of your application, compare the crawled sitemap with the real one (the framework’s route list, a sitemap.xml, or the paths seen in access logs). Any route the scanner missed is a blind spot where it cannot find anything; common causes are that it was not authenticated with the right role, or that it could not follow JavaScript-driven navigation.
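The coverage comparison described above, as an added example that is not code from the original post or from any particular scanner: a short Python script that normalizes a scanner’s exported URL list to bare paths, matches those paths against the application’s route templates, and reports routes the crawler never reached. The URLs, the route templates and the host app.example.com are constructed for illustration; in practice the crawled list is exported from the scanner and the route list comes from your framework’s router, a sitemap.xml or access logs.

```python
"""Check how much of an application a scanner's crawler actually reached.

Added example for this guide; not code from any particular scanner. The two
input lists are constructed: in practice the crawled list is exported from the
scanner and the route list comes from the framework's router, a sitemap.xml or
the web server's access logs.
"""
import re
from urllib.parse import urlsplit

# Constructed sample data (assumed host and paths, not a real application).
CRAWLED = [
    "https://app.example.com/",
    "https://app.example.com/login",
    "https://app.example.com/account/settings?tab=profile",
    "https://app.example.com/account/settings?tab=security",
    "https://app.example.com/orders/1042",
    "https://app.example.com/orders/1043/",
    "https://app.example.com/static/app.js#top",
]

# Route templates as the application's router knows them; {id} is a placeholder.
ACTUAL_ROUTES = [
    "/",
    "/login",
    "/logout",
    "/account/settings",
    "/orders/{id}",
    "/orders/{id}/invoice",
    "/admin",
    "/api/v1/users/{id}",
]


def normalize(url: str) -> str:
    """Reduce a crawled URL to its path: drop scheme, host, query string and
    fragment, and strip a trailing slash so variants of one page compare equal."""
    path = urlsplit(url).path or "/"
    return path.rstrip("/") if len(path) > 1 else path


def route_to_regex(route: str) -> "re.Pattern[str]":
    """Turn a route template such as /orders/{id} into a regex in which each
    {placeholder} matches exactly one non-empty path segment."""
    segments = [] if route == "/" else route.strip("/").split("/")
    parts = [r"[^/]+" if s.startswith("{") and s.endswith("}") else re.escape(s)
             for s in segments]
    return re.compile("^/" + "/".join(parts) + "$")


def coverage_report(crawled, routes):
    """Return (covered, missed, unexpected): route templates the crawler reached,
    route templates it never reached, and crawled paths matching no known route."""
    seen = {normalize(u) for u in crawled}
    compiled = {r: route_to_regex(r) for r in routes}
    covered = sorted(r for r, rx in compiled.items() if any(rx.match(p) for p in seen))
    missed = sorted(r for r in routes if r not in covered)
    unexpected = sorted(p for p in seen if not any(rx.match(p) for rx in compiled.values()))
    return covered, missed, unexpected


def coverage_ratio(crawled, routes) -> float:
    """Fraction of known route templates that the crawler reached at least once."""
    covered, _, _ = coverage_report(crawled, routes)
    return len(covered) / len(routes) if routes else 0.0


if __name__ == "__main__":
    covered, missed, unexpected = coverage_report(CRAWLED, ACTUAL_ROUTES)
    print(f"crawl coverage: {coverage_ratio(CRAWLED, ACTUAL_ROUTES):.0%}")
    for r in missed:
        print("never crawled (so never tested):", r)
    for p in unexpected:
        print("crawled but not in the route list (review):", p)
```

In the constructed data the crawler covers only half of the routes: it never reached /logout, /admin or the API and invoice routes. That pattern is worth recognising when you see it for real. /logout is usually excluded on purpose so the scanner does not destroy its own session; an unreached /admin normally means the scanner was not given an account with the right role; API routes that are only called from JavaScript are invisible to a crawler that does not execute scripts and must be fed to the scanner another way, for instance from an API definition or a proxy capture.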
False Positives and False Negatives
While false positives waste resources, false negatives can pose a significant security risk – both are a concern. If possible, involve someone from support when testing a scanner for the first time. Scanner settings can have an impact on the effectiveness of the scanner as well as the total number of false results.
There are two things to look at here. First, compare the lists of vulnerabilities generated by different scanners against the same application, and triage the differences as true findings, false positives or false negatives. Second, cross-check your scanner’s results against those of your penetration tester. While a human tester cannot check for thousands of vulnerability variants, you should review a sample large enough to give you confidence in the results. The more you use an automated scanner, the more you’ll understand its nuances, strengths and weaknesses.
Does your web security scanner present a detailed report when a vulnerability is identified? Specific results (the exact request, parameter and evidence) make the remediation process more efficient. Also, does the scanner provide a recommended fix when it locates a vulnerability, and can you easily assign the finding to a specific team member?
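A concrete way to do the cross-check described above, added here as an example rather than taken from the original post or from any scanner vendor: findings are keyed by (vulnerability class, path, parameter), the penetration tester’s confirmed findings act as ground truth, and each scanner’s output is scored for true positives, false positives and false negatives, from which precision and recall follow. All findings below are constructed sample data, and the example assumes every reported finding was manually verified, so that anything the tester did not confirm counts as a false positive.

```python
"""Score scanner output against a penetration tester's confirmed findings.

Added example for this guide, not taken from any scanner or vendor. Findings
are keyed by (vulnerability class, path, parameter). The example assumes every
reported finding was manually verified, so a reported finding the tester did
not confirm is counted as a false positive. All findings are constructed.
"""

# Constructed ground truth: what the human tester confirmed by hand.
PENTEST_CONFIRMED = {
    ("xss", "/search", "q"),
    ("sqli", "/orders", "id"),
    ("idor", "/api/v1/users/{id}", "id"),
    ("csrf", "/account/settings", None),
}

# Constructed scanner output; the comments record what manual triage decided.
SCANNER_RESULTS = {
    "scanner_a": {
        ("xss", "/search", "q"),                 # confirmed
        ("sqli", "/orders", "id"),               # confirmed
        ("csrf", "/account/settings", None),     # confirmed
        ("xss", "/login", "next"),               # triaged: output is encoded, false positive
        ("csrf", "/logout", None),               # triaged: nothing worth forging, false positive
    },
    "scanner_b": {
        ("xss", "/search", "q"),                 # confirmed
        ("idor", "/api/v1/users/{id}", "id"),    # confirmed
    },
}


def score(confirmed: set, reported: set) -> dict:
    """Count true/false positives and false negatives and derive precision
    (how much of the report is real) and recall (how much of the truth was found)."""
    tp, fp, fn = reported & confirmed, reported - confirmed, confirmed - reported
    return {
        "tp": len(tp),
        "fp": len(fp),
        "fn": len(fn),
        "precision": len(tp) / len(reported) if reported else 0.0,
        "recall": len(tp) / len(confirmed) if confirmed else 0.0,
        "false_positives": sorted(fp, key=str),
        "false_negatives": sorted(fn, key=str),
    }


def compare_scanners(confirmed: set, results: dict) -> dict:
    """Score every scanner against the same ground truth."""
    return {name: score(confirmed, findings) for name, findings in results.items()}


def exclusive_findings(results: dict) -> dict:
    """Findings each scanner reported that no other scanner did: the first
    candidates for a human to triage when scanners disagree."""
    return {
        name: findings - set().union(*(f for n, f in results.items() if n != name))
        for name, findings in results.items()
    }


if __name__ == "__main__":
    for name, m in compare_scanners(PENTEST_CONFIRMED, SCANNER_RESULTS).items():
        print(f"{name}: TP={m['tp']} FP={m['fp']} FN={m['fn']} "
              f"precision={m['precision']:.2f} recall={m['recall']:.2f}")
        for f in m["false_negatives"]:
            print("  missed:", f)
    for name, only in exclusive_findings(SCANNER_RESULTS).items():
        print(f"{name} alone reported {len(only)} finding(s)")
```

In the constructed data scanner_b reports nothing false and looks cleaner, yet it found only half of the confirmed issues, including missing the SQL injection; scanner_a is noisier but missed only the IDOR. Precision is what your team feels day to day; recall is what an attacker feels. Before drawing a conclusion, weight the missed findings by severity rather than counting them, and repeat the exercise after tuning each scanner’s settings, since the text above is right that configuration changes both numbers.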
Choosing an Automated Security Scanner
As you can see, choosing the ideal web application security scanner is not a process to be taken lightly. There are many factors to consider and inevitably, you want to make as few compromises as possible. Used properly, automated security scanners are not only useful but necessary tools that result in web applications being developed in a more cost-effective and secure manner.