Saturday, August 06, 2011

Using the Right Tool: Web Application Scanner vs. Web Application Firewall

A web application or vulnerability scanner scans a website or web application to determine the vulnerabilities in the application as a snapshot in time. If the application is not altered and the scanner is not updated, you would get the same results every time the scan is run. In other words, a scanner's nature is static: it does not react to the changing dynamics that are typical of a live environment. From that viewpoint, scanners tend to be a good assessment tool for testing during development and pre-production or pre-release of an application.

It is important to note that scanning of production sites should be avoided at all cost, not only from the viewpoint of performance degradation but also because of the potential to corrupt the live database. This is an important distinction which I will refer back to when comparing with web application firewalls.

Commercial scanners such as Acunetix bring with them a lot of additional out-of-the-box features and functionality. They also provide tools for advanced testing and penetration testing. Thus, scanners fall under the realm of testing and would be better utilized during the testing and development phases of a project.

Web Application Firewalls (WAF), on the other hand, provide real-time, live monitoring of the application. They monitor every request coming to the web server while the application is in the production environment. A WAF guards the application by auditing requests against security rules and configurations that are set manually and learnt by the WAF itself. Furthermore, a WAF, such as the one from Imperva, can block, alert, and apply a virtual patch while the development team works on the real fix. This makes them extremely powerful in protecting a live web application and live data. Contrast this with a web application scanner, which is not intended for a production site and cannot provide protection in real time.

If the attack vector changes, the same application which was tested secure using a scanner can be vulnerable to new forms of attack. I have read many articles where the author has shown examples of websites that were hacked in spite of scanners finding them invulnerable. Again, remember, the intended time of scanner use is during development and testing, because of its snapshot nature. In the production environment the dynamics are different, from configurations to network management to ever-changing attack vectors.

Are web application scanners necessary if web application firewalls can provide the ultimate safety net?

Absolutely yes; in fact, they are needed even more. First, scanning during development and testing ensures that the application is robust. A robust application with a web application firewall to enhance its security is more secure than a weak or vulnerable application behind the same firewall. If the web application firewall is the icing, you want it on the cake, not the soup.

Therefore organizations must include both web application scanners and a web application firewall.

ebusinessmantra offers web application or vulnerability scanners from Acunetix and a web application firewall from Imperva. In addition, we have the right solutions and products for small to mid-size businesses.

Wednesday, June 08, 2011

Can site audit replace need for secure coding practices?

A web application development company, rather than employing data validation and sanitization, chooses to audit an eCommerce site for PCI compliance and agrees to remediate vulnerabilities found during the audit. Is this a clever way of doing the bare minimum while at the same time deflecting the liability to the auditing company?

Data validation is like diet and exercise: general and non-targeted. An audit is like a medical test: specific and targeted. The former is preventive whereas the latter is diagnostic.

Like everything else in life, you can live with one, both, or none, depending on your risk tolerance. For development organizations, which contract to build web applications for their customers, secure coding adds to the cost of the project, in terms of training, hiring developers experienced in secure coding, and added time.

Of course, there is another consideration: standard coding practices. Whether written into the contract or not, there is an understanding that a serious organization and mature developers would be expected to follow standard coding practices. But here's the caveat: who defines the standards? The same organization that is trying to duck its responsibilities defines its corporate coding standards, and it does so by excluding secure coding practices. This is important when writing contracts: web site owners must include the standards as an addendum to the contract.

Relying on the web development organization to implement secure coding gives a false sense of security. Rather than stating general requirements in the contract to adhere to standards, specifics must be included. For example, the value of each variable received from another system or from a user must first be validated to check for its expected length and for numeric, non-numeric, or alpha-numeric content, as the case may be.
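To show what that kind of specific contract requirement looks like when implemented, here is an allow-list validator that checks each received value for expected length and character class. This is example code added to this post, not the contractor's or ebusinessmantra's code; the field names, length limits and sample submissions are assumptions made for the illustration.

```python
import re

# Allow-list validation of received values: each field is checked for
# expected length and character class before the application uses it.
# Field specs and sample submissions below are constructed for this example.

FIELD_SPECS = {
    # field name: (character class, min length, max length)
    "zip":      ("numeric", 5, 5),
    "order_id": ("alphanumeric", 8, 12),
    "country":  ("alpha", 2, 2),
    "quantity": ("numeric", 1, 3),
}

# \A and \Z anchor the whole string; "$" would silently allow a trailing newline.
CLASS_PATTERNS = {
    "numeric":      re.compile(r"\A[0-9]+\Z"),
    "alpha":        re.compile(r"\A[A-Za-z]+\Z"),
    "alphanumeric": re.compile(r"\A[A-Za-z0-9]+\Z"),
}

def validate_field(name, value):
    """Return None if value meets the spec for name, otherwise a reason string."""
    if name not in FIELD_SPECS:
        return "unexpected field"  # anything not on the allow-list is rejected
    if not isinstance(value, str):
        return "not a string"
    cls, lo, hi = FIELD_SPECS[name]
    if not lo <= len(value) <= hi:
        return f"length {len(value)} outside {lo}-{hi}"
    if not CLASS_PATTERNS[cls].match(value):
        return f"not {cls}"
    return None

def validate_request(params):
    """Validate every submitted parameter; a missing required field is also an error."""
    errors = {name: "missing" for name in FIELD_SPECS if name not in params}
    for name, value in params.items():
        reason = validate_field(name, value)
        if reason:
            errors[name] = reason
    return errors

# Constructed sample submissions: one clean, one with malformed and extra values.
GOOD = {"zip": "30301", "order_id": "ORD2011A1", "country": "US", "quantity": "2"}
BAD = {"zip": "30301-1234", "order_id": "ORD2011A1", "country": "U5",
       "quantity": "2", "debug": "1"}

if __name__ == "__main__":
    print("good:", validate_request(GOOD))
    print("bad: ", validate_request(BAD))
```

A spec table like this can be attached to the contract addendum field by field, which is far easier to verify during an audit than a generic "follow secure coding standards" clause.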

Wait a minute: are web site owners expected to know what secure coding is in order to demand secure coding? The answer is yes when dealing with development organizations that have no scruples. Unfortunately, not many businesses are security savvy, and very rarely would they have someone on staff who is technically skilled in web application security. Before hiring a contractor for web site development, a security consultant needs to be hired. It is just like having an architect on board before hiring a building contractor.

Sunday, August 29, 2010

Web Application Security

Web application security should be a key consideration for any business that owns a web site, even if the web site is intended only to present brochure-like information.

Tuesday, February 16, 2010

Web Application Scanners - Open source vs. commercial scanners

There is an ongoing debate within the web application security community about the selection of web application scanners. With some good commercial scanners on the market and promising open source scanners, it is quite confusing for many developers and IT professionals to select one. If price alone were the consideration, it would be an easy choice, but what makes it harder is determining which product does the intended job. I have seen that in selecting one product, there is a tendency to feel like you are missing out on what the other product offers. It is like buying a car: regardless of how hard you negotiate to get the best deal, you always feel that the salesman got away with the better deal.

Let me begin with my thoughts on open source scanners. Two names that are frequently mentioned are WebScarab (OWASP) and Burp Suite (PortSwigger). Those who have worked with these products for some time firmly stand by them. To learn more about the products, I downloaded both of them; of course, the free offer was not too bad, either. After a few attempts, I quickly learnt that there is a steep learning curve associated with both of these products. The lack of a good set of documentation made it rather challenging to learn their usage and appreciate their effectiveness. As is the case with all open source products, support is provided by the community in an open forum. That may be of concern if your inquiry involves disclosing confidential information. Furthermore, if your questions are time sensitive, you can expect to be disappointed waiting for an answer.


Turning to commercial products, the one I have used extensively is Acunetix Web Vulnerability Scanner (http://www.ebusinessmantra.com/buywebsecurityscanner.aspx). Right "out of the box", the product is easy to install, comes with detailed documentation, and has support from the vendor. That's a big plus for commercial products. Literally within a few minutes after download, I had a list of vulnerabilities in the application I tested. I certainly cannot say that for the open source products. What value do you put on your time? Do you have time to learn the use of open source products by yourself, especially in the face of deadlines? Can you afford to remain vulnerable while you figure out how to use them? Can you afford to remain vulnerable while you wait for someone to answer your question? These are the questions you have to ask yourself.


Also of note: all products, open source and commercial, come with their faults, in that they all report false positives and false negatives. So the results of each product, open source or commercial, have to be evaluated for correctness. Some may ask, why spend money if the outcome is not assured? As we saw earlier, it is the time you save getting to the outcome, not just the outcome. The other advantage of a commercial product is that one product contains features that test for a variety of parameters, whereas open source products typically test for specific vulnerabilities. With open source you have to have multiple products to test for a variety of parameters, for example, one product for port scanning and others for vulnerability scanning, file checks, directory checks, perhaps the Google Hacking Database (GHDB), and so on. Now, given the learning curve associated with each product, I think I would prefer a commercial product, and that should be true for all who are serious about vulnerabilities in their application.


Lastly, updates and bug fixes: how often are updates, fixes, and patches issued for open source products compared to commercial products? My first-hand experience with Acunetix is that updates are issued at least once every two weeks. Can we say the same for WebScarab and Burp Suite?

So the factors to consider when comparing open source and commercial scanners are:
• time to learn effective use of the product,
• features,
• customer support,
• product maintenance,
• and one factor to ponder: can you afford to remain vulnerable while you weigh the other factors?

Now don't get me wrong: open source scanners do have their place, so next time I will talk about when and where open source products can be effective.

Thursday, September 10, 2009

Document Management

Is managing paper in your office driving up your overhead expenses? Are you spending too much time processing, searching, storing, and retrieving documents, invoices, forms, statements, and memos?

A document management solution does not mean scanning documents to PDF format and saving them on a CD. An effective document management solution leads to transactional data management, where documents in any format and information on any media are captured, validated, and stored for archival and retrieval. Append workflow and the associated business rules to your document management solution and you have information management that can be compliant with applicable laws.

Whether you have a paper-flow problem, a home-grown document system, or just want to increase your efficiency, we have solutions that can help your business.


Web Application Security

Businesses cannot afford to compromise business data. Customer information and product and service data form the core of any business. If a business processes credit cards on its web site, then it is required to be PCI compliant.

A web site can be used as a conduit to access data and compromise a company's vital resources. Businesses must prevent that from happening; ebusinessmantra has solutions that can help your business.
