Saturday, August 06, 2011

Using the Right Tool: Web Application Scanner vs. Web Application Firewall

A web application (or vulnerability) scanner scans a website or web application to determine the vulnerabilities in that application as a snapshot in time. If the application is not altered and the scanner is not updated, you would get the same results every time the scan is run. In other words, a scanner is static by nature: it does not react to the changing dynamics that are typical of a live environment. From that viewpoint, scanners tend to be a good assessment tool for testing during development and the pre-production or pre-release phase of an application.

It is important to note that scanning of production sites should be avoided at all cost, not only because of performance degradation but also because of the potential to corrupt the live database. This is an important distinction which I will refer back to when comparing scanners with web application firewalls.

Commercial scanners such as Acunetix bring with them a lot of additional out-of-the-box features and functionality. They also provide tools for advanced testing and penetration testing. Thus, scanners fall under the realm of testing and would be better utilized during the testing and development phases of a project.

Web Application Firewalls (WAF), on the other hand, provide real-time, live monitoring of the application. They monitor every request coming to the web server while the application is in the production environment. A WAF guards the application by auditing each request against security rules and configurations that are set manually or learned by the WAF itself. Furthermore, a WAF, such as the one from Imperva, can block, alert, and apply a virtual patch while the development team works on the real fix. This makes them extremely powerful in protecting live web applications and live data. Contrast this with a web application scanner, which is not intended for production sites and cannot provide protection in real time.
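As an added illustration (not code from the original post or from any vendor's product), here is a toy model of the behaviour just described: a parameter profile learned per path, manually added virtual-patch rules, and an allow/alert/block decision per request. The path, parameter name and rule used are constructed for the example.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit


class MiniWaf:
    """Toy request auditor: a learnt per-path parameter profile plus
    manually added 'virtual patch' rules. Returns allow/alert/block."""

    def __init__(self):
        self.profile = defaultdict(set)  # path -> parameter names seen while learning
        self.rules = []                  # manual rules: (name, path, param, regex, action)
        self.learning = True             # learning mode: build the profile, never block
        self.events = []                 # audit log of (action, reason, url)

    def add_virtual_patch(self, name, path, param, pattern, action="block"):
        """Manual rule standing in for the real code fix: if `param` on `path`
        matches `pattern`, take `action` ('block' or 'alert')."""
        self.rules.append((name, path, param, re.compile(pattern), action))

    def inspect(self, url):
        parts = urlsplit(url)
        path = parts.path
        params = parse_qs(parts.query, keep_blank_values=True)
        if self.learning:
            self.profile[path].update(params)
            return "allow"
        # 1. Manual rules (virtual patches) are checked first.
        for name, rpath, param, rx, action in self.rules:
            if rpath != path:
                continue
            if any(rx.search(v) for v in params.get(param, [])):
                self.events.append((action, name, url))
                return action
        # 2. Learnt profile: unknown path or unexpected parameter names -> alert only.
        if path not in self.profile or set(params) - self.profile[path]:
            self.events.append(("alert", "deviates-from-profile", url))
            return "alert"
        return "allow"


if __name__ == "__main__":
    waf = MiniWaf()
    waf.inspect("/item?id=42")            # learning phase on constructed traffic
    waf.learning = False
    # Hypothetical virtual patch: /item's id must be numeric until the app validates it.
    waf.add_virtual_patch("item-id-numeric", "/item", "id", r"[^0-9]")
    for url in ("/item?id=17", "/item?id=17abc", "/item?id=3&debug=1"):
        print(url, "->", waf.inspect(url))
```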

If the attack vector changes, the same application which was tested as secure using a scanner can be vulnerable to new forms of attack. I have read many articles where the author has shown examples of websites that were hacked in spite of scanners finding them invulnerable. Again, remember that the intended time for scanner use is during development and testing, because of its snapshot nature. In the production environment the dynamics are different, from configurations to network management to ever-changing attack vectors.

Are web application scanners still necessary if web application firewalls can provide the ultimate safety net?

Absolutely yes; in fact, they are needed even more. First, scanning during development and testing ensures that the application is robust. A robust application whose security is enhanced by a web application firewall is more secure than a weak or vulnerable application behind the same firewall. If the web application firewall were icing, you would want it on a cake, not on soup.

Therefore, organizations must include both web application scanners and a web application firewall.

ebusinessmantra offers web application or vulnerability scanners from Acunetix and web application firewalls from Imperva. In addition, we have the right solutions and products for small to mid-size businesses.