Saturday, August 06, 2011

Using the Right Tool: Web Application Scanner vs. Web Application Firewall

A web application or vulnerability scanner scans a website or web application to determine the vulnerabilities in the application as a snapshot in time. If the application is not altered and the scanner is not updated, you would get the same results every time the scan is run. In other words, a scanner is static by nature: it does not react to the changing dynamics that are typical of a live environment. From that viewpoint, scanners tend to be a good assessment tool for testing during development and pre-production or pre-release of an application.

It is important to note that scanning of production sites should be avoided at all cost, not only because of performance degradation but also because of the potential to corrupt the live database (scanners submit test input to every form and parameter they find). This is an important distinction to which I will refer back when comparing with web application firewalls.

Commercial scanners such as Acunetix bring with them a lot of additional out-of-the-box features and functionality. They also provide tools for advanced testing and penetration testing. Thus, scanners fall under the realm of testing and are better utilized during the testing and development phases of a project.

Web Application Firewalls (WAF), on the other hand, provide real-time, live monitoring of the application. They monitor every request coming to the web server while the application is in the production environment, and guard the application by auditing requests against security rules and configurations that are set manually or learnt by the WAF itself. Furthermore, a WAF, such as the one from Imperva, can block, alert, and apply a virtual patch while the development team works on the real fix. This makes them extremely powerful in protecting live web applications and live data. Contrast this with a web application scanner, which is not intended for production sites and cannot provide protection in real time.

If the attack vector changes, the same application which was tested secure using a scanner can be vulnerable to new forms of attack. I have read many articles where the author has shown examples of websites that were hacked in spite of scanners finding them invulnerable. Again, remember, the intended time of scanner use is during development and testing, because of its snapshot nature. In the production environment the dynamics are different, from configurations to network management to ever-changing attack vectors.

Are web application scanners still necessary if web application firewalls can provide the ultimate safety net?

Absolutely yes; in fact they are needed even more. First, scanning during development and testing ensures that the application is robust. A robust application with a web application firewall in front of it is more secure than a weak or vulnerable application with the same firewall. If the web application firewall were icing, you would want it on the cake, not the soup.

Therefore organizations must include both web application scanners and a web application firewall.

ebusinessmantra offers web application or vulnerability scanners from Acunetix and the web application firewall from Imperva. In addition, we have the right solutions and products for small to mid-size businesses.

Wednesday, June 08, 2011

Can site audit replace need for secure coding practices?

A web application development company, rather than employing data validation and sanitization, chooses to audit an eCommerce site for PCI compliance and agrees to remediate the vulnerabilities found during the audit. Is this a clever way of doing the bare minimum while at the same time deflecting the liability to the auditing company?

Data validation is like diet and exercise, general and non-targeted, whereas an audit is like a medical test, specific and targeted. The former is preventive whereas the latter is diagnostic.

Like everything else in life, you can live with one, both, or none, depending on your risk tolerance. For development organizations, which contract to build web applications for their customers, secure coding adds to the cost of the project, in terms of training, hiring developers experienced in secure coding, and added time.

Of course, there is another consideration: standard coding practices. Whether written into the contract or not, there is an understanding that a serious organization and mature developers would be expected to follow standard coding practices. But here's the caveat: who defines the standards? The same organization that is trying to duck its responsibilities defines its corporate coding standards by excluding secure coding practices. This is important when writing contracts: web site owners must include the standards as an addendum to the contract.

Relying on the web development organization to implement secure coding on its own gives a false sense of security. Rather than stating general requirements in the contract to adhere to standards, specifics must be included. For example, the value of each variable received from another system or user must first be validated to check for the expected length and for the expected character class (numeric, alphabetic, or alpha-numeric, as the case may be).
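As an added illustration of the kind of specific requirement this paragraph calls for (example code, not from the original post): a declarative per-field specification of allowed length and character class, of the sort a contract addendum could spell out, and a validator that rejects any value, or any field, outside it. The field names, limits and sample requests are constructed assumptions for an eCommerce checkout form.

```python
import re

# Constructed specification: for every value accepted from a user or another
# system, the contract states the allowed character class and length range.
# Field names and limits are hypothetical.
FIELD_SPECS = {
    "quantity":   {"kind": "numeric",      "min_len": 1, "max_len": 3},
    "zip_code":   {"kind": "numeric",      "min_len": 5, "max_len": 5},
    "order_ref":  {"kind": "alphanumeric", "min_len": 8, "max_len": 12},
    "first_name": {"kind": "alpha",        "min_len": 1, "max_len": 40},
}

# Allow-list patterns: only the named character class may appear, anchored to
# the whole value (\Z, unlike $, does not match before a trailing newline).
KIND_PATTERNS = {
    "numeric":      re.compile(r"\A[0-9]+\Z"),
    "alpha":        re.compile(r"\A[A-Za-z]+\Z"),
    "alphanumeric": re.compile(r"\A[A-Za-z0-9]+\Z"),
}

def validate_field(name, value):
    """Return None if value meets the spec for `name`, otherwise a reason string."""
    spec = FIELD_SPECS.get(name)
    if spec is None:
        return f"{name}: unexpected field"        # anything not specified is rejected
    if not isinstance(value, str):
        return f"{name}: value must be a string"
    if not spec["min_len"] <= len(value) <= spec["max_len"]:
        return f"{name}: length {len(value)} outside {spec['min_len']}..{spec['max_len']}"
    if not KIND_PATTERNS[spec["kind"]].match(value):
        return f"{name}: characters outside allowed class '{spec['kind']}'"
    return None

def validate_request(fields):
    """Check every submitted field and every required one; [] means accepted."""
    errors = [e for e in (validate_field(n, v) for n, v in fields.items()) if e]
    missing = [f"{n}: missing" for n in FIELD_SPECS if n not in fields]
    return errors + missing

if __name__ == "__main__":
    # Constructed sample requests: one well-formed, one with typical bad input.
    good = {"quantity": "2", "zip_code": "90210",
            "order_ref": "A1B2C3D4", "first_name": "Ana"}
    bad = {"quantity": "12x", "zip_code": "9021",
           "order_ref": "A1B2C3D4", "debug": "1"}
    print(validate_request(good))   # []
    print(validate_request(bad))
```

Every input the application accepts must appear in the specification; a value that passes is then known to be of bounded length and drawn from a known alphabet before any further processing.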

Wait a minute, are web site owners expected to know what secure coding is in order to demand secure coding? The answer is yes when dealing with development organizations which have no scruples. Unfortunately, not many businesses are security savvy, and very rarely would they have someone on staff who is technically skilled in web application security. Before hiring a contractor for web site development, a security consultant needs to be hired. It is just like having an architect on board before hiring a building contractor.