Web application security: automated scanning versus manual penetration testing.



Similar documents
Web application security Executive brief Managing a growing threat: an executive s guide to Web application security.

Four keys to effectively monitor and control secure file transfer

The Top Web Application Attacks: Are you vulnerable?

IBM Rational AppScan: enhancing Web application security and regulatory compliance.

Security for a Smarter Planet IBM Corporation All Rights Reserved.

IBM Rational AppScan: Application security and risk management

IBM Advanced Threat Protection Solution

Minimizing code defects to improve software quality and lower development costs.

Application Security from IBM Karl Snider, Market Segment Manager March 2012

Ten questions to ask when evaluating contract management solutions

Securing Your Web Application against security vulnerabilities. Ong Khai Wei, IT Specialist, Development Tools (Rational) IBM Software Group

The role of integrated requirements management in software delivery.

FINAL DoIT v.4 PAYMENT CARD INDUSTRY DATA SECURITY STANDARDS APPLICATION DEVELOPMENT AND MAINTENANCE PROCEDURES

Application Code Development Standards

IBM Innovate AppScan: Introducin g Security, a first. Bobby Walters Consultant, ATSC bwalters@atsc.com Application Security & Compliance

IBM Managed Security Services Vulnerability Scanning:

External Supplier Control Requirements

Enhance visibility into and control over software projects IBM Rational change and release management software

Rational AppScan & Ounce Products

ETHICAL HACKING APPLICATIO WIRELESS110 00NETWORK APPLICATION MOBILE MOBILE0001

SINGLE SIGNON FUNCTIONALITY IN HATS USING MICROSOFT SHAREPOINT PORTAL

Security Testing and Vulnerability Management Process. e-governance

Ten steps to better requirements management.

How to Build a Trusted Application. John Dickson, CISSP

SAST, DAST and Vulnerability Assessments, = 4

IBM RATIONAL PERFORMANCE TESTER

DEFENSE THROUGHOUT THE VULNERABILITY LIFE CYCLE WITH ALERT LOGIC THREAT AND LOG MANAGER

Better management through process automation.

Six ways to accelerate Android mobile application development

Three significant risks of FTP use and how to overcome them

HP Application Security Center

Gain a competitive edge through optimized B2B file transfer

Realizing business flexibility through integrated SOA policy management.

FINAL DoIT v.8 APPLICATION SECURITY PROCEDURE

Adobe ColdFusion. Secure Profile Web Application Penetration Test. July 31, Neohapsis 217 North Jefferson Street, Suite 200 Chicago, IL 60661

A proven 5-step framework for managing supplier performance

IBM QRadar Security Intelligence April 2013

Adobe Systems Incorporated

Six Essential Elements of Web Application Security. Cost Effective Strategies for Defending Your Business

Web Application Threats and Vulnerabilities Web Server Hacking and Web Application Vulnerability

Web servers and WebSphere Portal

Columbia University Web Security Standards and Practices. Objective and Scope

WEB APPLICATION VULNERABILITY STATISTICS (2013)

Network Security Audit. Vulnerability Assessment (VA)

Learning objectives for today s session

Software change and release management White paper June Extending open source tools for more effective software delivery.

A Strategic Approach to Web Application Security The importance of a secure software development lifecycle

Automating Security Testing. Mark Fallon Senior Release Manager Oracle

Complete Web Application Security. Phase1-Building Web Application Security into Your Development Process

Creating Stronger, Safer, Web Facing Code. JPL IT Security Mary Rivera June 17, 2011

How to achieve PCI DSS Compliance with Checkmarx Source Code Analysis

Web Application Penetration Testing

Expert Services Group (Security Testing) Nilesh Dasharathi Sadaf Kazi Aztecsoft Limited

IBM Rational systems and software solutions for the medical device industry

Modernizing enterprise application development with integrated change, build and release management.

IBM WebSphere Application Server Communications Enabled Applications

Protecting against cyber threats and security breaches

8070.S000 Application Security

Black Box versus White Box: Different App Testing Strategies John B. Dickson, CISSP

The Key to Secure Online Financial Transactions

DFW INTERNATIONAL AIRPORT STANDARD OPERATING PROCEDURE (SOP)

Beyond passwords: Protect the mobile enterprise with smarter security solutions

Levels of Software Testing. Functional Testing

IBM Rational Asset Manager

McAfee Certified Assessment Specialist Network

Introduction to Web Application Security. Microsoft CSO Roundtable Houston, TX. September 13 th, 2006

IBM Security Intelligence Strategy

White paper December Addressing single sign-on inside, outside, and between organizations

Mobile, Cloud, Advanced Threats: A Unified Approach to Security

Web Application Report

IBM Protocol Analysis Module

MANAGED SECURITY TESTING

Application Security: What Does it Take to Build and Test a Trusted App? John Dickson, CISSP Denim Group

REAL-TIME WEB APPLICATION PROTECTION. AWF SERIES DATASHEET WEB APPLICATION FIREWALL

Secure Web Development Teaching Modules 1. Security Testing. 1.1 Security Practices for Software Verification

The purpose of this report is to educate our prospective clients about capabilities of Hackers Locked.

March PGP White Paper. Transport Layer Security (TLS) & Encryption: Complementary Security Tools

Mobile Security. Luther Knight Mobility Management Technical Specialist, Europe IOT IBM Security April 28, 2015.

WhiteHat Security White Paper. Top 11 PCI DSS 3.0 Changes That Will Affect Your Application Security Program

SECURITY AND REGULATORY COMPLIANCE OVERVIEW

Integrigy Corporate Overview

Connecting PPM and software delivery

Security Intelligence

North Dakota 2013 IT Security Audit Vulnerability Assessment & Penetration Test Project Briefing

Integrating Security Testing into Quality Control

Web App Security Audit Services

Agile enterprise content management and the IBM Information Agenda.

Last update: February 23, 2004

Penetration Testing. Presented by

Network Security Report:

Implement a unified approach to service quality management.

Application Security Testing. Generic Test Strategy

Model-driven development solutions To support your business objectives. IBM Rational Rhapsody edition comparison matrix

WHITE PAPER. FortiWeb and the OWASP Top 10 Mitigating the most dangerous application security threats

WHITEPAPER. Nessus Exploit Integration

ensuring security the way how we do it

White Paper. Automating Your Code Review: Moving to a SaaS Model for Application Security

Transcription:

Web application security White paper January 2008 Web application security: automated scanning versus manual penetration testing. Danny Allan, strategic research analyst, IBM Software Group

Page 2 Contents 2 Introduction 2 Evolving testing techniques 3 Two primary categories of vulnerabilities 4 Technical vulnerabilities 5 Logical vulnerabilities 6 Delivering the software and services you need to help secure your Web applications Introduction Research has shown that a vast number of Web sites are vulnerable to Web application attacks and that a great percentage of these attacks occur over the HTTP/S protocols, ports that are often exposed to the entire online community. With these facts in mind, it s essential for organizations to take serious measures to help secure their Web applications. As Web applications become increasingly complex, tremendous amounts of sensitive data including personal, medical and financial information are exchanged and stored. Consumers expect and even demand that this information be kept secure. There are two primary methods for discovering Web application vulnerabilities: using manual penetration testing and code review or using automated scanning tools and static analysis. The purpose of this paper is to compare these two methods. Evolving testing techniques Manual security penetration testing is one of the oldest methods for discovering application vulnerabilities. Over time, as the frequency of attacks has grown and application complexity has increased, specialists known as penetration, or pen, testers have emerged. Their sole purpose is to find and exploit Web application

Page 3 security problems. In the late 1990s, companies began developing automated Web application testing techniques. By that point, the Web had become more mature, and Web browsers were beginning to be able to handle the complexities of dynamic applications. The goal of these early automated testing tools was to automate the process of discovering a Web application and inject faults into it to help discover vulnerabilities. Web application vulnerabilities typically fall into two categories: technical and logical. Two primary categories of vulnerabilities Generally, Web application vulnerabilities can be grouped into two categories: technical and logical. Technical vulnerabilities include cross-site scripting (XSS), injection flaws and buffer overflows. Logical vulnerabilities are much harder to explicitly categorize. These vulnerabilities manipulate the logic of the application to get it to do things it was never intended to do. For example, in early 2002, a hacker used a logical vulnerability to bypass the required personal information validation in a popular e-mail application, allowing the hacker to reset users passwords by guessing the answer to a single security question.

Page 4 Automated testing tools can now traverse, analyze and test for a large percentage of technical vulnerabilities. Technical vulnerabilities There are more than 70 techniques that can be used to exploit XSS, one of the most common technical vulnerabilities. A typical registration form on the Web contains approximately 30 unique elements, each of which is potentially vulnerable to XSS, injection flaws, buffer overflows or improper error handling. Therefore, to test the form for XSS vulnerability, you would need more than 2,000 tests to check all 30 elements against the 70 XSS techniques. It s certainly no surprise that a great number of applications are vulnerable to this one exploit. Given the number of tests needed to check such applications for technical vulnerabilities, automated tools that are able to traverse, analyze and test are perhaps more efficient than manual penetration testing. Automated scanning and testing tools may not currently be able to test 100 percent of technical vulnerabilities, but they can test for a large percentage of them. Early versions of automated tools had trouble dealing with certain issues, including: Client-side-generated URLs. Required Java Script functions. Application logout. Transaction-based systems requiring specific user paths. Automated form submission. One-time passwords. Infinite Web sites with random URL-based session IDs.

Page 5 As automated Web application security testing tools have matured, enterprises have experienced fewer incidents of false positives and false negatives. As automated Web application security tools have matured, the majority of these issues have been addressed, and automated assessments have reduced incidents of uncertain determinations (false positives) and missed issues (false negatives). However, as Web applications continue to grow in size, manual testing is becoming more and more difficult. In many enterprise organizations, it will become impossible to dedicate the time, effort and money to assess the booming number of Web applications. The bottom line is that humans can only look at so many lines of code per day, and as your volume of applications increases, so too must your stable of testers which can quickly become cost prohibitive. Logical vulnerabilities are security weaknesses that can be exploited by circumventing the typical flow of an application. Logical vulnerabilities Logical vulnerabilities are security gaps that can be exploited by understanding how an application works and circumventing the typical business flow. While automated scanning tools and skilled pen testers can navigate a Web application, only the tester is able to understand the logic behind the application s workflow. This understanding enables the tester to subvert the business logic and expose a security vulnerability. For example, an application might direct the user from point A to point B to point C, where point B is a security validation check. A manual review of the application might show that it is possible to go directly from point A to point C, bypassing the security validation entirely.

Page 6 Although manual penetration testing and automated scanning can both be used to find critical security vulnerabilities in Web applications, each has inherent strengths and weaknesses. Neither manual penetration testing nor automated scanning is an exhaustive method for identifying Web application vulnerabilities. Each method has its own inherent strengths and weaknesses, and both can be used to discover critical security vulnerabilities in Web applications. Automated tools were never intended to, and should never entirely replace, the manual penetration test. However, if used correctly, automated tools can be used to find a broad range of technical security vulnerabilities in Web applications, saving time and money. Sophisticated organizations will determine the correct mix of automated scanning versus manual penetration testing to provide the best Web application security coverage possible. Delivering the software and services you need to help secure your Web applications IBM is a marketplace leader in Web application vulnerability assessment software. Providing a range of security software products, IBM offers individual tools for any size organization. Using IBM Rational Web application security testing products, developers can build security into every Web application and work within familiar technology environments. IBM Rational Web application security testing products can help your organization build security into applications destined for online deployment. The Rational products allow users to work within familiar technology environments, offering virtually seamless integration with leading quality assurance tools and

Page 7 Rational testing software enables enterprises to continuously audit the security of Web applications and to mitigate business risk prior to deployment. integrated development environments (IDEs). And the applications enable you to perform continuous security auditing, helping software delivery teams build security into Web applications from the ground up, and helping to mitigate business risk before you deploy your applications. For more information To learn more about IBM Rational Web security solutions, contact your IBM representative or IBM Business Partner, or visit: ibm.com/software/rational/offerings/testing/webapplicationsecurity

Copyright IBM Corporation 2008 IBM Corporation Software Group Route 100 Somers, NY 10589 U.S.A. Produced in the United States of America 01-08 All Rights Reserved. IBM, the IBM logo and Rational are registered trademarks of International Business Machines Corporation in the United States, other countries, or both. The information contained in this documentation is provided for informational purposes only. While efforts were made to verify the completeness and accuracy of the information contained in this documentation, it is provided as is without warranty of any kind, express or implied. In addition, this information is based on IBM s current product plans and strategy, which are subject to change by IBM without notice. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, this documentation or any other documentation. Nothing contained in this documentation is intended to, nor shall have the effect of, creating any warranties or representations from IBM (or its suppliers or licensors), or altering the terms and conditions of the applicable license agreement governing the use of IBM software. IBM customers are responsible for ensuring their own compliance with legal requirements. It is the customer s sole responsibility to obtain advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulatory requirements that may affect the customer s business and any actions the customer may need to take to comply with such laws. RAW14011-USEN-00

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information