Port 80 is often called the highway into networks. Port 443 forsecure sockets layer (SSL) is often referred to as the UFBP — universalfirewall bypass port. Today, many legacy applications are eitherweb-enabled or in the process of becoming web-enabled. Consequently,these applications — which were never designed to be used in thisfashion — are now being exposed in new ways to larger and larger usercommunities, as well as attacking communities with increasingsophistication. In many cases, the process of web-enabling anapplication exposes critical assets, such as large databases withpersonal client information.
Even some non-legacy applications that were designed from inceptionto run as web-enabled applications can contain significant securityvulnerabilities. There often is a disconnect between web programmers,auditors and information security staff that allows these webapplications to bypass many system development life cycle controls,such as code reviews and security testing. This is not to say that allweb coding is bad; however, there is a potential where mistakes can bemade and critical data or even system control can be lost.
These issues have been brought to the forefront by the PCI-DSS(Payment Card Industry — Data Security Standard) in many organizations.In the standard, section 6.3.1 requires "Testing of all security patches and system and software configuration changes before deployment."
This is typically part of a comprehensive system development lifecycle and often the term vulnerability assessment is applied to thistesting. Further in the PCI-DSS standard in section 6.5, severalweb-based vulnerabilities are listed to be tested by the applicationprovider.
To mitigate these risks and also for compliance with industry bestpractice standards, application vulnerability assessment must beperformed. This type of assessment is different from the more commonnetwork vulnerability assessment because of the need for a greaterunderstanding of web-based vulnerabilities. For example, the mostcommonly used network vulnerability assessment utility, Nessus, checksfor XSS or cross-site scripting errors. However, it does not check thehundreds of different permutations of the XSS attacks. In order to scanfor these dynamic attacks — such as XSS or SQL injection — a utilitywith greater understanding of the application environment is necessary.
The utilities in this group tested for either web-basedvulnerabilities or vulnerabilities inside of an SQL database. All ofthese products had the additional intelligence to scan beyond the depththat a traditional network vulnerability assessment utility could.
Products in this review broke down into one of two categories. Thefirst category assessed the web application itself, while the othercategory of utilities tested the database manually. Pricing in thiscategory ranged as much as the overall function. With products thatstarted below $1,000 to products which began at over $36,000. The rangewas truly surprising.
How we tested
We tested the applications by installing the utility on a Windows XP professional machine with an AMD 64-bit 4.0 Ghz processor,
1 GB of RAM and 100 GB hard drive. Next, we ran the utility againsta small php base website with several small vulnerabilities. Thewebsite used custom error pages, which can throw off many of the spiderfeatures of application scanners by re-directing all bad web requestsback to the site’s home page. This is a common first step in securingmany web servers and is deployed by most major organizations. For autility in the review to interpret the results correctly, the crawlerhad to distinguish between the returned custom error page of 302 — pagemoved as opposed to a 200 message for page found. Not all scanners wereable to make this distinction.
All products were scored on ease of use, number of pages discovered,if vulnerabilities were sorted by class of vulnerability, an ability toreport false positives to the manufacturer, the number of falsepositives found, the time the scan took to complete, the number ofvulnerabilities uncovered, the types of reports offered, if remediationsteps were included with the report, and if the product uninstalledcleanly. The key criteria for each product can be found in the overviewmatrix.
- Mike Stephenson contributed to this Group Test.