Last updated at Wed, 12 Feb 2020 18:44:31 GMT

For more than 10 years, application security testing has been a common practice to identify and remediate vulnerabilities in their web applications. While, it's difficult to figure out the best web security software for your organization, there are seven key techniques that not only increase accuracy of testing in most applications, but also enable teams to leverage expert resources to test necessary areas by hand.

IT security experts who conduct application security testing or are trying to figure out the best application security solution should consider these techniques important and aim to use a solution that leverages as many of them as possible.

Application Security Scanning Requirements

1. Coverage of Modern Web Technologies

Application coverage is the first step of accuracy. Application security testing software can't test what it can't find or doesn't understand. Most scanners were built to scan HTML and they do so very effectively. Unfortunately, very few modern applications are built solely in HTML. Today's applications have gone way beyond brochure-ware to include rich clients and mobile API's, and web services that make use of new application technologies. These applications are powered by JavaScript and AJAX on the client-side and often have interfaces built in JSON, REST and SOAP with CSRF protection thrown in for good measure. The best web security software solutions are capable of interpreting and attacking these modern technologies and find an internal or vendor neutral test application with vulnerabilities that include these technologies to confirm coverage.

2. Future-Proof

Application security software should have the ability to easily understand and adapt to new technologies as they become popular. The reality is that we will continue to see an increase in application complexity and the emergence of new technologies. Most scanners can understand and attack the classic web application of the past but a modern scanner needs to be architected so that new technologies can be bolted on like drill bits on a drill. Ask your vendor how their architecture provides the flexibility to handle new technologies.

3. Sophisticated Attack Techniques

All web security software must find a balance between comprehensiveness and performance. In order to improve performance, the best web security software solutions randomly limit the set of attacks to send based on proprietary choices. Other scanners intelligently profile the application to determine which attacks are useful and dynamically adjust attacks for each input. This latter approach increases not only the efficiency of the scan, but also its ability to find valid vulnerabilities. Be sure you understand how your application security software selects its attacks and how configurable the attacks are to fit your needs.

4. Recursive False Positive Checking

False positives are the bane of automated scanning and a time suck for security teams. Web applications often behave in mysterious ways and smart scanners must check and recheck findings to avoid false positives. Your vendor should be willing to stand by the findings and constantly improve based on your feedback.

5. Relevant Data Input

During an automated scan there are usually two phases: crawl and attack. During the crawl phase, it is imperative that the scanner provide valid data for each input field as expected by the application. For example, when the form is asking for a shipping address, some scanners enter random values into each input instead of the expected values. Certain fields such as the ZIP code would be invalid and the application would reject a request due with an invalid ZIP code. In this case, the scan is actually halted, resulting in a less comprehensive scan and the potential for missed vulnerabilities. Ask application security software vendors what kind of data they use in their attack phase to determine if they are using both expected and unexpected datasets and if they are attacking one input at a time.

6. Check Every Parameter on Every Page

The point of automation is to handle the repetitive tasks against every input, but this can lead to slower scan times. To save time, some web application security solutions only check the first several parameters on each page. Each parameter could use different filters so the scanner could be arbitrarily missing vulnerabilities. This time savings is not worth it! Make sure the solution you choose checks every parameter on every page.

7. Custom Mobile Applications, the New Frontier

Custom mobile applications are the new frontier for security teams. They provide native mobile interfaces, but then communicate with web services or API's (JSON, REST/XML, AMF, etc.) that have the same range of potential vulnerabilities (SQLi, authentication and session management weaknesses) that web applications do. The best web security software is capable of testing these back-end interfaces or API's because that's where the real weaknesses are likely to be found.

For more information about what to look for in an application security scanner, check out our Web Application Security Solutions Buyers' Guide.