Last updated at Wed, 12 Feb 2020 18:44:31 GMT
For more than 10 years, application security testing has been a common practice to identify and remediate vulnerabilities in their web applications. While, it's difficult to figure out the best web security software for your organization, there are seven key techniques that not only increase accuracy of testing in most applications, but also enable teams to leverage expert resources to test necessary areas by hand.
IT security experts who conduct application security testing or are trying to figure out the best application security solution should consider these techniques important and aim to use a solution that leverages as many of them as possible.
Application Security Scanning Requirements
1. Coverage of Modern Web Technologies
Application security software should have the ability to easily understand and adapt to new technologies as they become popular. The reality is that we will continue to see an increase in application complexity and the emergence of new technologies. Most scanners can understand and attack the classic web application of the past but a modern scanner needs to be architected so that new technologies can be bolted on like drill bits on a drill. Ask your vendor how their architecture provides the flexibility to handle new technologies.
3. Sophisticated Attack Techniques
All web security software must find a balance between comprehensiveness and performance. In order to improve performance, the best web security software solutions randomly limit the set of attacks to send based on proprietary choices. Other scanners intelligently profile the application to determine which attacks are useful and dynamically adjust attacks for each input. This latter approach increases not only the efficiency of the scan, but also its ability to find valid vulnerabilities. Be sure you understand how your application security software selects its attacks and how configurable the attacks are to fit your needs.
4. Recursive False Positive Checking
False positives are the bane of automated scanning and a time suck for security teams. Web applications often behave in mysterious ways and smart scanners must check and recheck findings to avoid false positives. Your vendor should be willing to stand by the findings and constantly improve based on your feedback.
5. Relevant Data Input
During an automated scan there are usually two phases: crawl and attack. During the crawl phase, it is imperative that the scanner provide valid data for each input field as expected by the application. For example, when the form is asking for a shipping address, some scanners enter random values into each input instead of the expected values. Certain fields such as the ZIP code would be invalid and the application would reject a request due with an invalid ZIP code. In this case, the scan is actually halted, resulting in a less comprehensive scan and the potential for missed vulnerabilities. Ask application security software vendors what kind of data they use in their attack phase to determine if they are using both expected and unexpected datasets and if they are attacking one input at a time.
6. Check Every Parameter on Every Page
The point of automation is to handle the repetitive tasks against every input, but this can lead to slower scan times. To save time, some web application security solutions only check the first several parameters on each page. Each parameter could use different filters so the scanner could be arbitrarily missing vulnerabilities. This time savings is not worth it! Make sure the solution you choose checks every parameter on every page.
7. Custom Mobile Applications, the New Frontier
Custom mobile applications are the new frontier for security teams. They provide native mobile interfaces, but then communicate with web services or API's (JSON, REST/XML, AMF, etc.) that have the same range of potential vulnerabilities (SQLi, authentication and session management weaknesses) that web applications do. The best web security software is capable of testing these back-end interfaces or API's because that's where the real weaknesses are likely to be found.