What to look for in a Web application security testing tool


Kevin Beaver, CISSP
06.23.2007
I get a lot of questions regarding what the ideal Web application security scanner should be able to do and how it should "handle." Having used most of the commercial, open source and freeware tools over the past several years, I've come across a lot of likes and even more dislikes. The good news is that commercial scanner vendors are starting to realize what's important, and they're making their tools much more capable and friendly to the average user.

The following are features of Web application security testing tools that I believe are absolute must-haves if you do a lot of scanning. They'll save you a great deal of time and effort and turn up valid vulnerabilities that you would never find otherwise.

In the end you'll save money (even if you have to pay more to get a good tool), and you'll come across as a true expert who takes Web application security testing seriously.

  1. Ease of use. This is more important than most people think. Many of us -- especially the vendors and developers -- think that a more complex application equals more features and a better overall tool. I disagree! Being a pretty technical guy, I'm usually up for a challenge but not at the expense of lost time. We all have way too much to do as it is, and wasting time just trying to get a tool installed and up and running a basic scan is not my idea of fun.
  2. Standalone tools such as a Web proxy, an HTTP editor, server fingerprinting, and an HTTP discovery service that can scan a range of ports across your entire network for live Web servers. These are extremely valuable, especially for manual testing, which is required for a thorough assessment and easily accounts for half of all vulnerabilities discovered. A major bonus -- something you won't find in most tools -- is an automated SQL injection capability that takes a vulnerable URL and automates the standard and blind SQL injection processes.
  3. Logging capabilities that give you the option to track everything from basic URLs visited to errors generated all the way down to the specific headers sent/received via HTTP at the packet level.
  4. Authenticated testing that lets you plug in a user name and password so the tool can crawl, test and exploit the application as a trusted user. You can find a lot of vulnerabilities this way, such as SQL injection and JavaScript (cross-site scripting) weaknesses, that a malicious user could exploit. The ability to record custom login scripts for non-standard forms is a big bonus; otherwise you'll be hard pressed to find a way to perform authenticated tests against applications that use custom login mechanisms.
  5. The ability to pause a scan and resume at a later time. This is very valuable, especially when you suspect the scan is creating a resource burden on the server and when trying to get around automated blocking by firewalls and IPSs.
  6. The ability to skip the current test or URL if you suspect problems or hang-ups, or if you accidentally load a policy written for one platform (say, WebSphere) to run against your IIS-based application.
  7. The ability to filter false positives or unimportant findings from the report and future scans. One thing that every Web application scanner does consistently is generate false positives. Being able to control what's seen, reported and scanned for again in the future can shave off a lot of time and hassle.
  8. Password cracking capabilities to test login mechanisms. Dictionary cracking is the most common, but it's also the most limited. The ability to brute force adds more value to your testing, but it is hard to come by. It definitely wouldn't hurt to ask/request this of your vendor.
  9. The ability to go beyond sending simple signature attacks to the application: a "smart" scan whose direction and depth are adjusted in real time based on the feedback the scanner receives from the application. This is a new area of scanning capability for the higher-end scanners. It has yet to be perfected, but you can tell a difference in scan times and false positives when it's being used.
  10. The ability to edit or remove specific scan queries from built-in policies that you know may cause problems with your Web server, middleware or application.
  11. The ability to scan multiple sites at once will save you a ton of time. You likely won't want to run more than three or four at once, depending on your network/Internet connection speed and local resources. This is something that I depend on a lot and can't imagine working without.
  12. The ability to throttle back HTTP threads/requests for when you need to run potentially harmful tests against a sensitive production server during peak times. Being able to show the policy used and/or state of the tool's configuration at the time of a scan is invaluable in the event of a problem.
  13. Compliance-related reporting with pre-canned and customizable report templates for the major regulations and industry standards, and especially for the OWASP Top 10.
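Items 2, 3 and 12 above describe capabilities rather than showing them. The following added example (written for this page; it is not code from the article or from any scanner product) shows the mechanics in Python: a throttled sweep over a list of host/port pairs that sends one HEAD request per target, records every header sent and received, and fingerprints the responder from its Server header. It starts a throw-away local HTTP server so it runs offline; that fixture, its "ExampleHTTPd/1.0" banner and the KNOWN_SERVERS table are constructed placeholders, not real product data.

```python
"""HTTP discovery sweep with server fingerprinting, header-level logging
and request throttling.  Added example, not code from the article or from
any scanner vendor; the local fixture and its banner are constructed."""
import http.client
import http.server
import socket
import threading
import time
from dataclasses import dataclass, field

# Banner-prefix-to-product table used for fingerprinting (placeholder).
KNOWN_SERVERS = {
    "Microsoft-IIS": "IIS",
    "Apache": "Apache httpd",
    "nginx": "nginx",
    "ExampleHTTPd": "example fixture",   # constructed banner, see below
}
USER_AGENT = "discovery-sweep/0.1"


@dataclass
class Finding:
    host: str
    port: int
    status: int
    server: str                              # raw Server header, "" if absent
    product: str                             # KNOWN_SERVERS hit or "unknown"
    log: list = field(default_factory=list)  # headers sent (>>) and received (<<)


def fingerprint(server_header):
    """Map a Server header to a product name by prefix match."""
    for prefix, product in KNOWN_SERVERS.items():
        if server_header.startswith(prefix):
            return product
    return "unknown"


def probe_http(host, port, timeout=2.0, path="/"):
    """Send one HEAD request.  Return a Finding, or None when nothing that
    speaks HTTP answers (connection refused, timeout, non-HTTP banner)."""
    headers = {"Host": f"{host}:{port}", "User-Agent": USER_AGENT}
    log = [f">> HEAD {path} HTTP/1.1"] + [f">> {k}: {v}" for k, v in headers.items()]
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("HEAD", path, headers=headers)
        resp = conn.getresponse()
        log.append(f"<< HTTP/1.{resp.version % 10} {resp.status} {resp.reason}")
        log.extend(f"<< {k}: {v}" for k, v in resp.getheaders())
        server = resp.getheader("Server", "")
        return Finding(host, port, resp.status, server, fingerprint(server), log)
    except (OSError, http.client.HTTPException):
        return None
    finally:
        conn.close()


def sweep(targets, delay=0.0):
    """Probe each (host, port) in turn, sleeping `delay` seconds between
    requests: the throttle you want against a sensitive production host or
    when a firewall/IPS starts dropping bursts of requests."""
    found = []
    for i, (host, port) in enumerate(targets):
        if i and delay:
            time.sleep(delay)
        finding = probe_http(host, port)
        if finding is not None:
            found.append(finding)
    return found


class _FixtureHandler(http.server.BaseHTTPRequestHandler):
    """Constructed local Web server so the sweep has something to find."""
    def version_string(self):        # becomes the Server header we send
        return "ExampleHTTPd/1.0"

    def do_HEAD(self):
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.end_headers()

    def log_message(self, *args):    # keep the fixture quiet
        pass


def start_fixture():
    """Bind the fixture on a free loopback port; the caller shuts it down."""
    srv = http.server.HTTPServer(("127.0.0.1", 0), _FixtureHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def closed_port():
    """A loopback port nothing listens on: bind, read the number, release."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def run_demo(delay=0.05):
    """Sweep the fixture plus one closed port; return only the live findings."""
    srv = start_fixture()
    try:
        live = srv.server_address[1]
        return sweep([("127.0.0.1", live), ("127.0.0.1", closed_port())], delay)
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    for f in run_demo():
        print(f"{f.host}:{f.port} HTTP {f.status} server={f.server!r} -> {f.product}")
        print("\n".join("   " + line for line in f.log))
```

Against real targets you would feed `sweep()` the product of your address ranges and the usual Web ports (80, 443, 8080, 8443 and so on) rather than the fixture, raise `delay` on a production network, and keep the per-finding `log` with the report so you can show exactly what was sent when a scan is blamed for a problem.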
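Items 7 and 10 are about keeping known false positives out of the report and out of the next scan. The added example below (written for this page, not code from the article or from any scanner) shows one way to do that in Python: findings are matched against a reviewed suppression list whose entries carry a reviewer reason and an expiry date, so a suppression has to be re-justified instead of living forever, and the still-valid entries are turned into check/URL exclusions a scan policy can skip. The findings, check identifiers, rule format and dates are constructed for illustration.

```python
"""Filtering scanner findings against a reviewed suppression list and
deriving scan-policy exclusions from it.  Added example, not from the
article or any scanner product; all sample data below is constructed."""
import fnmatch
from dataclasses import dataclass
from datetime import date

SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class Finding:
    check: str       # scanner check id, e.g. "xss-reflected" (constructed)
    url: str
    severity: str    # a key of SEVERITY_RANK
    evidence: str


@dataclass(frozen=True)
class Suppression:
    check: str       # check id, or a glob such as "*"
    url_glob: str    # fnmatch pattern applied to the finding's URL
    expires: date    # after this date the finding surfaces again
    reason: str      # who reviewed it and why it is not a real issue

    def matches(self, finding, today):
        return (today <= self.expires
                and fnmatch.fnmatchcase(finding.check, self.check)
                and fnmatch.fnmatchcase(finding.url, self.url_glob))


def parse_suppressions(text):
    """Parse 'check | url_glob | YYYY-MM-DD | reason' lines; '#' starts a comment."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        check, url_glob, expires, reason = (p.strip() for p in line.split("|", 3))
        rules.append(Suppression(check, url_glob, date.fromisoformat(expires), reason))
    return rules


def triage(findings, rules, min_severity="info", today=None):
    """Split findings into (reported, suppressed).  A finding is suppressed
    when an unexpired rule matches it or when it is below min_severity;
    suppressed entries keep their reason so the report can still list them."""
    today = today or date.today()
    reported, suppressed = [], []
    for f in findings:
        rule = next((r for r in rules if r.matches(f, today)), None)
        if rule is not None:
            suppressed.append((f, rule.reason))
        elif SEVERITY_RANK[f.severity] < SEVERITY_RANK[min_severity]:
            suppressed.append((f, f"below {min_severity} severity"))
        else:
            reported.append(f)
    return reported, suppressed


def policy_exclusions(rules, today=None):
    """(check, url_glob) pairs for unexpired rules, for the next scan's policy
    to skip so a confirmed false positive is not re-tested on every run."""
    today = today or date.today()
    return [(r.check, r.url_glob) for r in rules if today <= r.expires]


# Constructed sample scan output and suppression list.
SAMPLE_FINDINGS = [
    Finding("sqli-blind", "https://app.example/search?q=1", "high", "5 s time delay"),
    Finding("xss-reflected", "https://app.example/help?term=x", "medium", "<script> echoed"),
    Finding("server-banner", "https://app.example/", "info", "Server: ExampleHTTPd/1.0"),
    Finding("xss-reflected", "https://app.example/static/old.html?x=1", "medium", "x echoed"),
]
SAMPLE_RULES = """
# check | url glob | expires | reason (reviewer and justification)
xss-reflected | https://app.example/static/* | 2099-01-01 | static archive, output is HTML-encoded; verified manually
server-banner | * | 2007-01-01 | accepted risk, re-review after expiry
"""


def run_demo(today=date(2007, 6, 23)):
    """Triage the sample findings at a fixed date; return what a report needs."""
    rules = parse_suppressions(SAMPLE_RULES)
    reported, suppressed = triage(SAMPLE_FINDINGS, rules, "low", today)
    return reported, suppressed, policy_exclusions(rules, today)


if __name__ == "__main__":
    reported, suppressed, exclusions = run_demo()
    for f in reported:
        print(f"REPORT   {f.severity:6} {f.check:14} {f.url}")
    for f, why in suppressed:
        print(f"SUPPRESS {f.severity:6} {f.check:14} {f.url}  ({why})")
    print("next scan skips:", exclusions)
```

Note that the expired `server-banner` rule no longer suppresses anything at the demo date; the banner finding drops out only because it sits below the "low" severity floor, and it would be reported again if that floor were lowered. That is the behaviour you want from a suppression feature: an entry you stopped reviewing should resurface rather than silently hide a finding for years.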

I highly recommend getting an evaluation version of the tool. If you can't, this may not be a vendor you want to deal with anyway. After installing the tool on your local system, I guarantee you'll know within 15 minutes if it's going to be a good fit for you based on the way you think and work. If during the trial period you come across any of the following issues, try to clarify with the vendor whether the specific issue is a known problem or "undocumented feature":

  • Scan times in excess of 30-45 minutes, especially when scanning a relatively simple site in an unauthenticated fashion

  • Unexplained hang-ups when scanning that are resolved only by skipping the current test

  • Obvious application memory leaks that cause you to have to restart the application and your scan. (It sounds trite, but I see this often.)

  • The inability to load the application to gain access to previous scan data after your license has expired. (Major pain!)

If you come across those issues and can't get a reasonable explanation, run away -- fast.

In the majority of cases, you're going to get what you pay for in a Web application security testing tool. At the end of the day, find a tool that you feel comfortable with and one that works well in your environment. Never underestimate the value of a little up-front homework when selecting the right Web vulnerability scanner. It will pay off.

-----------------------------------------
About the author: Kevin Beaver is an independent information security consultant, speaker, and expert witness with Atlanta-based Principle Logic, LLC. He has more than 19 years of experience in IT and specializes in performing information security assessments revolving around IT compliance. Kevin has authored/co-authored six books on information security including Hacking For Dummies and Hacking Wireless Networks For Dummies (Wiley) as well as The Practical Guide to HIPAA Privacy and Security Compliance (Auerbach). He's also the creator of the Security On Wheels series of audiobooks. Kevin can be reached at kbeaver@principlelogic.com.