The art of hacking a computer, operating system, and application has evolved over time. What was once seen as relatively simple hacks have been suppressed due to various intrusion prevention mechanisms developed by network security companies. Breaching a company’s perimeter to gain direct unauthorized access to an organization’s network is not as simple as it used to be…or as simple as some people think. Modern networks include multiple firewalls, network vulnerability assessment scanners, intrusion prevent products, and endpoint protection solutions all defending critical infrastructure. Restricted by these defenses, hackers have been aggressively testing other ways to breach corporate and government networks.
Even with the best security plans and technology, hackers have identified holes in the most common infrastructure, one of which until relatively recently, organizations did not consider: Web Applications. According to The Web Application Security Consortium 99% of web application are not compliant with PCI DSS standard requirements, and 48% of web applications are not compliant with criteria of ASV scanning by PCI DSS. By design, many web applications are publicly available on the internet and are designed to market and service business transactions for organizations and fall under these regulations. This provides hackers with direct and easy access to your business, and provides virtually unlimited attempts for them to test their hacks against your application. Since the revolution of using the internet for conducting business, organizations have been able to connect seamlessly with suppliers, customers and other business related associates. This has now left many applications exposed to a plethora of previously unknown security risks such as SQL Injection, Cross Site Scripting etc.
Web applications are now one of the biggest threats to an organizations security. Inherently they are much more difficult to defend versus traditional applications that benefit from the security infrastructure that has been already deployed. In order to detect and properly defend against web application threats you must first have the capability to identify these vulnerabilities. This includes performing web application vulnerability assessment scanning.
By definition, web application scanner is an automated vulnerability assessment solution that crawls a website (either automatically or has been trained) looking for vulnerabilities within web apps. The solution analyzes all web pages and files that it finds, and builds a structure of the entire website. The scanner then performs automated checks against security vulnerabilities by launching a series of common web attacks and analyzes the results for vulnerabilities.
Considering the overall process, and complexity of modern web applications, here are a few important features to consider:
- The ability to crawl a website regardless of technology and analyze the results.
- Merge traditional (operating system and application) and web application vulnerability assessment data in one report to reveal the current overall security posture for a system.
- Provide reports with actionable details such that administrators and developers can correct the flaws in a timely manner
The best way to identify web application security threats is to perform web application vulnerability assessment. The importance of these threats could leave your organization exposed if they are not properly identified and mitigated. Therefore, implementing a web application scanning solution should be of paramount importance for your organizations security plans in the future.
For additional information, read Chris Silva's blog regarding Mass Infection via SQL Injection and how web application vulnerability scanning can protect you from such thing: Mass Infection via SQL Injection
Morey J. Haber, Chief Security Officer, BeyondTrust
Morey J. Haber is the Chief Security Officer at BeyondTrust. He has more than 25 years of IT industry experience and has authored three books: Privileged Attack Vectors, Asset Attack Vectors, and Identity Attack Vectors. He is a founding member of the industry group Transparency in Cyber, and in 2020 was elected to the Identity Defined Security Alliance (IDSA) Executive Advisory Board. Morey currently oversees BeyondTrust security and governance for corporate and cloud based solutions and regularly consults for global periodicals and media. He originally joined BeyondTrust in 2012 as a part of the eEye Digital Security acquisition where he served as a Product Owner and Solutions Engineer since 2004. Prior to eEye, he was Beta Development Manager for Computer Associates, Inc. He began his career as Reliability and Maintainability Engineer for a government contractor building flight and training simulators. He earned a Bachelor of Science degree in Electrical Engineering from the State University of New York at Stony Brook.