In my work as a technology analyst, I spend an awful lot of time talking to technology vendors and their customers. These days, both seem to be bringing up the same topic over and over again -- namely, Web application security. There are plenty of reasons for this -- I could fill a column just listing them. One big reason, of course, is the proliferation of Web-based applications in the enterprise, for both business (Salesforce.com Inc.) and pleasure (Facebook).
The other reason, of course, is compliance. The Payment Card Industry Data Security Standard was among the first to take a strong stand on Web application security, requiring PCI-covered entities to either conduct Web application code reviews or deploy an application layer firewall to protect all Web-facing applications. But Web application security has an effect on other industry and government-sponsored regulations, as well, such as the Health Insurance Portability and Accountability and Federal Information Security Management acts. As more enterprise computing (and enterprise data) migrates to public and private clouds in the coming years, security of Web-based user and management interfaces that front them will become even more critical.
No surprise, then, that both open source and commercial Web scanners have popped up in great numbers in recent years, as security vendors rushed into the market offering compliance-focused Web application scanning services. As with other areas of the IT security market, however, a lack of cross-vendor standards has made apples-to-apples comparisons of Web application scanners difficult. Jeremiah Grossman, chief technology officer of WhiteHat Security Inc., notes that impartial information regarding Web application testing products is hard to come by -- especially with cuts to the budgets of trade publications, which have curtailed (or eliminated) their test lab operations.
Now a new set of guidelines from the Web Application Security Consortium (WASC), a collection of vendors, Web application security practitioners and enterprise end users, may give IT security and compliance professionals a valuable tool for assessing Web security. The Web Application Security Scanner Evaluation Criteria (WASSEC) is a detailed guide to the many features commonly available in Web application scanners. The document is intended to help enterprises and IT professionals decide which features are common to Web application scanners, and which are important for the job at hand. The document was the product of collaboration among top players in the Web application security space -- companies like nCircle Network Inc., IBM, Hewlett-Packard Co., McAfee Inc., Breach Security Inc. and Rapid7 LLC.
Brian Shura, director of penetration testing at AppSec Consulting Inc. in San Jose and a project leader at WASC, told me the evaluation criteria are designed to give potential customers a way to push beyond often conflicting marketing claims for Web application scanners. It's also meant to provide a basis for doing bake-offs and other evaluations.
As more enterprise computing … migrates to public and private clouds in the coming years, security of Web-based user and management interfaces that front them will become even more critical.
WASSEC represents a consensus on the features that potential buyers might expect to find in a Web application scanner. It's up to potential buyers to figure out which features matter the most to them and how to weigh the offerings of various vendors, Grossman said.
The WASSEC document breaks Web application scanners down by their key elements: Web crawling, parsing (of URLs, forms, comments), support for various Web protocols and forms of Web authentication, session management and testing, as well as command and control and reporting features. The document provides guidance for evaluating these various functional areas. For example: WASSEC notes that Web application scanners should be able to extract and analyze content from Adobe Flash-based applications, a common platform for creating rich client features for Internet-based applications. What WASSEC doesn't do is make value judgments about which features are "must-haves."
As you've read here before, security scans are not enough. Simply running a vulnerability scan on your Web applications and seeing what the scanner spits out doesn't make you compliant (or secure, for that matter). Grossman noted that WASSEC's list of features won't obviate actual testing and product bake-offs. "Everybody is going to have the same feature set, but some will work better than others. For example, you can check for cross-site scripting vulnerabilities, but how good are you at it?"
Added Shura, "There are a lot of misconceptions in the scanning area. A lot of people think these are push-the-button tools. But if want to do a thorough job, you need training and people who are trained to use scanners in a way that optimizes their effectiveness."
WASSEC isn't the only resource out there. The National Institute of Standards and Technology, among other organizations, has attempted to provide metrics and tool evaluation criteria for Web application scanners. But enterprises concerned about the security of their Web applications would do well to take an inventory of their public and internal websites, Grossman advised. Consider how valuable those sites are and what level of attacker you wish to defend against -- from automated "bot" attacks to a determined hacker targeting your organization and Web infrastructure, in particular. The level of protection and security afforded your websites should be commensurate with the level of attack you think you're likely to face, he said.
Paul Roberts is a senior analyst at The 451 Group in New York. Let us know what you think about the story; email email@example.com.
This was first published in October 2009