Leveraging Automation to Quickly Reveal Vulnerabilities

WHITE PAPER
Next-Generation Web Application
Penetration Testing
Leveraging Automation
to Quickly Reveal Vulnerabilities



Information security managers and directors are faced with the enormous responsibility of keeping web applications secure from the menace of hackers. The ever-growing number of security threats and an increasing body of governmental regulations are overwhelming information security teams. With web applications constantly evolving, finding vulnerabilities is a challenging, costly and time-consuming undertaking. How can information security personnel protect sensitive data - and ultimately, the corporate reputation - without costly web application security assessment outsourcing? The solution is automated security assessment products that leverage stateful processing to comprehensively examine web applications and reveal vulnerabilities in hours rather than weeks. These powerful solutions help information security teams quickly identify problems, regularly assess web application security strength and ensure regulatory compliance. Web Application Security Vulnerabilities Web applications Web applications are growing in size and complexity. Despite their present vulnerabilities sophistication, web applications are designed to respond to simple unique from traditional HTTP requests. These requests can put applications and network security confidential information at risk as hackers can shield attacks with threats and can result in confidential data legal requests that pass through secured networks and intrusion being made publicly detection systems. Once a malicious request interacts with a web available application, it can attack via vulnerabilities within the web application. Some of the top web application vulnerabilities include: . Unvalidated input . Broken access control . Broken authentication and session management . Cross-site scripting (XSS) flaws . Buffer overflows . Injection flaws . Improper error handling . Insecure storage . Insecure configuration management Web application security vulnerabilities are very prevalent. Recently, hackers invaded databases from information industry giant LexisNexis and gained access to more than 30,000 accounts containing personal data such as names, addresses, Social Security numbers and driver's license information. Additionally, payroll-service provider PayMaxx recently exposed the Social Security numbers and related data of more than 25,000 people for tax year 2004. Nearly every day there is a new attack against a web application.
Copyright © 2005 Cenzic (v1.1) Page 2 www.cenzic.com ? 1-866-4-CENZIC Figure 1: Web application vulnerabilities are increasing dramatically (source: Symantec Internet Security Threat Report, March 2005).
Figure 1 demonstrates that the threat to web applications is increasing dramatically. Over an 18 month period from July of 2003 to December of 2004, documented vulnerabilities increased nearly 82 percent. Web Application Vulnerability Testing Challenges The consequences of failing to protect web applications expose companies to information theft, unhappy customers and stiff penalties when organizations are not in compliance with regulatory requirements. Even when companies do take steps to protect against web application hacking, they often face overwhelming workloads or exorbitant security assessment outsourcing costs. Consequences of Forgoing Vulnerability Testing When vulnerability Loss of critical customer data and violations of government testing is not a regulations are two of the largest consequences of bypassing web priority, critical data application vulnerability testing. can be stolen and penalties may be assessed for failing to Information theft: Data theft takes many forms, including siphoning meet government money from banks and financial institutions, exploiting e-commerce regulatory sites to conduct unauthorized transactions and accessing back-end requirements databases with priceless stores of data. Information theft can force corporations to make financial restitutions and lead to customer loss. Non-compliance: Web applications that are not in compliance with government regulations, such as Sarbanes-Oxley, GLBA, SB 1386 and HIPAA, can result in severe corporate penalties. With new regulations on the horizon, corporations ne... [download for more]