The Right Tool for the Right Job: An Application Security Tools Report Card

By: Ounce Labs
Published: Apr 01, 2008
Length: 20
Type: White Paper

Overview:

During the 80s, war dialing and phone phreaking were the attacks that garnered all the headlines. In the 90s it was all about web defacement and the ubiquitous email virus. The last seven years have given rise to identity data theft and privacy concerns. For the past twenty years, organizations have focused on protecting the network; but in the last ten years it has become clear that the core threat is not, nor really ever was, access to the network. The network is just a means to an end.

The threat has always been access to the enterprise’s crown jewels: private data and the applications/ business functions that interact with that data. This is the Achilles heel of the enterprise today.

The Right Tool for the Right Job
In response, a range of application security tools has been developed to support efforts to secure the enterprise against the threat posed by insecure applications. But in the ever-changing landscape of application security, how does an organization choose the right set of tools to mitigate the risks its applications pose to its environment? Equally important: how, when, and by whom are these tools used most effectively? This paper will examine the most common tools found in the enterprise application security environment:
- Web Application Firewalls (WAF)
- Web Application Scanners (WAS)
- Source Code Analyzers (SCA)
Each tool will be evaluated and compared in terms of how it addresses critical vulnerabilities, beginning with the Top Ten Vulnerabilities identified by the Open Web Application Security Project (OWASP). The paper will provide an at-a-glance “report card” to help ensure that organizations devising their application security strategy have an informed understanding of each tool's approach, its method for addressing security flaws, and its efficiency and effectiveness in eliminating security threats to data through applications.

Vulnerability Prevention vs. Threat Detection
There are two fundamental categories that all application security products fall into: vulnerability prevention or threat detection. It should be noted that for the purposes of this paper, when a product’s feature set enables prevention through detection, it is still considered a detection device. Enterprises are always trying to balance a proactive, preventive strategy against a more reactive, detection-based one. What should be made clear is that no application security practice can achieve any amount of success without both. Let me state that again for those who are only skimming this document. No application security practice can achieve an acceptable amount of success without implementing both preventive and detection mechanisms: finding the right balance and investment in both is a decision that will be particular to each organization according to threat, exposure, and budget, among other factors.
Simply stated, web application firewalls are threat detection devices. Their primary purpose is to detect, and then block, invalid or malicious requests to your web application. Now, one could argue that they are also prevention devices because they are able to block some percentage of suspect traffic, but there is a clear distinction between detection devices and true prevention devices. A good vulnerability prevention solution should be able to find and help eliminate a security weakness before the weakness actually gets exploited. Because web application firewalls respond to incoming web traffic that is exploiting existing vulnerabilities, they will never truly be a good prevention device. True prevention only happens when the actual vulnerability is eliminated, so that it can never be exploited.
Both web application scanners and source code analyzers are fundamentally prevention solutions, as they can be used prior to exposing vulnerabilities to the web, and therefore can enable definitive elimination of risk. However, these tools provide no threat detection mechanisms in the daily deployed environment.
One further point: there is only so much insight that any tool (detection or prevention) can have without looking at and understanding the underlying source code. As with any manual software security assessment methodology, the more white-box the approach, the better the insight. There is also a fine balance between the amount of time you have to investigate the security stance of an application and the appropriate mixture of automated and manual approaches. Some detection mechanisms may be well suited to short-term, immediate protection.
For example, you may have identified many vulnerabilities with vulnerability prevention (static analysis) but cannot fix all of them immediately (lack of time or resources), so you apply a short-term solution such as a WAF with highly customized rule definitions until the code is fixed and verified with source code analysis.
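The workflow just described, shown end to end as an added illustration in Python (this is not code from the Ounce Labs paper). It puts the three roles side by side: a toy source-code-analyzer rule that flags a SQL query built by string concatenation, the code fix that eliminates the weakness (a bound parameter), and a hypothetical "highly customized" WAF rule, written as an allow-list on the request parameter, that stands in until the fix is verified. The in-memory user table, the analyzer regex and the allow-list are all constructed for this example; real analyzers track data flow rather than matching text.

```python
import re
import sqlite3

# Constructed in-memory table standing in for the application's user store.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users (name) VALUES (?)", [("alice",), ("o'brien",)])
    conn.commit()
    return conn

# --- Prevention, step 1: what a source code analyzer would report -------------
# Source text of the weak function, as an analyzer would see it (constructed sample).
VULNERABLE_SOURCE = (
    "def lookup_user(conn, name):\n"
    "    query = \"SELECT id FROM users WHERE name = '\" + name + \"'\"\n"
    "    return conn.execute(query).fetchall()\n"
)

# Toy SCA rule: a SQL keyword inside a string literal that is then joined with '+'.
SCA_RULE = re.compile(r"\b(SELECT|INSERT|UPDATE|DELETE)\b.*?[\"']\s*\+", re.IGNORECASE)

def sca_findings(source: str) -> list:
    """Return 1-based line numbers where the concatenation pattern appears."""
    return [n for n, line in enumerate(source.splitlines(), start=1) if SCA_RULE.search(line)]

# The same weak function, executable, so the defect can be observed directly.
def lookup_user_vulnerable(conn, name):
    query = "SELECT id FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(query)]

def vulnerable_breaks_on(conn, name: str) -> bool:
    """True if the string-built query fails on this input; a quote in legitimate data is enough."""
    try:
        lookup_user_vulnerable(conn, name)
        return False
    except sqlite3.OperationalError:
        return True

# --- Prevention, step 2: the code fix that eliminates the weakness -------------
def lookup_user_fixed(conn, name):
    # Bound parameter: the input is handled as data and is never parsed as SQL.
    return [row[0] for row in conn.execute("SELECT id FROM users WHERE name = ?", (name,))]

# --- Detection: the interim, highly customized WAF rule -----------------------
# Hypothetical virtual patch for the 'name' request parameter: an allow-list of the
# characters the application actually needs, applied only until the fix above ships.
NAME_ALLOWLIST = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")

def waf_allows(name: str) -> bool:
    return NAME_ALLOWLIST.fullmatch(name) is not None

if __name__ == "__main__":
    conn = make_db()
    print("SCA findings (line numbers):", sca_findings(VULNERABLE_SOURCE))
    print("vulnerable query breaks on o'brien:", vulnerable_breaks_on(conn, "o'brien"))
    print("fixed lookup of o'brien:", lookup_user_fixed(conn, "o'brien"))
    print("WAF allows alice / o'brien:", waf_allows("alice"), waf_allows("o'brien"))
```

Note what the stopgap costs: the allow-list also rejects the legitimate user `o'brien`, whom the fixed query handles correctly. That trade-off between coverage and false positives is exactly why the paper treats the WAF rule as a short-term measure and the code fix, verified by source code analysis, as the prevention.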

What to Measure
In order to provide an accurate and fair comparison of these technologies, this paper will compare these tools using the OWASP Top Ten, the vulnerabilities highlighted by the Open Web Application Security Project (OWASP) as the most critical security flaws (http://www.owasp.org/index.php/OWASP_Top_Ten_Project). The paper will evaluate an additional five critical vulnerabilities to complete the comparison categories for the benchmark.