Research has shown that a vast number of Web sites are vulnerable to Web application attacks and that a great percentage of these attacks occur over the HTTP/S protocols, on ports that are often exposed to the entire online community. With these facts in mind, it is essential for organizations to take serious measures to help secure their Web applications. As Web applications become increasingly complex, tremendous amounts of sensitive data—including personal, medical and financial information—are exchanged and stored. Consumers expect and even demand that this information be kept secure.

There are two primary methods for discovering Web application vulnerabilities: manual penetration testing and code review, or automated scanning tools and static analysis. The purpose of this paper is to compare these two methods.

Evolving testing techniques

Manual security penetration testing is one of the oldest methods for discovering application vulnerabilities. Over time, as the frequency of attacks has grown and application complexity has increased, specialists known as penetration, or "pen," testers have emerged. Their sole purpose is to find and exploit Web application security problems.

In the late 1990s, companies began developing automated Web application testing techniques. By that point, the Web had become more mature, and Web browsers were beginning to be able to handle the complexities of dynamic applications. The goal of these early automated testing tools was to automate the process of discovering (crawling) a Web application and injecting faults into it to help uncover vulnerabilities.

Two primary categories of vulnerabilities

Generally, Web application vulnerabilities can be grouped into two categories: technical and logical. Technical vulnerabilities include cross-site scripting (XSS), injection flaws and buffer overflows. Logical vulnerabilities are much harder to categorize explicitly. These vulnerabilities manipulate the logic of the application to get it to do things it was never intended to do. For example, in early 2002, a hacker used a logical vulnerability to bypass the required personal information validation in a popular e-mail application, allowing the hacker to reset users' passwords by guessing the answer to a single security question.

Technical vulnerabilities

There are more than 70 techniques that can be used to exploit XSS, one of the most common technical vulnerabilities. A typical registration form on the Web contains approximately 30 unique elements, each of which is potentially vulnerable to XSS, injection flaws, buffer overflows or improper error handling. Therefore, to test the form for XSS vulnerability alone, you would need more than 2,000 tests to check all 30 elements against the 70 XSS techniques. It is certainly no surprise that a great number of applications are vulnerable to this one class of exploit.

Given the number of tests needed to check such applications for technical vulnerabilities, automated tools that are able to traverse, analyze and test are perhaps more efficient than manual penetration testing. Automated scanning and testing tools may not currently be able to test for 100 percent of technical vulnerabilities, but they can test for a large percentage of them. As automated Web application security tools have matured, the majority of these issues have been addressed, and automated assessments have reduced incidents of uncertain determinations (false positives) and missed issues (false negatives).

However, as Web applications continue to grow in size, manual testing is becoming more and more difficult. In many enterprise organizations, it will become impossible to dedicate the time, effort and money needed to assess the booming number of Web applications. The bottom line is that humans can only look at so many lines of code per day, and as your volume of applications increases, so too must your stable of testers—which can quickly become cost prohibitive.

Logical vulnerabilities

Logical vulnerabilities are security gaps that can be exploited by understanding how an application works and circumventing the typical business flow. While both automated scanning tools and skilled pen testers can navigate a Web application, only the tester is able to understand the logic behind the application's workflow. This understanding enables the tester to subvert the business logic and expose a security vulnerability. For example, an application might direct the user from point A to point B to point C, where point B is a security validation check. A manual review of the application might show that it is possible to go directly from point A to point C, bypassing the security validation entirely.
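The A-to-B-to-C workflow described above, as an added illustration that is not part of the original paper: the flawed step C handler trusts that the validation step B was visited because the user interface only links to C from B, while the hardened handler tracks completed steps server-side and refuses any request that skips B. The step names, the session structure and the "expected-token" value are constructed for this example.

```python
# Added example (not from the paper): a three-step workflow A -> B -> C where
# step B is a security validation. The flawed C handler assumes B happened;
# the hardened C handler enforces the full prerequisite chain on the server.
from dataclasses import dataclass, field


@dataclass
class Session:
    # Server-side record of the steps this session has actually completed.
    completed: set = field(default_factory=set)


def step_a(session: Session) -> str:
    session.completed.add("A")
    return "ok"


def step_b(session: Session, token: str) -> str:
    # Hypothetical validation check; a fixed constructed value stands in for
    # a real control such as a one-time code or identity question.
    if "A" not in session.completed:
        return "denied"
    if token != "expected-token":
        return "denied"
    session.completed.add("B")
    return "ok"


def step_c_flawed(session: Session) -> str:
    # Logical flaw: C only checks A, relying on the UI to have routed via B.
    if "A" not in session.completed:
        return "denied"
    return "sensitive action done"


def step_c_hardened(session: Session) -> str:
    # Fix: the sensitive action requires every earlier step, including B.
    if not {"A", "B"} <= session.completed:
        return "denied"
    return "sensitive action done"


def workflow_check(step_c) -> dict:
    """Exercise the direct A -> C path (skipping B) and the intended A -> B -> C
    path against a given step C handler, returning what each path produced."""
    skipped = Session()
    step_a(skipped)
    proper = Session()
    step_a(proper)
    step_b(proper, "expected-token")
    return {"skip_b": step_c(skipped), "full_path": step_c(proper)}
```

A workflow test of this shape is something an automated crawler cannot derive on its own, since it requires knowing that B is the step that must not be skippable.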