INFORMATION
Published: Nov 30, 2005
Length: 10
Type: White Paper
Overview:
Information security managers and directors are faced with the enormous responsibility of keeping web applications secure from the menace of hackers. The ever-growing number of security threats and an increasing body of governmental regulations are overwhelming information security teams. With web applications constantly evolving, finding vulnerabilities is a challenging, costly and time-consuming undertaking. How can information security personnel protect sensitive data – and ultimately, the corporate reputation – without costly web application security assessment outsourcing?
The solution is automated security assessment products that leverage stateful processing to comprehensively examine web applications and reveal vulnerabilities in hours rather than weeks. These powerful solutions help information security teams quickly identify problems, regularly assess web application security strength and ensure regulatory compliance.
Web Application Security Vulnerabilities
Web application security vulnerabilities are very prevalent. Recently, hackers invaded databases from information industry giant LexisNexis and gained access to more than 30,000 accounts containing personal data such as names, addresses, Social Security numbers and driver's license information. Additionally, payroll-service provider PayMaxx recently exposed the Social Security numbers and related data of more than 25,000 people for tax year 2004. Nearly every day there is a new attack against a web application.
Web Application Vulnerability Testing Challenges
Failing to protect web applications exposes companies to information theft, unhappy customers and stiff penalties when organizations are not in compliance with regulatory requirements.
Even when companies do take steps to protect against web application hacking, they often face overwhelming workloads or exorbitant security assessment outsourcing costs.
Consequences of Forgoing Vulnerability Testing
Information theft: Data theft takes many forms, including siphoning money from banks and financial institutions, exploiting e-commerce sites to conduct unauthorized transactions and accessing back-end databases with priceless stores of data. Information theft can force corporations to make financial restitutions and lead to customer loss.
Non-compliance: Web applications that are not in compliance with government regulations, such as Sarbanes-Oxley, GLBA, SB 1386 and HIPAA, can result in severe corporate penalties. With new regulations on the horizon, corporations need a way to assess and respond quickly to regulatory requirements.
The Burden of Testing
Staff overload: Running internal security assessments on web applications is a time-consuming burden on internal information security staff. Skilled hackers have far outstripped the ability of information security staff to deal with them. Testing and securing web applications is more complex than network security. Just one web application may contain tens of thousands of lines of code and countless dynamic interactions between components, making finding security vulnerabilities an extremely daunting task.
Exorbitant costs: When companies can't adequately test and protect their web applications in-house, they must outsource the job to application assessment consultants. Because qualified consultants are rare and very expensive, testing complex web applications for vulnerabilities manually can be very costly and time consuming. Enterprises can easily spend millions of dollars each year on manual penetration testing that covers only a small fraction of their web applications. Even a smaller company can easily spend $25,000 to $50,000 to test an average-sized web application a single time with no assured level of consistency.
Problem Overview
With vulnerabilities on the rise, web applications increasing in complexity and experts hard to come by, security personnel are often forced to rely on costly consultants.
Web-based applications are proliferating and their availability presents irresistible temptations to hackers. Web applications contain vulnerabilities in a myriad of forms. For example, a common hacker attack is SQL injection, which involves altering the expected content submitted via a form by inserting unexpected text, such as logic-altering SQL code, often resulting in unrestrained database access. Challenges assessing web application vulnerabilities include:
- Application vulnerabilities are growing every month: The growth of web application vulnerabilities far outstrips information security professionals' ability to deal with them.
- Web applications are growing in complexity: Web applications are rapidly growing in number and complexity, making it extremely difficult and costly to test and secure even a small percentage of a company's most critical web applications.
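An added example, not part of the original paper: the SQL injection described above, shown as a form-backed lookup built by string concatenation beside its parameterized form, with a small check of the kind an automated assessment runs against an organization's own handlers. The table, account rows, function names and probe string are constructed for illustration.

```python
import sqlite3

# Constructed probe: form text that carries logic-altering SQL.
PROBE = "no-such-user' OR '1'='1"


def make_db():
    """Build an in-memory accounts table with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE accounts (name TEXT, ssn TEXT)")
    db.executemany(
        "INSERT INTO accounts VALUES (?, ?)",
        [("alice", "000-00-0001"), ("bob", "000-00-0002"), ("carol", "000-00-0003")],
    )
    return db


def lookup_concatenated(db, form_name):
    # Weak: the form text is pasted into the statement, so the database
    # parses any quotes and operators in it as part of the SQL itself.
    sql = "SELECT name, ssn FROM accounts WHERE name = '" + form_name + "'"
    return db.execute(sql).fetchall()


def lookup_parameterized(db, form_name):
    # Hardened: the ? placeholder binds the form text as a single value,
    # so it is compared to the name column and never parsed as SQL.
    sql = "SELECT name, ssn FROM accounts WHERE name = ?"
    return db.execute(sql, (form_name,)).fetchall()


def leaks_rows(lookup):
    """Flag a handler if the probe returns more rows than a plain non-match."""
    db = make_db()
    baseline = lookup(db, "no-such-user")
    probed = lookup(db, PROBE)
    return len(probed) > len(baseline)


if __name__ == "__main__":
    for handler in (lookup_concatenated, lookup_parameterized):
        verdict = "FLAGGED" if leaks_rows(handler) else "ok"
        print(f"{handler.__name__}: {verdict}")
```
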