

Business Process Overview
What Business Hurdles Exist in Web Application Security Programs?

The Problem Space is Challenging to Define


While scanning a network is fairly straightforward (scan a range of IP addresses by port), Web Applications can be harder to identify. More than one Web Application can be hosted on a single IP address as separate virtual hosts, so a straight scan of that IP address may miss applications.

It is also extremely difficult to agree on a common definition of an application. An online program that handles E-Mail, calendaring and contacts could be one application or three. Links are also not a good metric. A single group of code responsible for a calendar, for example, can create an infinite number of links.



The Politics of Scanning


Simply scanning an application can often create problems. Some applications are on subnets that are not available to security teams. Some web application scanner attacks will trigger intrusion detection/prevention systems.

Security teams must convince application owners that their web application scanners are completely safe. This can be difficult because most scanners run destructive tests that can delete database tables.

NTOSpider is designed to be completely safe in its default mode. NTOSpider tests for the vulnerability to destructive attacks, as opposed to making these attacks and risking damage to databases. Novice users can kick off scans in minutes, without fear of damaging production web applications.



Running Web Application Scanners


Running automated scans of Web Applications is also non-trivial. Web Applications are all unique and contain a series of technologies that make them very difficult for first generation scanners to scan without human monitoring and intervention.

While it may seem like a nuisance to have a human monitor a single scan, implementing the thousands of quarterly scans required by large enterprises makes human intervention an impossibility. Worse, inexperienced operators can think that they are scanning entire applications while they are missing most of the application, leaving multiple vulnerabilities undiscovered.

NTOSpider is the only fully automated scanner on the market with support for executing the full range of JavaScript functionality. It is designed so that human interaction is possible, but not required.

For more information on issues to consider when choosing a web application scanner, please read the NT OBJECTives white paper, "Application Vulnerability Scanners: Understanding Your Organization's Needs."



Difficulty of Consolidating Root Causes


As mentioned above, a single block of code can create thousands of vulnerable links. Worse still, a single link can have multiple variables (day, month, year, user, etc.) that are each vulnerable in multiple ways. Security teams cannot simply tell developers to fix thousands of vulnerabilities. They must be able to consolidate these into a small number of root causes that can actually be repaired by the development team.

Developers are paid to write new code, not fix old code. They are focused on hitting deadlines for new applications, not repairing old ones. Moreover, many security teams do not have a background in application security and do not speak the same language as the application developers. Unless developers are given a concise, clear, accurate list of vulnerabilities, the communication overhead can dramatically increase the cost of remediation.

NTOSpider creates a concise list of vulnerabilities grouped by type, risk, root cause and the group responsible for remediation. Each vulnerability can also be replicated in real time using the validate button. This allows security teams to consolidate vulnerabilities for remediation and clearly communicate them to development teams.



Remediation Assignment Is Difficult


Most vulnerability scanners provide a large list of vulnerabilities. Security teams must not only weed out false positives and try to consolidate by root cause, they must also break these vulnerabilities out by the team responsible for remediating them.

NTOSpider groups vulnerabilities by the teams responsible for remediating them, expediting the assignment of vulnerabilities by security teams.



Prioritization is difficult


Any large enterprise, no matter how careful, will have thousands or tens of thousands of vulnerabilities. There are so many applications and so many possible coding oversights that can create vulnerabilities that there is no avoiding this. Moreover, while many enterprises will have spent significant dollars manually testing and securing their most critical applications, smaller ones will have been largely ignored.

NTOSpider categorizes vulnerabilities as high, medium, low or informational, based on how easy they will be for hackers to exploit. NTOSpider also reports on the priority of the application by its functionality (whether it has authentication, whether it accepts credit cards, etc.). This allows security teams to quickly prioritize vulnerabilities by their business risk to the enterprise.
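The two steps described above, consolidating thousands of raw findings into a handful of root causes and then ranking those root causes by severity and by the application's business function, can be illustrated with a small script. The following is an added example written for this page; it is not NTOSpider code or output. The finding records, the application inventory, the severity weights and the scoring formula are all constructed assumptions chosen to show the mechanics: links generated by one handler are collapsed onto a path template, findings are keyed by (application, path template, parameter, vulnerability type), and each resulting root cause is scored by its worst severity multiplied by an application priority derived from functionality flags.

```python
"""Consolidate scanner findings by root cause and rank them by business risk.

Added example for this page (not NTOSpider code). All data below is constructed.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample findings: a single calendar handler produced several
# vulnerable links, and one store handler shows up under several item ids.
FINDINGS = [
    {"app": "calendar", "url": "https://example.test/cal/view?day=1&month=3&year=2009",
     "param": "day", "type": "SQL Injection", "severity": "high"},
    {"app": "calendar", "url": "https://example.test/cal/view?day=2&month=3&year=2009",
     "param": "day", "type": "SQL Injection", "severity": "high"},
    {"app": "calendar", "url": "https://example.test/cal/view?day=1&month=4&year=2009",
     "param": "month", "type": "SQL Injection", "severity": "high"},
    {"app": "calendar", "url": "https://example.test/cal/view?day=1&month=3&year=2010",
     "param": "year", "type": "Cross-Site Scripting", "severity": "medium"},
    {"app": "store", "url": "https://example.test/store/item/42/review",
     "param": "comment", "type": "Cross-Site Scripting", "severity": "medium"},
    {"app": "store", "url": "https://example.test/store/item/77/review",
     "param": "comment", "type": "Cross-Site Scripting", "severity": "medium"},
    {"app": "brochure", "url": "https://example.test/about?q=x",
     "param": "q", "type": "Cross-Site Scripting", "severity": "medium"},
    {"app": "brochure", "url": "https://example.test/about",
     "param": "", "type": "Server Version Disclosure", "severity": "informational"},
]

# Constructed application inventory: functionality flags drive business priority.
APPS = {
    "calendar": {"authenticated": True, "accepts_cards": False},
    "store": {"authenticated": True, "accepts_cards": True},
    "brochure": {"authenticated": False, "accepts_cards": False},
}

# Assumed numeric weights for the page's four severity bands.
SEVERITY_WEIGHT = {"high": 3, "medium": 2, "low": 1, "informational": 0}


def path_template(url):
    """Collapse purely numeric path segments so links generated by one
    handler (/store/item/42/review, /store/item/77/review) share one key."""
    path = urlsplit(url).path
    return re.sub(r"/\d+(?=/|$)", "/{id}", path)


def root_cause_key(finding):
    """One key per (application, handler, parameter, vulnerability type)."""
    return (finding["app"], path_template(finding["url"]),
            finding["param"], finding["type"])


def consolidate(findings):
    """Group raw findings so each root cause lists every link it produced."""
    groups = defaultdict(list)
    for finding in findings:
        groups[root_cause_key(finding)].append(finding)
    return groups


def app_priority(app_name, apps=APPS):
    """Assumed priority: baseline 1, +1 if authenticated, +2 if it takes cards."""
    flags = apps[app_name]
    return 1 + int(flags["authenticated"]) + 2 * int(flags["accepts_cards"])


def risk_score(key, instances, apps=APPS):
    """Worst severity in the group multiplied by the application's priority."""
    app_name = key[0]
    worst = max(SEVERITY_WEIGHT[f["severity"]] for f in instances)
    return worst * app_priority(app_name, apps)


def prioritized_root_causes(findings, apps=APPS):
    """Return root causes as rows, highest business risk first."""
    rows = []
    for key, instances in consolidate(findings).items():
        app_name, path, param, vuln_type = key
        rows.append({"app": app_name, "path": path, "param": param,
                     "type": vuln_type, "instances": len(instances),
                     "score": risk_score(key, instances, apps)})
    rows.sort(key=lambda r: (-r["score"], -r["instances"], r["path"], r["param"]))
    return rows


if __name__ == "__main__":
    for row in prioritized_root_causes(FINDINGS):
        print(f"{row['score']:>3}  {row['app']:<9} {row['path']:<26} "
              f"{row['param'] or '-':<8} {row['type']:<25} x{row['instances']}")
```

Eight raw findings reduce to six root causes here; the card-accepting store handler rises to the top even though its individual findings are only medium severity, while the informational brochure finding drops to the bottom. The same grouping key is what lets a security team hand developers one fix per handler and parameter instead of one ticket per link.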



Applications Have no Owners


In some cases, the problem of assigning remediation is made nearly impossible because the application in question is no longer under development and has no owner. Security teams have no one to assign remediation to.

For this reason, NT OBJECTives has created a remediation service within its professional services division. NT OBJECTives consultants can review a site's security architecture and create custom code that can be inserted to remediate the vulnerability. This can be explained to client developers, who can insert the code themselves, or it can be implemented by NTO consultants under their supervision.



Budgetary Difficulties


In many organizations, either there is no defined budget for web application security or it is divided up among different groups. Additionally, because remediation requires cooperation among groups, enterprises can spend significant time coordinating and trying to find budget, as opposed to starting to remediate problems.

For more information on the budgetary problems surrounding web application security, please read the NT OBJECTives white paper, "Budgetary Aspects of Web Application Security."


Copyright © NT OBJECTives, Inc. All Rights Reserved.