View Web Application Security White Papers

The Case for Integrating Selenium and Application Security Testing

In this white paper, we explain Selenium, the benefits of integrating application scanners with it and then compare the two scenarios that enable the application security scanner to piggy-back on the application knowledge built into Selenium.

Application Security Solutions Buyers Guide

In this paper, we describe the requirements that we think are the most important when selecting a scanner. When you choose a scanner that meets these requirements, you improve your chances of getting the most automated, accurate and easy-to-manage scanning solution for any deployment model combination of software, SaaS and services.

The Widening Web Application Security Scanner Coverage Gap in RIA, Mobile and Web Services

The research detailed in this white paper explains the technologies used in modern applications, demonstrates why they create challenges for modern web scanners and details how you can determine if scanners are effectively scanning and attacking these newer technologies.

Top 10 Business Logic Attack Vectors

While automated web application assessment tools can accomplish a significant amount of vulnerability testing, some aspects of applications must be tested manually. Business logic flaws defy easy categorization and can be more art than science to discover. The purpose of this white paper is to give an overview of several types of business logic attacks as well as some tips to pen testers on how to test for these types of vulnerabilities.

Detecting Persistent Cross-Site Scripting

Too frequently, when businesses think about the dangers presented by hackers, they think exclusively about intrusion. The notion that a hacker will go in and steal vital business data or customer information can keep executives and IT managers alike tossing in their sleep. Businesses spend far less time focusing on the increasing problem that hackers might attack their customers through their website. This type of attack is known as Cross-Site Scripting.

Phishanomics: The Economics of Phishing, the iFrame Attack and the Brand ROI of Security Spending

This paper will argue that the iframe attack (popularized by the Bank of India hack) has fundamentally altered the way that security professionals must defend less important websites. By allowing phishers to leverage a company’s brand to steal from users, the iframe attack has made an entirely new class of formerly unimportant sites into material security concerns.

Is Your Website Already Infected?

Advances in hacking technology have created an entirely new class of attacks that enterprises need to address. Many websites unknowingly host malicious HTML content that can attack their users. Primarily, there are two ways that malicious HTML appears on websites. Either way, the website compromises its users’ security by hosting malicious content, and it should take action to remove it and prevent it from re-appearing.

The Problem with Known Vulnerability Checking

Most web applications are custom coded and require significant expertise to protect. The application security landscape remains a target-rich environment for hackers. Some owners of web applications have turned to traditional network scanning companies to test their web applications using the same signature-based methodology used to test for layer 6 vulnerabilities.

Web Application Vulnerability Scanners: Understanding Your Organization’s Needs

With the proliferation of application security products, namely vulnerability scanners, many organizations are struggling to understand what features are most important to them and their unique security concerns. This solutions white paper explores 10 important questions that assist in identifying your organization’s needs from such solutions, regardless of vendor.

Budgetary Aspects of Web Application Security

Many organizations are discovering that they are extremely vulnerable to web application hacks. Perimeter protection and network security provide some protection, but the majority of these threats occur at the Web application layer, and it is critical for organizations to put comprehensive programs in place that include application security. Many organizations wonder why the security investments they have already made are no longer sufficient. This article provides guidance for including Web application security in your overall strategy, and best practices for planning and budgeting for it appropriately.

Web Application Exposure to Risk: Raising Awareness to Build Confidence and Improve Security

Web applications possess a given level of inherent security exposure based on numerous variables associated with their environment and intended functionality. In this technical white paper, NTO outlines the important considerations and policies required to proactively understand threat exposure and how to leverage this knowledge in order to mitigate security concerns and build effective policies to minimize security risk.

If You Can’t Crawl It, You Can’t Test It

Performing vulnerability assessments and penetration tests of web applications is the traditional method of collecting the data needed by the enterprise to ensure the application meets internal security and risk mitigation guidelines. But collecting accurate and usable data has been a much more difficult challenge than expected and continues to plague security teams responsible for application security.