In the world of information security there exist many tools, from small open source products to full appliances to secure a system, a network, or an entire corporate infrastructure. Of course, everyone is familiar with the concept of a firewall – even movies like Swordfish and TV shows like NCIS have so very perfectly described, in riveting detail, what a firewall is. But there are other, perhaps less sexy utilities in a security paradigm.
Various concepts and security practices – such as using complex passphrases, or eschewing passphrases entirely, deeply vetting email sources, safe surfing habits, etc. – are increasingly growing trends among the general workforce at large, especially with the ubiquity of computers at every desk. But security in general is still unfortunately looked at as an afterthought, even when a lack thereof begets massive financial loss at a seemingly almost daily level.
Security engineers are all too often considered an unnecessary asset, simply a menial role anybody can do; A role that can be assumed as yet another hat worn by developers, system administrators, or, well, perhaps just someone who only shows a modest capability with Excel formulas. Whatever the reason for such a decision, be it financial or otherwise, the consequences can be severe and long-lasting. Sony underestimated the value of a strong and well-equipped security team multiple times, choosing to forego a powerful army in lieu of a smaller, less outfitted and, thus, thinner stretched but cheaper alternative. This, in turn, yielded among the largest multiple security breaches to ever be seen, especially by a single corporation. Were their security department better outfitted with the right tools, it is quite possible those events would have played out entirely different.
Using the Right Security Tools
So, what constitutes “the right tools”? Many things. A well-populated team of capable security engineers certainly can be considered a valuable tool in building a strong security posture within an infrastructure. But, more specifically and very critically, it is what assets those engineers have at their disposal that may mean the difference between a minor event that never even makes it outside the corporate headquarters doors, and a major event that results in a corporation paying for identity theft protection for millions of customers. Those tools of course vary widely depending on the organization, but one common element they all do – or at least absolutely should – share is a web application security scanner.
What is a Web Application Security Scanner?
A website that accepts user input in any form, be it URL values or submitted content, is a complex beast. Not only does the content an end user provides change the dynamics of the website, but it even has the potential to cripple that website if done maliciously and left unprotected against. For every possibility of user content, the amount of potential attack vectors increases on a magnitude of near infinity. It is literally impossible for a security engineer, or even team thereof, to account for all these possibilities by hand and, especially, test them for known or unknown vulnerabilities.
Web scanners exist for this very purpose, designed carefully to predict potential and common methods of attack, then brute-force test them to find any possibility of an existing vulnerability. And they do this at a speed impossible for humans to replicate manually. This is crucial for many reasons, namely that it saves time, it is thorough and comprehensive, and, if designed well, adaptive and predictive to attempt clever methods that even the most skilled security engineer may not immediately think of. Truly, not using a web security scanner is only inviting potentially irreparable harm to a web application and even the company behind it. But the question remains: Which web scanner works the best?
Options Galore - How to Choose Which Web Scanner is Right for You
Many websites and web applications are like a human fingerprints, with no two being alike. Of course, many websites may use a common backend engine – Wordpress, an MVC framework like Laravel or Ruby on Rails, etc. – but the layers on top of those engines, such as plugins or custom coded additions, are often a quite unique collection.
The backend engine is also not the only portion to be concerned with. Frontend vulnerabilities may exist with each of these layers, such as cross-site scripting, insecurely implemented jQuery libraries, and add-ons, poor sanitization against AJAX communication models, and many more. Each layer presents another nearly endless array of input possibilities to test for vulnerabilities.
A web scanner needs to be capable of digging through these unique complexities and provide accurate, reliable findings. False positives can waste an engineer’s time, or worse, send a development team on a useless chase to perform unit tests, wasted looking for a falsely detected vulnerability. And if the scanner is difficult to understand or provides little understanding of the detected vulnerabilities, it makes for a challenging or undesirable utility that may go unused. Indeed, a well-designed web security scanner that delivers on all fronts is an important necessity for a strong security posture and a better secured infrastructure.
There is no one perfect solution that will solve all problems and completely secure your website such that it becomes impenetrable. Further, a web security scanner will only be as effective as the security engineers or developers fixing all flaws it finds. A web security scanner is only the first of many, many steps, but it indeed is an absolutely critical one for a powerful security posture.
Indeed, we keep returning to that phrase – security posture – because it is a perfectly analogous way to look at web application, system, and infrastructure security for both what it provides and what is required for good posture: a strong backbone. Focused visibility and a clear view of paths over obstructions is not possible with a slouched posture. Nothing will provide that vision as clearly as a web security scanner will, and no backbone is complete without a competent and useful web security scanning solution at its top.