App Scanning Helps Secure
Weak Spots”>
Strong security means closing every possible entry point for system crackers, and the weak links for many organizations are custom-built Web applications. Two just-released updates to application vulnerability scanners from Sanctum Inc. and SPI Dynamics Inc. will help developers trying to build secure applications.
Custom application security is a new area in the security field because its difficult to build generic software packages that can effectively test home-grown applications. Because every Web application is different, these scanners have to do Web crawls and use dynamic probing algorithms to determine how to attack Web applications. Even then, these scanners have to do a lot of repetitive guessing to look for errors and, as a result, are no substitute for a skilled human audit or regular penetration tests.
However, Sanctums AppScan 3.0 and SPI Dynamics WebInspect 2.0 are good additions to a corporations security tool kit. Both perform thousands of checks and will be sure to catch the security mistakes that creep into Web server configurations or large custom applications. Organizations with outward-facing Web applications developed internally should consider using this type of tool.
eWeek Labs tested late beta code of AppScan; final code is expected to ship by the end of this month. WebInspect 2.0 started shipping last month, and we tested final code.
We found that these applications are very similar: Both parsed Web applications to determine HTML form parameters and then submitted forms with permutations of parameter values such as nulls, quotes, browser script code and SQL commands. Web applications that dont filter out these attacks will likely break in some way, a bug that can sometimes also be a security hole. Both also scan for known Web and application server vulnerabilities.
AppScan breaks its scanning phase into separate categories, and each category of attacks is scanned in parallel. WebInspect, in contrast, does its scanning serially.
The types of probes most useful to custom Web application designers are those that do various forms of parameter and cookie data manipulation to try to find places where developers missed adding necessary input checks.
For example, the packages will pass in file references as hidden parameter values in the hope that the parameter is used to hold a file name that the Web application will display. They modify parameters to include characters such as a pipe symbol or ampersand that can cause Web applications to run operating system commands or add SQL strings to text input values, which, if not filtered out, can allow an attacker to retrieve database data.
Both packages also check for cross-site scripting attacks by passing input with embedded script code to applications and seeing if the script code is displayed on the following page.
Theres also a lot of simple guessing involved. Both packages check for a long list of files and directories that might be present and accessible to the outside world. If developers leave source files with .bak or .old files or other leftover bits such as file transfer logs, theyll be detected this way.
AppScan runs on Windows 2000 servers and costs $15,000 plus a variable annual maintenance fee. This cost covers scanning of all the domain names and IP addresses owned by the purchaser. WebInspect runs on Windows 98, NT or 2000 and will be more expensive than AppScan for most sites: $4,995 per physical server scanned.
Caution Warranted
Although AppScan and webinspects thoroughness will uncover hard-to-find bugs, their aggressive scanning can also cause application server or Web server crashes. As a result, we suggest testing applications in only nonproduction environments. We didnt experience any crashes in our tests, but officials at both companies said it was a possibility.
In addition, because of the invalid input tests these applications do on every Web form they find, garbage data can get stored in an applications database during testing.
AppScan has a few versions under its belt, but this release has been heavily reworked. The previous version of AppScan, 2.5, required a dedicated PC because it installed a customized version of Debian Projects Debian GNU/Linux as its run-time engine. AppScan 3.0 is a Windows application and has a completely new user interface that we found more usable than the 2.5 version. The interface provides clear, step-by-step guidance through site tests and has dynamic filtering controls that let us quickly switch among different sections of a test result.
AppScan is much faster at scanning than WebInspect. A full AppScan security test of one of our sites finished in 6 minutes vs. an hour for WebInspect and delivered similar results.
However, WebInspect has a few advantages that users wanting more control will value. With WebInspect, for example, we could write our own tests using VBScript. (A script editor with method name completion and debugging is also included.) Custom tests in AppScan, in contrast, were limited to three types of simple tests. WebInspect also provides regular expression-based search (and search and replace) features for HTTP request and response data.
In tests, WebInspect stood out for the quality and comprehensiveness of its vulnerability descriptions (see screen, above), which were, by and large, more detailed and had more background information than those in AppScan.
Both packages include information on how to fix or work around found vulnerabilities, although neither had any system of tracking if these fixes were applied. What wed like to see is a way of comparing scans so that administrators can verify that identified problems have been fixed.
AppScan 3
.0 Beta”>
AppScan 3.0 Beta
Sites that need to secure large numbers of custom Web applications and/or Web servers will find AppScan 3.0s speed, relatively low cost and ease of use attractive. However, AppScan should not be used as a replacement for human audits and regular penetration tests.
Cost Analysis
Since a single license covers all the IP addresses a business manages, a single $15,000 AppScan purchase goes a long way. Finding Web application bugs in critical applications before outsiders do is worth this cost.
+Finds custom application and Web server vulnerabilities; very fast scanning engine; easy-to-use interface; flexible filtering tools allow for easy searching of reported vulnerabilities. mCustom rules are limited to simple file detection or parameter manipulation; could crash a tested server or put test data into a tested applications database.
Evaluation Short List
•SPI Dynamics WebInspect
•Kavado Inc.s ScanDo
www.sanctuminc.com/solutions/appscan/index.html
WebInspect 2
.0″>
WebInspect 2.0
USABILITY |
Good |
CAPABILITY |
Good |
PERFORMANCE |
Fair |
INTEROPERABILITY |
Good |
MANAGEABILITY |
Fair |
SCALABILITY |
Fair |
SECURITY |
Good |
SPI Dynamics WebInspect provides a cost-effective way to scan custom Web applications on one or two Web servers for coding vulnerabilities. Web developers will especially appreciate the developer-oriented sections in its vulnerability descriptions. As with Sanctums AppScan, organizations using WebInspect should continue to perform human audits and regular penetration tests.
Cost Analysis
At $4,995 per tested server, WebInspect lets organizations test one or two servers quite cheaply, but costs rise quickly for larger shops.
(+) Finds custom application and Web server vulnerabilities; provides a full programming language and programming tools to write custom rules; information-packed vulnerability descriptions. (-) A full scan of an application took longer with WebInspect than it did with AppScan; could crash a tested server or put test data into a tested applications database.
Evaluation Short List
•Sanctums AppScan
www.spidynamics.com