AppScan Rethinks Application Security

Tester's Choice: Sanctum's AppScan 2.5, winner of eWEEK's eXcellence Award for enterprise resource protection, offers a creative way to help developers write secure Web app.

As weve seen in our OpenHack online security tests, Web application security is the most difficult part of online security to do right.

Its well-understood how to use firewalls, transport-layer encryption and OS hardening to protect network infrastructure. Whats not well-understood is how an organizations custom applications can be made equally secure.

For example, has anyone in IT considered the security surrounding the application that drives the self-service vacation-time-tracking application, the product-rebate registration site, or the customer promotion sign-up page? These applications are usually written in some kind of Web-scripting language. Because they can be quickly written, they often are, and this haste can lead to significant security vulnerabilities.

Web applications also commonly need to have real-time access to customer databases, so the negative consequences of security bugs are serious. Theres no substitute for an experienced pair of eyes going over code in an audit to make sure that secure coding practices are followed.

A few key things are to ensure that parameters are being initialized properly, that all user input is scanned to ensure values are within reasonable ranges (for example, that a state abbreviation is two and only two letters long) before use, and that all pages check that users have supplied proper security credentials before the page does anything else.

However, a winner in our just-completed second annual eWEEK eXcellence Awards offers a new and highly creative way to help developers write secure Web applications.

Sanctum Inc.s $20,000 AppScan 2.5 took first place in the Enterprise Resource Protection category.

AppScan is an automated security vulnerability scanner for applications. Initially, this idea seemed ridiculous to me because vulnerability scanners rely on known attack databases to do their scanning, and attack databases dont exist for custom applications, just for packaged ones.

However, AppScan relies on the somewhat self-describing characteristics of HTML and its knowledge of several classes of Web attacks to get around this problem. It also probes for the known vulnerabilities of commercial application servers, which is also important when securing Web applications.

We did some internal testing of AppScan 2.5 as part of our judging process. While I still want to do more tests when the next full update comes out in a few months, my experiences so far have piqued my interest. AppScan takes a genuinely new approach to application security.

The software needs to run on a dedicated PC—it installs a customized version of Debian GNU/Linux as part of its installation process.

Once set up, I could configure the software either to do an automated walk through our site or browse a path through the site myself while it recorded my actions.

AppScan parses returned HTML pages and examines HTML forms to see the parameters that each form-handler page is expecting and the name of each parameter. It then calls each page in a Web application that accepts parameters with large numbers of permutations on those parameters and parameter data, in the hope of finding an application bug.

For example, AppScan will test for client-side scripting attacks by including script code blocks in parameter data, then seeing if this script code is displayed on the returned HTML page. It removes parameters altogether or passes bad parameter data such as nulls (hex value 0), empty strings, single quotes, double quotes or SQL code to look for applications that dont filter out these attacks.

Once AppScan has a browse path through a site, it will also try to access pages without going through a log-in process to find internal pages that lack proper user authentication code.

All these security tests reinforce that application developers can never blindly trust data that users provide—be that data in a URL string, data in an HTTP form or data provided in a cookie.

Application security is difficult because there are so many ways to get it wrong—sins of omission are sins of commission when it comes to security. AppScans automated scanning enforces a systematic approach to application security that will catch mistakes humans find all too easy to miss.

West Coast Technical Director Timothy Dyck can be reached at [email protected]