Eric Ogren

Web application security -- time for services

July 11, 2007 9:00 AM EDT
Web application security, like other forms of vulnerability scanning, is as much an art as a science. The vendors are pretty good at detecting known vulnerabilities and generating lovely reports for IT on all that they've found. However, for all of the advances in the technology, the vendors are unable to tell their customers that their customer-facing applications are secure, or to articulate business benefits beyond meeting a PCI requirement.

All the vendors report the same class of faults, and they have been around for a decade. Cenzic reports that 19% of Web application vulnerabilities are forms of cross-site scripting, while White Hat will tell you that 2 out of 3 scanned sites will uncover an XSS vuln. The other vendors (Ounce, SPI/HP, Veracode, Watchfire/IBM, etc.) have similar observations. Don't get me wrong, I believe application scanning is an extremely valuable tool. It's just that the vendors position it poorly - as a developer tool rather than an operational IT tool or service.

If you are a product vendor, I believe you are irresponsible if you do not build application scanning into your development process, especially for privileged Web-based administrative functions. I noticed a number of XSS vulnerabilities reported in the NIST CVE database. This can create a real risk of privilege escalation by an attacker. If those folks miss well-understood XSS problems, what else might be lurking in their products?

If you are in IT, your issue is keeping your organization's production applications as secure as reasonably possible. This means a scanning regimen to catch new attacks, detect new Web servers, and detect changes to existing applications. You are far more interested in production environments than staging test beds. Report on the number of vulns found and fixed by application as an incentive for development teams. There is really no need for you to own a product here - use an independent service, or better yet two. Change service vendors every year or two to get fresh approaches to discovering vulns, as each vendor has different discovery strengths.

If you are a Web application scanning vendor, then start building a service infrastructure and business model. This will be an increasingly important part of your business. It works for Qualys; it can work for you. Equally important is to find some way to show your value to business managers. IT doesn't care to judge the coding quality of internal applications; they want a secure, healthy business. (Web application firewalls learned this lesson years ago. Those that looked at customer business value morphed into important application acceleration products; those that only fought the good security fight perished.) Talk to your customers about industry norms for Web site security, application availability improvements, or useful Web site profiles. Maybe even look at scanning the complete application environment - network, databases, user accounts - to solve more of the customer's application security problem.