Hackers are getting smarter; are you?

According to the Open Web Application Security Project (OWASP), “a vulnerability is a hole or a weakness in the application, which can be a design flaw or an implementation bug, that allows an attacker to cause harm to the stakeholders of an application.”


While most companies understand what a vulnerability is, there is still confusion about what to look for and how to prioritize security work.

  • 80 – 90% of applications are built from third-party components that often contain critical vulnerabilities [State of Software Supply Chain Report]
  • 57% of respondents have no idea whether their applications were ever breached [Ponemon Report]
  • Only 4% of vulnerabilities are low in both severity and business impact [Security Trends & Vulnerabilities Review]


The numbers are conclusive. If your business is online, attackers will find these vulnerabilities. Neither customers nor investors like hearing about security lapses, and such incidents are known to hurt revenue, reputation, and customer trust.

Security analysts recommend finding vulnerabilities before the attackers do and fixing them before they can be exploited. Here are our guidelines to help you pick the best online vulnerability scanner.

#   What                        Why
1.  Recognize Vulnerabilities   To identify type and impact
2.  Follow Scan Methodology     To ensure thorough vulnerability tests
3.  Categorize by Severity      To set website priorities
4.  Zero-Day Detection          To cover all threats
5.  Online Pen Test             For business logic flaws
6.  Effective Reporting         To convey issues efficiently
7.  Remediation Guidance        To fix issues


1 Recognize Vulnerabilities

There are several types of vulnerability detection tools online. Some only check for a handful of the most common issues, while others work through a defined list such as the OWASP Top 10 or the CWE/SANS Top 25.

You should look for a scanner that can identify most of the security loopholes that attackers target. This includes SQL Injection, Cross-Site Scripting, Cross-Site Request Forgery, and the other OWASP Top 10 and CWE/SANS Top 25 weaknesses listed below.


OWASP Top 10 (2017)

  • Injection
  • Broken Authentication and Session Management
  • Sensitive Data Exposure
  • XML External Entity
  • Broken Access Control
  • Security Misconfiguration
  • Cross-Site Scripting
  • Insecure deserialization
  • Using Components with Known Vulnerabilities
  • Insufficient Logging and Monitoring

CWE/SANS Top 25 (2011)

Insecure Interaction Between Components

CWE ID     Name
CWE-89     Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)
CWE-78     Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
CWE-79     Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
CWE-434    Unrestricted Upload of File with Dangerous Type
CWE-352    Cross-Site Request Forgery (CSRF)
CWE-601    URL Redirection to Untrusted Site (‘Open Redirect’)


Risky Resource Management

CWE ID     Name
CWE-120    Buffer Copy without Checking Size of Input (‘Classic Buffer Overflow’)
CWE-22     Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)
CWE-494    Download of Code Without Integrity Check
CWE-829    Inclusion of Functionality from Untrusted Control Sphere
CWE-676    Use of Potentially Dangerous Function
CWE-131    Incorrect Calculation of Buffer Size
CWE-134    Uncontrolled Format String
CWE-190    Integer Overflow or Wraparound


Porous Defenses

CWE ID     Name
CWE-306    Missing Authentication for Critical Function
CWE-862    Missing Authorization
CWE-798    Use of Hard-coded Credentials
CWE-311    Missing Encryption of Sensitive Data
CWE-807    Reliance on Untrusted Inputs in a Security Decision
CWE-250    Execution with Unnecessary Privileges
CWE-863    Incorrect Authorization
CWE-732    Incorrect Permission Assignment for Critical Resource
CWE-327    Use of a Broken or Risky Cryptographic Algorithm
CWE-307    Improper Restriction of Excessive Authentication Attempts
CWE-759    Use of a One-Way Hash without a Salt
CWE-759 Use of a One-Way Hash without a Salt


Resource: OWASP and SANS cheat sheets


2 Follow Testing Methodology

Whether it is automated online vulnerability scanning or manual penetration testing, it is critical that the vendor understands the guidelines laid down by the leading web application security bodies. A thorough test is a 12-step process that includes mapping the application's logic, configuring the scan or test for that application, and proper documentation before results are published.

Ask the vendor which process they follow and use their documented methodology as the foundation of your conversation.



3 Categorize by Vulnerability Severity

This is the most important application security metric you should have. Whether you use automated testing, penetration testing/ethical hacking, or a combination of both, the report should describe your exposure in detail.

A more comprehensive view of these vulnerabilities will also state the severity and the business risk of each one.


It will help your business to prioritize what’s more critical and what should be fixed first.


Your vulnerability scanner should be able to rank the vulnerabilities it finds by their severity and business impact, not just list them.

4 Zero-Day Detection

Did you know that AppTrana Scanning found over a hundred new vulnerabilities last year?

A zero-day vulnerability is a flaw in software that is unknown to the party or parties responsible for patching or otherwise fixing the flaw.

Most scanning tools are not updated to look for new vulnerabilities; they often run on checks and logic written years ago. Strictly, a scanner can only find flaws it has a check for, so what you are really buying is how quickly the vendor turns newly disclosed issues into checks and pushes them to your scans. Look for a scanning vendor that not only logs newly discovered issues but also updates its product to find them in your application.


5 Pen Testing

Online businesses need both automated and manual testing to find deep vulnerabilities in their critical application systems (backend/frontend servers, APIs, etc.). Automated scanners are quick at uncovering common issues, but you also need periodic penetration testing to ensure that business logic flaws, which no scanner has a signature for, are detected as well.

Applications often have security loopholes that are specific to their business. The following are some notable examples.

  • An e-commerce site allows users to add items to a cart, view a summary page and then pay. What if they could go back to the summary page, still in the same valid session, inject a lower price for an item and complete the payment?
  • Can a user hold an item in the shopping cart indefinitely and keep others from purchasing it?
  • Can a user lock an item in a shopping cart at a discounted price and purchase it several months later?
  • What if a user books an item through a loyalty account, receives the loyalty points, and then cancels before the transaction completes?
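The first scenario above, as an added example that is not code from the original post or from AppTrana: a checkout handler that trusts the prices echoed back from the summary page, beside one that recomputes the charge from server-side state. The catalog, SKUs, prices and form payloads are all constructed for illustration.

```python
# Added example (not code from the original post or from AppTrana): the price
# tampering scenario above. A checkout handler that trusts prices echoed back
# from the summary page, beside one that recomputes the charge from server-side
# state. Catalog, SKUs, prices and the form payloads are all constructed.
from dataclasses import dataclass
from decimal import Decimal, InvalidOperation

# Hypothetical server-side catalog: the only authoritative source of prices.
CATALOG = {
    "sku-100": Decimal("49.99"),
    "sku-200": Decimal("199.00"),
}


@dataclass
class Session:
    """Server-side session state: the cart the user built, keyed by SKU."""
    cart: dict  # sku -> quantity


class CheckoutError(Exception):
    """Raised when the server-side checks refuse to charge."""


def checkout_vulnerable(session, form):
    """Charges whatever the POSTed summary form says.

    The summary page rendered price and quantity as hidden fields and this
    handler simply reads them back. A user who returns to the summary page in
    the same valid session and replays the POST with price=0.01 pays 0.01:
    nothing ties the form to the server-side cart or to the catalog.
    """
    total = Decimal("0")
    for item in form["items"]:
        total += Decimal(str(item["price"])) * int(item["qty"])
    return total  # handed to the payment gateway


def checkout_hardened(session, form):
    """Derives the charge from server-side state only.

    Client input serves one purpose: acknowledging the total the user was shown.
    Prices come from CATALOG and quantities from session.cart, so a replayed or
    edited summary form cannot lower the price.
    """
    if not session.cart:
        raise CheckoutError("empty cart")
    total = Decimal("0")
    for sku, qty in session.cart.items():
        if sku not in CATALOG:
            raise CheckoutError(f"unknown sku {sku}")
        if not isinstance(qty, int) or qty <= 0:
            raise CheckoutError(f"bad quantity for {sku}")
        total += CATALOG[sku] * qty

    # The acknowledged total is compared, never trusted. If it differs from the
    # freshly computed one (a tampered form, or a catalog price that moved since
    # the summary was rendered, e.g. an expired discount) the user is sent back
    # to re-confirm instead of being charged a stale figure.
    try:
        acknowledged = Decimal(str(form.get("acknowledged_total", "")))
    except InvalidOperation:
        raise CheckoutError("malformed acknowledged_total")
    if acknowledged != total:
        raise CheckoutError(f"total changed: shown {acknowledged}, now {total}")
    return total


def try_checkout(handler, session, form):
    """Runs a handler and returns the charged amount as text, or the refusal."""
    try:
        return str(handler(session, form))
    except CheckoutError as exc:
        return f"refused: {exc}"


if __name__ == "__main__":
    session = Session(cart={"sku-100": 1})
    # Constructed replay of the summary POST with the price edited down.
    tampered = {"items": [{"sku": "sku-100", "price": "0.01", "qty": "1"}],
                "acknowledged_total": "0.01"}
    print("vulnerable:", try_checkout(checkout_vulnerable, session, tampered))
    print("hardened:  ", try_checkout(checkout_hardened, session, tampered))
    print("hardened, honest:", try_checkout(checkout_hardened, session,
                                            {"acknowledged_total": "49.99"}))
```

The hardened handler also covers the discounted-price scenario, since a total that no longer matches the current catalog forces a re-confirmation rather than a charge. Indefinite cart holds (the second bullet) need a separate server-side expiry on the stock reservation, which this example does not show. No scanner will flag the vulnerable handler, because a request with price=0.01 is syntactically perfect; only a tester who understands the checkout flow will.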

Ensure that your online vulnerability scanning provider has a penetration testing team you can call on when needed.


6 Effective Reporting

Simply listing the vulnerabilities found during scanning is not effective reporting. Business managers and developers look for insightful reports that lay down the essential points and help them understand what is wrong and what the risk is.


An ideal web scanning report should include the following points:

  • Number of vulnerabilities
  • Types of vulnerabilities
  • Criticality of vulnerabilities
  • Business impact
  • Observations from the tester
  • Analysis


7 Remediation Guidance

Good scanning companies do more than state the problem; they offer detailed suggestions on how each vulnerability can be fixed. For instance, AppTrana has an end-to-end remediation workflow integrated with all its scans, through which security analysts send their mitigation guidance directly to developers.


Instant Protection

You should also look at other mitigation options, such as a Web Application Firewall (WAF) that can virtually patch a vulnerability by blocking the requests that would exploit it, so attackers cannot reach the flaw while the code fix is being developed and deployed. A virtual patch is a compensating control, not a fix: the vulnerability stays in the code until developers remediate it, and the scanner should keep reporting it until then.

Tightly integrated WAF and scanner modules let what one learns feed the other (for example, a scanner finding becoming a WAF rule), improving the efficacy of detection and protection for all types of attacks. Look for scanning vendors that offer such integrated plans (Scan+WAF) so that you can grow into them as your security needs grow.
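One way a virtual patch can be expressed, as an added example that is not AppTrana's rule format or any vendor's code: a WSGI middleware that, for a hypothetical endpoint a scan has flagged (GET /api/orders, parameter id, assumed to reach a SQL query unsanitised), lets only a plain integer id through until the code fix ships. The endpoint, rule and requests are constructed.

```python
# Added example (not AppTrana's rule format or any vendor's code): a virtual
# patch written as a WSGI middleware. Assumption: a scan has flagged the
# hypothetical endpoint GET /api/orders, whose 'id' parameter reaches a SQL
# query unsanitised. Until the code fix ships, only a plain integer 'id' is let
# through, so the flaw cannot be reached. Rule, endpoint and requests are
# constructed.
import re
from urllib.parse import parse_qs

# Allow-list rules keyed by (method, path): each names a parameter and the only
# shape it may take. Allow-listing the one flagged parameter is far more robust
# than trying to enumerate attack strings, which is what bypass research targets.
VIRTUAL_PATCHES = {
    ("GET", "/api/orders"): {"id": re.compile(r"[0-9]{1,12}")},
}


def evaluate(method, path, query_string):
    """Returns (allowed, reason) for one request's method, path and query."""
    rules = VIRTUAL_PATCHES.get((method.upper(), path))
    if rules is None:
        return True, "no patch for this endpoint"
    # parse_qs URL-decodes, so %27 and friends are checked in decoded form, and
    # it keeps every repeated value so a second 'id=' cannot slip past.
    params = parse_qs(query_string, keep_blank_values=True)
    for name, pattern in rules.items():
        for value in params.get(name, []):
            if not pattern.fullmatch(value):
                return False, f"virtual patch: {name} must match {pattern.pattern}"
    return True, "ok"


def middleware(app):
    """Wraps a WSGI app; blocked requests get 403 and never reach the app."""
    def wrapped(environ, start_response):
        allowed, reason = evaluate(
            environ.get("REQUEST_METHOD", "GET"),
            environ.get("PATH_INFO", "/"),
            environ.get("QUERY_STRING", ""),
        )
        if not allowed:
            body = reason.encode()
            start_response("403 Forbidden", [
                ("Content-Type", "text/plain"),
                ("Content-Length", str(len(body))),
            ])
            return [body]
        return app(environ, start_response)
    return wrapped


if __name__ == "__main__":
    # Constructed requests: a legitimate one, an injection probe, and a
    # parameter-pollution variant that hides the payload in a repeated 'id'.
    for qs in ("id=42", "id=42%27%20OR%201%3D1--", "id=1&id=1%20OR%201%3D1"):
        print(qs, "->", evaluate("GET", "/api/orders", qs))
```

The rule is scoped to the single parameter the finding names and is evaluated after URL decoding, so percent-encoded variants of the same payload are caught. It does not inspect POST bodies, headers or cookies, so a flaw reachable through those needs its own rule; and because it is a compensating control, the finding should stay open in the scanner until the query itself is parameterised.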


Test the AppTrana Vulnerability Scanning with Web Application Firewall (WAF) and DDoS Protection, and get our Free Forever Web Scanning.

Start a Free Trial

Founder & Chief Marketing Officer, Indusface

Venky has played multiple roles within Indusface for the past 6 years. Prior to this, as the CTO @indusface, Venky built the product/service offering and technology team from scratch, and grew it from ideation to getting initial customers with a proven/validated business model poised for scale. Before joining Indusface, Venky had 10+ years of experience in security industry and had held various mgmt/leadership roles in Product Development, Professional Services and Sales @Entrust.