Best Practices for Selecting a Web Application Scanning (WAS) Solution
Copyright © 2013, Qualys, Inc. May 16, 2013
With attackers getting more sophisticated every day, manual methods of locating and testing web-based apps are no longer enough. The right Web Application Scanning (WAS) solution can help you systematically: discover web apps running in your network, determine whether or not they are vulnerable to attack, understand how to fix them, and protect your business while fixes are being implemented. With today’s automated, highly-accurate technology, you can now test all of your apps – in development, QA and production – whether you have a handful or many thousands. This checklist of best practices will save you time and help you understand what to look for when selecting a WAS solution.
Architecture

Is the WAS a software product or a Cloud service?
WAS software products that you install in your network require you to acquire, configure, and manage servers, do backups and handle patch updates. In contrast, modern Cloud-based WAS solutions (sometimes called software-as-a-service or SaaS):
- Don’t lock you in with up-front investments in equipment.
- Don’t require ongoing updates, database backups, etc.
- Can be used immediately from your browser.
- Scale easily to handle new apps, users and locations.
- Have costs that are more predictable.
- Enable results to be stored in an objective, tamper-resistant way for audits.

Can the WAS scan apps wherever they’re deployed?
Today’s WAS solutions should be used throughout the lifecycle of your applications – in development, testing, and production. Modern WAS solutions enable you to scan and track all of your apps, internal as well as Internet-facing, so that you can use a single tool everywhere and get a consolidated view of security across all of your applications.

Can multiple people use the WAS at the same time?
Modern WAS systems provide information about different applications to different people – all at the same time. It’s very important to look for WAS solutions that are easy to use and that allow multiple users to safely scan and report simultaneously, without interfering with each other.

How does the WAS handle multiple locations?
This is one of the big ways in which WAS approaches differ:
- On-premise products: WAS software that you install yourself uses your internal corporate network to reach each of the applications being scanned. This can create bottlenecks in slower, congested portions of your network or when scanning through firewalls to reach apps on the Internet.
- Basic software-as-a-service: Some limited WAS services can only check external, Internet-facing apps.
- Cloud services: Modern WAS solutions delivered from the Cloud are specifically designed to scan applications in many locations at once. These solutions use secure, remotely-managed scanner appliances (either physical boxes or virtual machines) that can be placed in different portions of your network to make internal scanning efficient and minimize the impact on your other systems.

Do I have to open holes in my firewall?
You should never have to compromise your security by opening special ports in your corporate firewall.

Does the WAS integrate with other systems?
Web application scanners can be a crucial source of security intelligence for other security and compliance systems. Look for WAS solutions that can be used with popular Web Application Firewalls (WAFs) and that have robust APIs for integrating with your security information and event management (SIEM) or enterprise risk management (ERM) solutions.
Scanning

What are the top features to look for in a web app scanner?
Web application scanners examine, probe and analyze responses from your applications, checking for potential vulnerabilities. Look for WAS solutions that:
- Automatically discover lost or hidden apps.
- Organize apps into groups for scanning and reporting.
- Scale seamlessly from a few apps to thousands.
- Scan according to specific schedules you can set.
- Log into apps using multiple forms of authentication.
- Efficiently scan apps in different parts of your network.
- Identify vulnerabilities according to guidelines such as the OWASP Top 10.
- Find malware hidden inside your applications.
- Help you prioritize which vulnerabilities to fix first.
- Can be used across development, QA and production.
- Can be used by multiple people without interference.

Can the WAS discover lost or hidden web apps?
Web applications can potentially appear on your network unexpectedly, and can be forgotten just as easily. For true security, you need to find “unofficial” or “lost” applications hiding in your environment. Look for WAS solutions that can search your internal and Internet-facing networks to discover and catalog all of your applications.

How accurate is the WAS?
Accuracy is crucial. A missed vulnerability can leave you open to attack; conversely, invalid issues (“false positives”) will waste your IT resources. Test with apps that are representative of your own technologies and environment.

Is the WAS scalable?
Over time, you can expect the number of web apps you use to grow. Larger organizations, especially, should look at WAS solutions that are fast enough and efficient enough to handle thousands of applications, spread across hundreds of locations.

Can multiple apps be managed and scanned at once?
Advanced WAS solutions allow you to configure, scan and report on groups of apps together so that you can manage security consistently across all of your web applications.

Can scans be run automatically – even continuously?
While WAS solutions should always give you the ability to manually launch a scan, their real power comes from automation. You should be able to configure scans for all your apps in one place and have those scans start and stop according to schedules that you specify (such as during maintenance windows), or even repeat continuously.

Can control of apps be distributed among users?
Modern WAS solutions are specifically designed so that different groups of users can independently control and view the scans and reports of their own applications.

Which vulnerabilities does the WAS look for?
The best WAS solutions use industry-standard sources of vulnerabilities such as the Open Web Application Security Project (OWASP), the Web Application Security Consortium (WASC), and MITRE’s Common Weakness Enumeration (CWE). Look for WAS solutions that can automatically detect risks such as SQL injection, cross-site scripting (XSS), cross-site request forgery (CSRF) and URL redirection.

Can the WAS use authentication for deeper scanning?
Many apps require users to log in to use the full functionality of the application. To realistically test such applications, a WAS solution must be able to log in as if it were an actual user, whether through a simple form, a multi-step interaction, or another authentication mechanism. The best WAS solutions have you simply supply a username and password that the scanner automatically uses wherever needed. For situations where such insertion isn’t possible, advanced scanners let you record a user logging in and then replay those same actions.

Can the WAS detect malware in applications?
Attackers often upload malware into legitimate applications in order to infect other users. Look for WAS solutions that can test for malicious content (especially new “zero-day” attacks that can slip by traditional signature-based defenses).

Does the WAS protect scan results for audits?
Auditors will question (and likely reject) vulnerability data that can be manipulated by your organization. Make sure the WAS solution stores vulnerability data away from users – for example, in the Cloud – to prevent tampering.
Reporting

Are vulnerabilities prioritized in reports?
Advanced WAS solutions can rank vulnerabilities by severity, based on industry standards such as OWASP, WASC, and CWE. This can help you efficiently determine how and when to address each issue, which is particularly important for complying with mandates that require proof that severe vulnerabilities are being promptly identified and fixed.

Does the WAS give you a continuous view across scans?
To avoid revisiting old issues, look for WAS solutions that track whether each vulnerability found is: new, being worked on, already fixed, or accepted as not worth fixing. In addition, advanced WAS solutions provide “differential reporting” that highlights changes from one scan to another.

Can you report on multiple applications at once?
While all WAS products allow you to examine the results of individual scans, look for solutions that can report across many or all of your apps at once so that you can understand your overall security automatically.

Can reports be customized to multiple audiences?
To properly fit with your organization’s way of operating, look for modern WAS solutions that allow reports to be extensively customized to different audiences and needs – for example, providing scorecards to executives and details to IT teams.

Can you mark vulnerabilities as accepted?
Some vulnerabilities are more risky to fix than to leave alone. Look for WAS solutions that let you accept specific vulnerabilities and not flag them as open issues on reports.
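The differential reporting, vulnerability-state tracking and accepted-risk handling described above, as an added example (not Qualys code): given two scans of the same application, each finding is classified as new, still open, fixed or accepted, and each group is ordered most severe first, as the prioritization question asks. The Finding fields, the state names and the sample scan data are assumptions made for this example.

```python
"""Differential reporting across two scans, with accepted-risk handling.

A finding is identified by (app, vulnerability class, URL, parameter).
States follow the page: NEW (first seen), OPEN (still present), FIXED (no
longer detected), ACCEPTED (risk accepted, so not flagged as open). Items
are ordered most severe first, as the Reporting section asks. The sample
findings below are constructed, not real scan output.
"""
from dataclasses import dataclass

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


@dataclass(frozen=True)
class Finding:
    app: str
    vuln: str       # vulnerability class, e.g. "SQL injection"
    url: str
    param: str      # "" when the issue is not tied to a parameter
    severity: str

    def key(self):
        # Identity across scans; severity is excluded so a re-rated
        # issue is not reported as both fixed and new.
        return (self.app, self.vuln, self.url, self.param)


def diff_scans(previous, current, accepted_keys):
    """Return {state: [findings]} comparing two scans of the same apps."""
    prev = {f.key(): f for f in previous}
    curr = {f.key(): f for f in current}
    report = {"NEW": [], "OPEN": [], "FIXED": [], "ACCEPTED": []}
    for key, f in curr.items():
        if key in accepted_keys:        # accepted risk wins over NEW/OPEN
            report["ACCEPTED"].append(f)
        elif key in prev:
            report["OPEN"].append(f)
        else:
            report["NEW"].append(f)
    for key, f in prev.items():
        if key not in curr:
            report["FIXED"].append(f)
    for items in report.values():       # most severe first within a state
        items.sort(key=lambda f: (SEVERITY_RANK[f.severity], f.url))
    return report


# Constructed sample data: two consecutive scans of one application.
SCAN_1 = [Finding("shop", "SQL injection", "/search", "q", "critical"),
          Finding("shop", "Reflected XSS", "/help", "topic", "high"),
          Finding("shop", "Verbose server banner", "/", "", "low")]
SCAN_2 = [Finding("shop", "SQL injection", "/search", "q", "critical"),
          Finding("shop", "Verbose server banner", "/", "", "low"),
          Finding("shop", "CSRF", "/account/email", "email", "medium")]
ACCEPTED = {("shop", "Verbose server banner", "/", "")}
```

Calling diff_scans(SCAN_1, SCAN_2, ACCEPTED) reports the CSRF issue as NEW, the SQL injection as OPEN, the XSS as FIXED and the banner as ACCEPTED.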

Can data from penetration testing be reported alongside automated scan results?
Sometimes, it can be useful to dive deeply into particular application vulnerabilities using interactive penetration testing tools. The most common “pentesting” software, Burp Suite, is often used to see what information could be compromised. Newer, automated WAS solutions work with penetration testing tools to capture and store results that are obtained manually. This allows vulnerability information from all sources to be organized, maintained, and reported on together for a consolidated view of application security.
Fixing/Remediation

Does the WAS guide you in fixing vulnerabilities?
Best-in-class WAS solutions provide information with each vulnerability to help you understand the underlying cause of potential problems and what you can do to fix them.

Can the WAS be used to debug apps during development without affecting production versions?
Scanning applications during development significantly lowers the risk that vulnerabilities will appear when the app goes into production. Make sure your WAS solution allows different versions of an application to be scanned and managed by different users so that your developers can test without impacting the scanning of your production systems.

Does the WAS work with Web App Firewalls (WAF) to protect your apps with “virtual patches”?
The point of finding vulnerabilities is to protect against them. But, development resources aren’t always available immediately and rolling changes into production can take days or weeks. You may even find issues in code that you don’t control. Fortunately, security technologies such as Web Application Firewalls (WAF) can be used to shield your web apps against malicious input and reduce the risk of an attacker breaking in. Modern WAS solutions can notify application firewalls when vulnerabilities are found. This lets firewall administrators – or the firewall itself – know to create “virtual patches” for the app to block attempts to exploit the newly-found vulnerabilities. Look for next-generation WAS and web application firewall solutions that can work together to automatically detect and protect against suspicious usage.
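One form the WAS-to-WAF notification above can take, as an added example (not code from Qualys or any WAF vendor): a scan finding is turned into a ModSecurity rule chain that returns 403 when the vulnerable parameter fails an allow-list check, so exploitation attempts are blocked while the code fix is scheduled. The parameter types, rule id and sample finding are assumptions for this example; the finding fields are validated before being placed in WAF configuration because they originate in scanner output.

```python
"""Emit a WAF "virtual patch" from a WAS finding.

Added example, not Qualys or WAF-vendor code. For a finding of the form
(vulnerable path, parameter, expected parameter type) it builds a
ModSecurity rule chain that returns 403 when that parameter does not
match an allow-list pattern. Rule ids, the parameter-type names and the
sample finding are constructed for this example.
"""
import re

# Allow-list patterns by parameter type (hypothetical names for this
# example); a value that does not match is rejected.
PARAM_PATTERNS = {
    "integer": r"^[0-9]{1,10}$",
    "token": r"^[A-Za-z0-9_-]{1,64}$",
}


def virtual_patch(rule_id, path, param, kind, vuln):
    """Return a two-rule ModSecurity chain: match the path, then validate."""
    # Finding fields come from scan output, so validate them before they
    # are interpolated into WAF configuration.
    if not re.fullmatch(r"/[A-Za-z0-9_./-]*", path):
        raise ValueError(f"unsafe path in finding: {path!r}")
    if not re.fullmatch(r"[A-Za-z0-9_\[\]-]{1,64}", param):
        raise ValueError(f"unsafe parameter name in finding: {param!r}")
    if kind not in PARAM_PATTERNS:
        raise ValueError(f"no allow-list pattern for type {kind!r}")
    msg = re.sub(r"[^A-Za-z0-9 :/_-]", "",
                 f"Virtual patch: {vuln} in {path} param {param}")
    # REQUEST_FILENAME is the path without the query string, so @streq
    # pins the patch to the exact URL the scanner reported. phase:2 runs
    # after the request body is read, so POST parameters are covered too.
    return (
        f'SecRule REQUEST_FILENAME "@streq {path}" '
        f'"id:{rule_id},phase:2,t:none,deny,status:403,log,msg:\'{msg}\',chain"\n'
        f'    SecRule ARGS:{param} "!@rx {PARAM_PATTERNS[kind]}"'
    )


# Constructed sample finding: SQL injection via a numeric "id" parameter.
SAMPLE_RULE = virtual_patch(900001, "/product", "id", "integer", "SQL injection")
```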

Administration

Is system maintenance required for the WAS, such as patching software or doing backups?
On-premise WAS solutions are like other software products: they often require never-ending administration to keep them up-to-date and supplied with enough CPU, memory, disk, and network resources. Cloud solutions eliminate this burden, allowing you to focus your time and energy on using your WAS solution instead of caring for it.
Costs

What costs are required for the WAS?
This is an important difference between on-premise and Cloud solutions:

Costs of the Solution                                  On-Premise Software   Cloud Service
Upfront hardware (servers, storage, infrastructure)    $
Software usage                                         $                     $
Distributed scanner appliances for internal networks   not offered           $
Maintenance                                            $                     included
Support                                                $                     included
Deployment professional services                       $
Database admin (including backup)                      $
Expansion hardware (as needs grow)                     $
Expansion deployment services                          $
Integration with other security systems                Custom services       optional APIs

- On-premise software: Installing WAS products in your network can entail a variety of costs – from hardware to personnel. Capacity planning is crucial. Buy too much and you waste money; buy too little and you may end up replacing hardware or paying for additional deployment services as you grow.
- Cloud service: Most Cloud-based WAS solutions are offered as annual subscriptions that include the latest software, support, and administration of the platform from which the solution is delivered. Incremental services, such as scanners for internal apps, are simply additions to your subscription. As your needs grow, you just adjust your subscription without replacing anything.

Are consultants required to run the WAS?
It should be your choice. Consultants can be a great resource, particularly for complex projects such as penetration tests that assess your applications at given points in time. They can also help your IT team address difficult issues that are uncovered during web application scans. Many organizations have also found that modern WAS solutions make it easy and cost-effective to incorporate app scanning into their regular, ongoing IT operations.

Could I save money by using free, open-source WAS software instead?
Open-source packages eliminate the software usage costs associated with on-premise WAS solutions, but still leave you with other expenses: hardware, customization, IT, training, and support. At some point, you’ll likely need new capabilities. You’ll either have to pay outside developers to provide the features you need or increase your internal staff.

Support

What type of support comes with the WAS solution?
Web application issues can appear at any time, day or night – and often require immediate response. Look for WAS solutions that offer 24x7x365 support (telephone, email and online documentation) backed by a contractual service-level agreement (SLA). Many Cloud solution providers include this as part of every subscription.

Is training included with support?
Look for WAS solutions that offer live and recorded training as well as certification programs. Cloud solution providers often include this in your subscription at no extra cost.

Vendor

Does the vendor have a reputation for quality, accuracy and usability?
Web applications are becoming the front door to many organizations’ most valuable information. WAS solutions exist to protect that information – and the business behind it. Ask for references from businesses similar to yours.

Is WAS a focus for the vendor, or just a feature of another product?
Web application scanning is a sophisticated technology that requires deep expertise and commitment. Look for vendors who view their WAS solution as a core part of their business, not a bullet on a product check list.

Does the vendor make it easy to try the WAS with your own apps, in your own network?
If you can’t try it, don’t buy it. Test WAS solutions in your own environment with the applications you need to secure.
Useful Resources

To try a web application scanner with your own apps:
A free 14-day trial of QualysGuard Web Application Scanning, the industry’s leading Cloud-based WAS solution, is available at qualys.com/trywas. See for yourself why many of the world’s premier companies depend upon QualysGuard WAS.

To learn more about web application scanning, please see:
- QualysGuard Web Application Scanning lets you quickly and easily discover web-based apps running in your network, determine whether they’re vulnerable to attack, understand how to fix them, and protect your business. To learn more, visit qualys.com/was.
- Web Application Security for Dummies. This e-book offers a quick, easy-to-read guide to making your web applications more secure. Available at qualys.com/wasfordummies.
- Hacking Web Apps: Detecting and Preventing Web Application Security Problems, by Mike Shema, published by Syngress, 2012. Written by one of the industry’s leading authorities on web application security, this book explains common web application attacks in clear, straightforward terms. Available at Amazon.
- The Open Web Application Security Project (OWASP) Top 10 is one of the most-commonly cited lists of “top security risks” affecting web applications. See owasp.org/index.php/Top_10_2010.
- The Web Application Security Consortium (WASC) publishes best-practice security standards for the Web. See webappsec.org.
- The SANS InfoSec Reading Room on Application and Database Security provides whitepapers on a variety of application security topics. See sans.org/reading_room/whitepapers/application/.
- The Common Weakness Enumeration is a community-developed dictionary of software weakness types. See cwe.mitre.org.