A good application security program combines secure processes, practices, and a range of tooling. Choosing the appropriate vulnerability assessment tools should always be the first step in assessing your web application security. These tools prioritize vulnerabilities by severity and report them so that remediation can proceed systematically. There are also many tools to choose from: with freeware, open source, and commercial options on offer, finding the right tools for your purpose can become daunting.
Here are the basic features to look for when choosing suitable vulnerability assessment tools:
Burp Suite is a Java-based integrated platform created by PortSwigger that performs security testing specifically on web applications. The suite consists of several components, including a proxy server, web spider, scanner, intruder, repeater, sequencer, and decoder, which together support both manual and automated testing of applications.
Once you configure your web browser to use Burp Suite as its proxy server, all traffic can be intercepted, examined, altered, and analyzed to recognize a range of security flaws. It is relatively easy to use and is also customizable. While it is a highly recommended tool, it can produce false negatives in areas such as stored cross-site scripting, weak access control policies, session hijacking, and cross-site request forgery.
AppScan assesses the security posture of an application throughout the development life cycle. It supports static and dynamic scanning and evaluates source code, web applications, and mobile applications. It is also worth describing the stages through which AppScan works, using a website scan as an example. First, it explores the website to collect information from each page. Next, it scans the explored pages; this is where it uses its vast exploit database to test for potential vulnerabilities. Lastly, AppScan reports the exploits that were successful during testing, along with information that helps when triaging those results.
AppScan is one of the highest-scoring automated web service scanning tools and is highly recommended throughout the cyber security industry. It has customizable scanning policies and various features that also aid manual testing, including an authentication tester, token analyzer, and HTTP request editor. As with other tools on the market, AppScan also presents many false positives; mitigate this by triaging the scan results.
Nikto is an open source web server scanner that conducts extensive tests in search of potential security flaws. It has a variety of plugins that extend the tool's capabilities, and these plugins are frequently updated with new security signatures.
Nikto is not a stealthy tool: it creates a large number of entries in the server's log files, so a web application with a good IDS/IPS in place will detect that a site scan is taking place. This also makes it useful for testing the strength of your intrusion detection system. In addition, Nikto uncovers useful information about the target that can feed a more extensive vulnerability assessment. One downside is that it reports numerous false positives; however, a manual review follow-up will resolve this.
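As an added example (not code from the original post or from the Nikto project), here is the kind of check an IDS or a log review applies to notice the noise described above: a scanner User-Agent string and a burst of 4xx responses across many distinct paths from one source IP. The access-log lines are constructed for illustration, and the User-Agent signature and thresholds are assumptions; the behavioural check is the more robust of the two, since a User-Agent string is trivially changed.

```python
import re
from collections import defaultdict

# Constructed sample Apache combined-format access log lines (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/117.0"
10.0.0.9 - - [10/Oct/2023:13:55:40 +0000] "GET / HTTP/1.1" 200 1043 "-" "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:000001)"
10.0.0.9 - - [10/Oct/2023:13:55:40 +0000] "GET /cgi-bin/ HTTP/1.1" 404 196 "-" "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:000002)"
10.0.0.9 - - [10/Oct/2023:13:55:41 +0000] "GET /admin/ HTTP/1.1" 404 196 "-" "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:000003)"
10.0.0.9 - - [10/Oct/2023:13:55:41 +0000] "GET /phpinfo.php HTTP/1.1" 404 196 "-" "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:000004)"
10.0.0.9 - - [10/Oct/2023:13:55:41 +0000] "GET /backup/ HTTP/1.1" 404 196 "-" "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:000005)"
10.0.0.9 - - [10/Oct/2023:13:55:42 +0000] "GET /test.php HTTP/1.1" 404 196 "-" "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:000006)"
10.0.0.5 - - [10/Oct/2023:13:55:45 +0000] "GET /about.html HTTP/1.1" 200 2210 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/117.0"
"""

# Apache "combined" log format: ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Assumed signature: Nikto's default User-Agent names the tool. Easily changed, hence the second check.
SCANNER_UA_MARKER = "nikto"


def detect_scanners(log_text, min_requests=5, min_err_ratio=0.6):
    """Return {source_ip: [reasons]} for sources whose traffic looks like a web scanner."""
    per_ip = defaultdict(lambda: {"total": 0, "errors": 0, "paths": set(), "ua_hits": 0})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not parse rather than crashing a log review
        rec = per_ip[m["ip"]]
        rec["total"] += 1
        rec["paths"].add(m["path"])
        if m["status"].startswith("4"):
            rec["errors"] += 1  # scanners probe paths that mostly do not exist
        if SCANNER_UA_MARKER in m["ua"].lower():
            rec["ua_hits"] += 1
    flagged = {}
    for ip, rec in per_ip.items():
        reasons = []
        if rec["ua_hits"]:
            reasons.append("scanner user-agent")
        if rec["total"] >= min_requests and rec["errors"] / rec["total"] >= min_err_ratio:
            reasons.append("high 4xx ratio across %d distinct paths" % len(rec["paths"]))
        if reasons:
            flagged[ip] = reasons
    return flagged
```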
Remember, no tool can detect all types of vulnerabilities, and no tool is as effective on its own as it is combined with human analysis of its results. The real value of a vulnerability assessment tool lies in its ability to aid security professionals: tools can do the heavy lifting of sorting and prioritizing the activities that have the strongest effect on an application's security posture. While these highly effective tools generate great results, human competence is required to properly analyze and act on those results.
Sakthi Mohan is a security consultant at Synopsys. She recently received her master's in computing security from Rochester Institute of Technology. Sakthi is an emerging security professional specializing in architecture risk analysis, web application security, and network security.