Tuesday, January 09, 2007

Automated Scanner vs. The OWASP Top Ten

The challenges of automated web application vulnerability scanning are a subject of frequent debate. Most websites have vulnerabilities, a lot of them, and we need help finding them quickly and efficiently. The point of contention revolves around what scanners are able to find, or not. Let's clear something up: scanners don't suck. Well, some do, but that's not the point I'm making. My business actually relies on our own vulnerability scanning technology. What I'm describing is setting proper expectations of what scanners are currently capable of and how that affects the assessment process.

Download: Automated Scanner vs. The OWASP Top Ten [reg required]

"The OWASP Top Ten is a list of the most critical web application security flaws – a list also often used as a minimum standard for web application vulnerability assessment (VA) and compliance. There is an ongoing industry dialog about the possibility of identifying the OWASP Top Ten in a purely automated fashion (scanning). People frequently ask what can and can’t be found using either white box or black box scanners. This is important because a single missed vulnerability, or more accurately exploited vulnerability, can cause an organization significant financial harm. Proper expectations must be set when it comes to the various vulnerability assessment solutions."


MikeA said...

I'm surprised that anyone has the balls to say that they can effectively scan for a wide class of vulnerabilities. Even for a very small class it's incredibly difficult (halting problem anyone? [http://en.wikipedia.org/wiki/Halting_problem]).

Some things it's really easy (and appropriate) for a scanner to look for - configuration settings (SSL for example), caching (form autocomplete, page directives, cookie settings, etc), and even in some cases pointing out possible XSS (an intelligent scanner can map where an input came from much more effectively than a human). However, it's completely impossible to scan for other types of problems.

This isn't just hitting on webapp scanner vendors though - same is true for source code scanning vendors IMO.

ps. Hey look, two replies in as many weeks - no more lurker status for me :D
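The configuration-style checks named in the comment above (SSL, caching, form autocomplete, cookie settings) are mechanical enough to automate. The sketch below is an added example, not part of the original post or its comments, and runs those checks over one HTTP response. The sample response, the finding names and the `audit_response` helper are constructed for illustration.

```python
from html.parser import HTMLParser

# Constructed sample response for illustration (not from the original post).
SAMPLE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: SESSIONID=abc123; Path=/\r\n"
    "Set-Cookie: theme=dark; Path=/; Secure; HttpOnly\r\n"
    "\r\n"
    "<form action='/login' method='post'>"
    "<input type='text' name='user'><input type='password' name='pass'></form>"
)

class PasswordFields(HTMLParser):
    """Record password inputs and whether autocomplete is off on them or their form."""
    def __init__(self):
        super().__init__()
        self.form_off, self.seen, self.exposed = False, 0, []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        off = (a.get("autocomplete") or "").lower() == "off"
        if tag == "form":
            self.form_off = off
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            self.seen += 1
            if not (off or self.form_off):
                self.exposed.append(a.get("name") or "?")
    def handle_endtag(self, tag):
        if tag == "form":
            self.form_off = False

def audit_response(raw, over_tls):
    """Return (check, detail) findings for one raw HTTP response (hypothetical helper)."""
    head, _, body = raw.partition("\r\n\r\n")
    headers = [(k.strip().lower(), v.strip()) for k, v in
               (ln.split(":", 1) for ln in head.split("\r\n")[1:] if ":" in ln)]
    findings = []
    for cookie in (v for k, v in headers if k == "set-cookie"):
        name = cookie.split("=", 1)[0].strip()
        flags = {p.strip().lower() for p in cookie.split(";")[1:]}
        findings += [(f"cookie-missing-{f}", name) for f in ("secure", "httponly") if f not in flags]
    fields = PasswordFields()
    fields.feed(body)
    findings += [("password-autocomplete-on", n) for n in fields.exposed]
    if fields.seen:  # caching and transport only matter here if a login form is present
        cache = ",".join(v.lower() for k, v in headers if k == "cache-control")
        if "no-store" not in cache:
            findings.append(("login-page-cacheable", ""))
        if not over_tls:
            findings.append(("login-form-without-tls", ""))
    return findings
```

Every check here is a lookup on what the server returned. None of them needs to understand what the application is supposed to do.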

Jeremiah Grossman said...

Hey Mike, thanks for the comment. Maybe all it takes is a compelling topic. :)

card scanner said...

Thanks Jeremiah, just the information I was looking for! Can you write a follow up and tell us about your final conclusions? I also need a scanner for my business.