SlideShare a Scribd company logo

Analyzing the effectivess_and_coverage_of_web_app_scanners

Larry Suto
Larry Suto

This study statistically evaluated the effectiveness of three leading web application vulnerability scanners (NTOSpider, AppScan, and WebInspect) based on their ability to crawl links, test application coverage, find vulnerabilities, and generate false positives across three test applications of varying complexity. NTOSpider significantly outperformed the other tools, finding over twice as many vulnerabilities as AppScan and over 18 times as many as WebInspect, with zero false positives. AppScan missed 88% of vulnerabilities found by NTOSpider, while WebInspect missed 95%. The study concludes that while AppScan and WebInspect may be suitable for simple applications, organizations should have concerns about relying solely on their results for more complex applications due to the number of

Technology
1 of 5
Download to read offline
Analyzing the Effectiveness and Coverage of Web Application Security Scanners By Larry Suto Application Security Consultant San Francisco October, 2007 Abstract This paper summarizes my study of web application scanners and attempt to quantify their effectiveness. This study utilizes a novel methodology I've developed to objectively test the three leading web application vulnerability assessment tools. So far as the author knows, this is the first publicly published study that statistically evaluates application coverage and vulnerability findings by these tools. The study centered around testing the effectiveness of the top three web application scanners in the following 4 areas. 1. Links crawled 2. Coverage of the applications tested using Fortify Tracer 3. Number of verified vulnerability findings 4. Number of false positives One of the most surprising result is the discrepancy in coverage and vulnerability findings between the three tools. Lesser known NTOSpider excelled in every category, and the vulnerability findings show AppScan missed 88% and WebInspect missed 95% of the legitimate vulnerabilities found by NTOSpider. Introduction Testing the capabilities of web application scanners is an ongoing challenge that can be approached in a number of ways; the challenge is to create an objective test that is precise and can be replicated. While previous studies have tested web vulnerability assessment tools, none has statistically tested coverage or vulnerability findings in a precise manner. In this paper I take an approach that allows the data to be quantifiable to distinguish effectiveness (in terms of finding vulnerabilities) between the scanning tools. To do this I employed Fortify's Tracer product which inserts its hooks into actual production J2EE applications to enable measuring the “application security coverage” and then running each of the three top commercial security scanners against the application. This allowed for actual analysis of how much of an application's code base was actually executed during a scan which enabled me to look at the scanners in a new and quantifiable way. Summary The full results of the testing are going to be analyzed in further detail later in the report, but I would like to start off with some of the conclusions first. When looking at the results there are a number of ways to look at the data. There are difficulties around analysis of the overall percentages of the "possible" surface/sink coverage because it is hard to determine what subset of the full list is applicable to what a web scanner is expected to test
(excluding optional features not enabled, alternative database drivers, import/export data features, etc). For this reason, the numbers become unusable and I decided to remained focused on understanding the capabilities of the web application scanners against each other. I started by comparing the results of the scanners against each other in the first two categories. Its interesting to see that the number of links crawled does not always indicate that more of the applications code base is being executed. It is important that the scanner is able to crawl well, but wasting time on redundant inputs only adds to the crawled links, but does not increase coverage of the applications code base. In our tests, NT OBJECTives' NTOSpider product crawled the most links on average, and had the best coverage in all scans; SpiDynamic's WebInspect was able to crawl better than WatchFire's AppScan on one application, but AppScan did slightly better when I looked at the code base it executed. This means that WebInspect wasted time on redundant or otherwise unimportant links. For this study I focused on verifying the findings found by the scanners for accuracy. Again the lesser known NTOSpider from NT OBJECTives had the most findings, lower false positives and most usable reports to aid in remediation.
Methods Methodology The basic idea of the Tracer tool is to place code into the application that will be able to analyze the web application scanner as it accesses security critical areas of the application. Code can be placed manually into the application source as it is built and turned on and off as testing takes place. This is more difficult and time consuming and requires access to the source code and thus the technique most often used is byte code injection which only requires access to the compiled byte code. Software that uses bytecode in its operation (Java/.Net) can leverage techniques that come from the code coverage world such as instrumentation(byte code injection) in which code is inserted during build time or at run time using a custom class loader. Instrumentation adds the new code to the compiled code and thus the source is not necessary. Tracer employs byte code inserted statically into the compiled application byte code. Testing Each scanner was run in default mode and not tuned in any capacity to the application. The importance of this lies in how effective the default mode so that scalability of scanning is not limited by manual intervention and setup procedures which can be very time consuming. Second, in most cases it is simply unrealistic to spend much time with many applications. Each scanner was provided a basic username and password similar to what a basic user would receive. There were issues logging into some of the applications but calls to technical support quickly solved these problems. The Tracer application was configured to monitor each web scanner as it executed its tests. After completing each test run, the results were saved and the monitoring tool was reset for the next scanner. All vulnerability findings were hand vetted to determine if they were true findings or false positives. Detailed Results The following section reports the results of the tests. The analysis for this study was focused on 1) determining how well the scanners covered security sensitive sections of code within an application under test, 2) number of true vulnerability findings and 3) number of false positives. This study did not hand vet the applications to determine if there were any false negatives beyond those in the set discovered by any tool. A set of security sensitive coverage categories were selected from the result set and the presented in the following tables:
Closed Source - Internal Corporate Application Links Database Vuln False Scanner Web API Total API Crawled API Findings Positives NTOSpider 91 20 35 55 0 0 AppScan 113 17 24 41 0 0 WebInspect 91 17 23 40 0 0 Roller - Open Source Blogging platform Links Database Vuln False Scanner Web API Total API Crawled API Findings Positives NTOSpider 736 2 121 123 2 0 AppScan 129 1 98 99 0 5 WebInspect 663 1 68 69 1 10 OpenCMS - Open Source Customer Management application Links Database Vuln False Scanner Web API Total API Crawled API Findings Positives NTOSpider 3,380 47 158 205 225 0 AppScan 742 36 132 168 27 0 WebInspect 1,687 45 140 185 11 3 Totals Links Database Vuln False Scanner Web API Total API Crawled API Findings Positives NTOSpider 4,207 69 314 383 227 0 AppScan 984 54 254 308 27 5 WebInspect 2,441 63 231 294 12 13 The three applications chosen have increasing level of complexity and size. The three scanners all did a reasonable job on the smaller, first application. The second application resulted in some false positives for Appscan and WebInspect. The results for the last application are notable in that both AppScan and WebInspect severely underperformed NTOSpider in all three key areas of the test: 1) application coverage, 2) vulnerability findings and 3) avoidance of false positives. The fact that these results were most evident only in the most complex of these applications may indicate that for security groups to adequately test scanners, they need to use more complex applications. It is not surprising that smaller, less complex applications show less difference between the tools. One would expect fewer true findings and less complexity in crawling the applications. In the aggregate, NTOSpider crawled 328% more links than AppScan and 72% more links than WebInspect; NTOspider covered 24% more of the total APIs than AppScan and 30% more than WebInspect. NTOSpider found 227 total vulnerabilities versus 27 for AppScan and 12 for WebInspect. None of the findings by AppScan or WebInspect were missed by NTOSpider and
AppScan missed 88% and WebInspect missed 95% of the legitimate vulnerabilities found by NTOSpider. NTOSpider had a 0% false positive rate. Appscan had 5 false positives and a 16% false positive rate. WebInspect had 12 false positives and a 52% false positive rate. The false positive findings were of interest because some appeared to be caused by custom 404 error handling routines in the web application, and some simply were based on faulty assumptions. In addition the areas that coverage tool reported as missed were analyzed to determine if there were any security critical sections and also to try and to determine whether it would actually be possible for http based requests to access that portion of the application. Conclusion The most surprising result is the discrepancy in the number of vulnerability findings between the three tools. AppScan and WebInpsect are market share leaders in the space and their companies were both recently purchased by large, sophisticated technology companies (AppScan by IBM and WebInspect by HP). While security professionals testing small, highly secure, simple applications may achieve acceptable results from AppScan and WebInpsect, these results indicate that they may have some concern with relying on the results of these tools for larger applications. The relatively large number of false positives, particularly for WebInspect, is also a matter of some concern. False positives can be difficult for all but the most experienced security professional to identify. If they are not identified, they can cause difficulties by weakening the credibility of the security team with application developers. Additionally, vetting false positives by hand, even by experienced security professionals is a very time intensive process that will increase the cost of the program. While WebInspect has certain tools to reduce false positives, it would appear that this remedy is not necessary if using NTOSpider (and to a lesser extent AppScan). In any case, training the tool to reduce false positives will need to be done by experienced personnel and will increase program costs. Biography Larry Suto is an independent consultant which has consulted for companies such as Wells Fargo, Pepsico, Kaiser Permanante, Charles Schwab and Cisco during his time with Strategic Data Command Inc. based in Oakland, CA. He specializes in enterprise security architecture, risk management, software quality analysis from a security perspective and RF security. Larry has been active in the industry for over ten years and has worked with many fortune 500 companies around the country. Recently his research has included introducing software testing and quality assurance techniques into the security engineering process in order to understand how the effectiveness of security tools and processes can be measured with more accurate and quantifiable metrics. Larry can be reached at larry.suto@gmail.com

Recommended

nullcon 2011 - Vulnerabilities and Malware: Statistics and Research for Malwa...
nullcon 2011 - Vulnerabilities and Malware: Statistics and Research for Malwa...nullcon 2011 - Vulnerabilities and Malware: Statistics and Research for Malwa...
nullcon 2011 - Vulnerabilities and Malware: Statistics and Research for Malwa...n|u - The Open Security Community
 
Stephanie Vanroelen - Mobile Anti-Virus apps exposed
Stephanie Vanroelen - Mobile Anti-Virus apps exposedStephanie Vanroelen - Mobile Anti-Virus apps exposed
Stephanie Vanroelen - Mobile Anti-Virus apps exposedNoNameCon
 
API Abuse - The Anatomy of An Attack
API Abuse - The Anatomy of An AttackAPI Abuse - The Anatomy of An Attack
API Abuse - The Anatomy of An AttackNordic APIs
 
Introduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingIntroduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingRana Khalil
 
Snippets, Scans and Snap Decisions: How Component Identification Methods Impa...
Snippets, Scans and Snap Decisions: How Component Identification Methods Impa...Snippets, Scans and Snap Decisions: How Component Identification Methods Impa...
Snippets, Scans and Snap Decisions: How Component Identification Methods Impa...Sonatype
 
Hackfest 2019 Talk
Hackfest 2019 TalkHackfest 2019 Talk
Hackfest 2019 TalkRana Khalil
 
Why Johnny Still Can’t Pentest: A Comparative Analysis of Open-source Black-b...
Why Johnny Still Can’t Pentest: A Comparative Analysis of Open-source Black-b...Why Johnny Still Can’t Pentest: A Comparative Analysis of Open-source Black-b...
Why Johnny Still Can’t Pentest: A Comparative Analysis of Open-source Black-b...Rana Khalil
 
Why Johnny Still Can’t Pentest: A Comparative Analysis of Open-source Black-b...
Why Johnny Still Can’t Pentest: A Comparative Analysis of Open-source Black-b...Why Johnny Still Can’t Pentest: A Comparative Analysis of Open-source Black-b...
Why Johnny Still Can’t Pentest: A Comparative Analysis of Open-source Black-b...Rana Khalil
 

Recommended

nullcon 2011 - Vulnerabilities and Malware: Statistics and Research for Malwa...
nullcon 2011 - Vulnerabilities and Malware: Statistics and Research for Malwa...nullcon 2011 - Vulnerabilities and Malware: Statistics and Research for Malwa...
nullcon 2011 - Vulnerabilities and Malware: Statistics and Research for Malwa...n|u - The Open Security Community
 
Stephanie Vanroelen - Mobile Anti-Virus apps exposed
Stephanie Vanroelen - Mobile Anti-Virus apps exposedStephanie Vanroelen - Mobile Anti-Virus apps exposed
Stephanie Vanroelen - Mobile Anti-Virus apps exposedNoNameCon
 
API Abuse - The Anatomy of An Attack
API Abuse - The Anatomy of An AttackAPI Abuse - The Anatomy of An Attack
API Abuse - The Anatomy of An AttackNordic APIs
 
Introduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingIntroduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingRana Khalil
 
Snippets, Scans and Snap Decisions: How Component Identification Methods Impa...
Snippets, Scans and Snap Decisions: How Component Identification Methods Impa...Snippets, Scans and Snap Decisions: How Component Identification Methods Impa...
Snippets, Scans and Snap Decisions: How Component Identification Methods Impa...Sonatype
 
Hackfest 2019 Talk
Hackfest 2019 TalkHackfest 2019 Talk
Hackfest 2019 TalkRana Khalil
 
Why Johnny Still Can’t Pentest: A Comparative Analysis of Open-source Black-b...
Why Johnny Still Can’t Pentest: A Comparative Analysis of Open-source Black-b...Why Johnny Still Can’t Pentest: A Comparative Analysis of Open-source Black-b...
Why Johnny Still Can’t Pentest: A Comparative Analysis of Open-source Black-b...Rana Khalil
 
Why Johnny Still Can’t Pentest: A Comparative Analysis of Open-source Black-b...
Why Johnny Still Can’t Pentest: A Comparative Analysis of Open-source Black-b...Why Johnny Still Can’t Pentest: A Comparative Analysis of Open-source Black-b...
Why Johnny Still Can’t Pentest: A Comparative Analysis of Open-source Black-b...Rana Khalil
 
IRJET- Android Malware Detection using Deep Learning
IRJET- Android Malware Detection using Deep LearningIRJET- Android Malware Detection using Deep Learning
IRJET- Android Malware Detection using Deep LearningIRJET Journal
 
Meet the potnet - AboutAndroid | Malware Analysis Report
Meet the potnet - AboutAndroid | Malware Analysis ReportMeet the potnet - AboutAndroid | Malware Analysis Report
Meet the potnet - AboutAndroid | Malware Analysis ReportEran Goldstein
 
vulnerability scanning and reporting tool
vulnerability scanning and reporting toolvulnerability scanning and reporting tool
vulnerability scanning and reporting toolBhagyashri Chalakh
 
Blackhat Europe 2009 - Detecting Certified Pre Owned Software
Blackhat Europe 2009 - Detecting Certified Pre Owned SoftwareBlackhat Europe 2009 - Detecting Certified Pre Owned Software
Blackhat Europe 2009 - Detecting Certified Pre Owned SoftwareTyler Shields
 
Web Application Penetration Testing - 101
Web Application Penetration Testing - 101Web Application Penetration Testing - 101
Web Application Penetration Testing - 101Andrea Hauser
 
Evento - Fintech Districht - Pierguido Iezzi - SWASCAN
Evento - Fintech Districht - Pierguido Iezzi - SWASCANEvento - Fintech Districht - Pierguido Iezzi - SWASCAN
Evento - Fintech Districht - Pierguido Iezzi - SWASCANSWASCAN
 
IRJET- Testing Web Application using Vulnerability Scan
IRJET- Testing Web Application using Vulnerability ScanIRJET- Testing Web Application using Vulnerability Scan
IRJET- Testing Web Application using Vulnerability ScanIRJET Journal
 
IRJET - Heuristic Approach to Intrusion Detection System
IRJET - Heuristic Approach to Intrusion Detection SystemIRJET - Heuristic Approach to Intrusion Detection System
IRJET - Heuristic Approach to Intrusion Detection SystemIRJET Journal
 
Aliens in Your Apps!
Aliens in Your Apps!Aliens in Your Apps!
Aliens in Your Apps!All Things Open
 
Using Splunk for Information Security
Using Splunk for Information SecurityUsing Splunk for Information Security
Using Splunk for Information SecurityShannon Cuthbertson
 
SQL Injection - The Unknown Story
SQL Injection - The Unknown StorySQL Injection - The Unknown Story
SQL Injection - The Unknown StoryImperva
 
MALWARE DETECTION USING MACHINE LEARNING ALGORITHMS AND REVERSE ENGINEERING O...
MALWARE DETECTION USING MACHINE LEARNING ALGORITHMS AND REVERSE ENGINEERING O...MALWARE DETECTION USING MACHINE LEARNING ALGORITHMS AND REVERSE ENGINEERING O...
MALWARE DETECTION USING MACHINE LEARNING ALGORITHMS AND REVERSE ENGINEERING O...IJNSA Journal
 
IRJET- Phishing Website Detection based on Machine Learning
IRJET- Phishing Website Detection based on Machine LearningIRJET- Phishing Website Detection based on Machine Learning
IRJET- Phishing Website Detection based on Machine LearningIRJET Journal
 
Software Birthmark Based Theft/Similarity Comparisons of JavaScript Programs
Software Birthmark Based Theft/Similarity Comparisons of JavaScript ProgramsSoftware Birthmark Based Theft/Similarity Comparisons of JavaScript Programs
Software Birthmark Based Theft/Similarity Comparisons of JavaScript ProgramsSwati Patel
 
Splunk for palo_alto
Splunk for palo_altoSplunk for palo_alto
Splunk for palo_altoGreg Hanchin
 
Innovating Faster with Continuous Application Security
Innovating Faster with Continuous Application Security Innovating Faster with Continuous Application Security
Innovating Faster with Continuous Application Security Jeff Williams
 
Web Application Penetration Testing Introduction
Web Application Penetration Testing IntroductionWeb Application Penetration Testing Introduction
Web Application Penetration Testing Introductiongbud7
 
Mobile Apps Security Testing -3
Mobile Apps Security Testing -3Mobile Apps Security Testing -3
Mobile Apps Security Testing -3Krisshhna Daasaarii
 
Malware Detection in Android Applications
Malware Detection in Android ApplicationsMalware Detection in Android Applications
Malware Detection in Android Applicationsijtsrd
 
AppSec EU 2016: Automated Mobile Application Security Assessment with MobSF
AppSec EU 2016: Automated Mobile Application Security Assessment with MobSFAppSec EU 2016: Automated Mobile Application Security Assessment with MobSF
AppSec EU 2016: Automated Mobile Application Security Assessment with MobSFAjin Abraham
 
Identifying Vulnerabilities Using Internet wide Scanning Data
Identifying Vulnerabilities Using Internet wide Scanning DataIdentifying Vulnerabilities Using Internet wide Scanning Data
Identifying Vulnerabilities Using Internet wide Scanning DataJamie O'Hare
 
apidays Australia 2023 - API Security Breach Analysis & Empowering Devs to M...
apidays Australia 2023 - API Security Breach Analysis & Empowering Devs to M...apidays Australia 2023 - API Security Breach Analysis & Empowering Devs to M...
apidays Australia 2023 - API Security Breach Analysis & Empowering Devs to M...apidays
 

More Related Content

What's hot

IRJET- Android Malware Detection using Deep Learning
IRJET- Android Malware Detection using Deep LearningIRJET- Android Malware Detection using Deep Learning
IRJET- Android Malware Detection using Deep LearningIRJET Journal
 
Meet the potnet - AboutAndroid | Malware Analysis Report
Meet the potnet - AboutAndroid | Malware Analysis ReportMeet the potnet - AboutAndroid | Malware Analysis Report
Meet the potnet - AboutAndroid | Malware Analysis ReportEran Goldstein
 
vulnerability scanning and reporting tool
vulnerability scanning and reporting toolvulnerability scanning and reporting tool
vulnerability scanning and reporting toolBhagyashri Chalakh
 
Blackhat Europe 2009 - Detecting Certified Pre Owned Software
Blackhat Europe 2009 - Detecting Certified Pre Owned SoftwareBlackhat Europe 2009 - Detecting Certified Pre Owned Software
Blackhat Europe 2009 - Detecting Certified Pre Owned SoftwareTyler Shields
 
Web Application Penetration Testing - 101
Web Application Penetration Testing - 101Web Application Penetration Testing - 101
Web Application Penetration Testing - 101Andrea Hauser
 
Evento - Fintech Districht - Pierguido Iezzi - SWASCAN
Evento - Fintech Districht - Pierguido Iezzi - SWASCANEvento - Fintech Districht - Pierguido Iezzi - SWASCAN
Evento - Fintech Districht - Pierguido Iezzi - SWASCANSWASCAN
 
IRJET- Testing Web Application using Vulnerability Scan
IRJET- Testing Web Application using Vulnerability ScanIRJET- Testing Web Application using Vulnerability Scan
IRJET- Testing Web Application using Vulnerability ScanIRJET Journal
 
IRJET - Heuristic Approach to Intrusion Detection System
IRJET - Heuristic Approach to Intrusion Detection SystemIRJET - Heuristic Approach to Intrusion Detection System
IRJET - Heuristic Approach to Intrusion Detection SystemIRJET Journal
 
Using Splunk for Information Security
Using Splunk for Information SecurityUsing Splunk for Information Security
Using Splunk for Information SecurityShannon Cuthbertson
 
SQL Injection - The Unknown Story
SQL Injection - The Unknown StorySQL Injection - The Unknown Story
SQL Injection - The Unknown StoryImperva
 
MALWARE DETECTION USING MACHINE LEARNING ALGORITHMS AND REVERSE ENGINEERING O...
MALWARE DETECTION USING MACHINE LEARNING ALGORITHMS AND REVERSE ENGINEERING O...MALWARE DETECTION USING MACHINE LEARNING ALGORITHMS AND REVERSE ENGINEERING O...
MALWARE DETECTION USING MACHINE LEARNING ALGORITHMS AND REVERSE ENGINEERING O...IJNSA Journal
 
IRJET- Phishing Website Detection based on Machine Learning
IRJET- Phishing Website Detection based on Machine LearningIRJET- Phishing Website Detection based on Machine Learning
IRJET- Phishing Website Detection based on Machine LearningIRJET Journal
 
Software Birthmark Based Theft/Similarity Comparisons of JavaScript Programs
Software Birthmark Based Theft/Similarity Comparisons of JavaScript ProgramsSoftware Birthmark Based Theft/Similarity Comparisons of JavaScript Programs
Software Birthmark Based Theft/Similarity Comparisons of JavaScript ProgramsSwati Patel
 
Splunk for palo_alto
Splunk for palo_altoSplunk for palo_alto
Splunk for palo_altoGreg Hanchin
 
Innovating Faster with Continuous Application Security
Innovating Faster with Continuous Application Security Innovating Faster with Continuous Application Security
Innovating Faster with Continuous Application Security Jeff Williams
 
Web Application Penetration Testing Introduction
Web Application Penetration Testing IntroductionWeb Application Penetration Testing Introduction
Web Application Penetration Testing Introductiongbud7
 
Malware Detection in Android Applications
Malware Detection in Android ApplicationsMalware Detection in Android Applications
Malware Detection in Android Applicationsijtsrd
 
AppSec EU 2016: Automated Mobile Application Security Assessment with MobSF
AppSec EU 2016: Automated Mobile Application Security Assessment with MobSFAppSec EU 2016: Automated Mobile Application Security Assessment with MobSF
AppSec EU 2016: Automated Mobile Application Security Assessment with MobSFAjin Abraham
 

What's hot (20)

IRJET- Android Malware Detection using Deep Learning
IRJET- Android Malware Detection using Deep LearningIRJET- Android Malware Detection using Deep Learning
IRJET- Android Malware Detection using Deep Learning
 
Meet the potnet - AboutAndroid | Malware Analysis Report
Meet the potnet - AboutAndroid | Malware Analysis ReportMeet the potnet - AboutAndroid | Malware Analysis Report
Meet the potnet - AboutAndroid | Malware Analysis Report
 
vulnerability scanning and reporting tool
vulnerability scanning and reporting toolvulnerability scanning and reporting tool
vulnerability scanning and reporting tool
 
Blackhat Europe 2009 - Detecting Certified Pre Owned Software
Blackhat Europe 2009 - Detecting Certified Pre Owned SoftwareBlackhat Europe 2009 - Detecting Certified Pre Owned Software
Blackhat Europe 2009 - Detecting Certified Pre Owned Software
 
Web Application Penetration Testing - 101
Web Application Penetration Testing - 101Web Application Penetration Testing - 101
Web Application Penetration Testing - 101
 
Evento - Fintech Districht - Pierguido Iezzi - SWASCAN
Evento - Fintech Districht - Pierguido Iezzi - SWASCANEvento - Fintech Districht - Pierguido Iezzi - SWASCAN
Evento - Fintech Districht - Pierguido Iezzi - SWASCAN
 
IRJET- Testing Web Application using Vulnerability Scan
IRJET- Testing Web Application using Vulnerability ScanIRJET- Testing Web Application using Vulnerability Scan
IRJET- Testing Web Application using Vulnerability Scan
 
IRJET - Heuristic Approach to Intrusion Detection System
IRJET - Heuristic Approach to Intrusion Detection SystemIRJET - Heuristic Approach to Intrusion Detection System
IRJET - Heuristic Approach to Intrusion Detection System
 
Aliens in Your Apps!
Aliens in Your Apps!Aliens in Your Apps!
Aliens in Your Apps!
 
Using Splunk for Information Security
Using Splunk for Information SecurityUsing Splunk for Information Security
Using Splunk for Information Security
 
SQL Injection - The Unknown Story
SQL Injection - The Unknown StorySQL Injection - The Unknown Story
SQL Injection - The Unknown Story
 
MALWARE DETECTION USING MACHINE LEARNING ALGORITHMS AND REVERSE ENGINEERING O...
MALWARE DETECTION USING MACHINE LEARNING ALGORITHMS AND REVERSE ENGINEERING O...MALWARE DETECTION USING MACHINE LEARNING ALGORITHMS AND REVERSE ENGINEERING O...
MALWARE DETECTION USING MACHINE LEARNING ALGORITHMS AND REVERSE ENGINEERING O...
 
IRJET- Phishing Website Detection based on Machine Learning
IRJET- Phishing Website Detection based on Machine LearningIRJET- Phishing Website Detection based on Machine Learning
IRJET- Phishing Website Detection based on Machine Learning
 
Software Birthmark Based Theft/Similarity Comparisons of JavaScript Programs
Software Birthmark Based Theft/Similarity Comparisons of JavaScript ProgramsSoftware Birthmark Based Theft/Similarity Comparisons of JavaScript Programs
Software Birthmark Based Theft/Similarity Comparisons of JavaScript Programs
 
Splunk for palo_alto
Splunk for palo_altoSplunk for palo_alto
Splunk for palo_alto
 
Innovating Faster with Continuous Application Security
Innovating Faster with Continuous Application Security Innovating Faster with Continuous Application Security
Innovating Faster with Continuous Application Security
 
Web Application Penetration Testing Introduction
Web Application Penetration Testing IntroductionWeb Application Penetration Testing Introduction
Web Application Penetration Testing Introduction
 
Mobile Apps Security Testing -3
Mobile Apps Security Testing -3Mobile Apps Security Testing -3
Mobile Apps Security Testing -3
 
Malware Detection in Android Applications
Malware Detection in Android ApplicationsMalware Detection in Android Applications
Malware Detection in Android Applications
 
AppSec EU 2016: Automated Mobile Application Security Assessment with MobSF
AppSec EU 2016: Automated Mobile Application Security Assessment with MobSFAppSec EU 2016: Automated Mobile Application Security Assessment with MobSF
AppSec EU 2016: Automated Mobile Application Security Assessment with MobSF
 

Similar to Analyzing the effectivess_and_coverage_of_web_app_scanners

Identifying Vulnerabilities Using Internet wide Scanning Data
Identifying Vulnerabilities Using Internet wide Scanning DataIdentifying Vulnerabilities Using Internet wide Scanning Data
Identifying Vulnerabilities Using Internet wide Scanning DataJamie O'Hare
 
apidays Australia 2023 - API Security Breach Analysis & Empowering Devs to M...
apidays Australia 2023 - API Security Breach Analysis & Empowering Devs to M...apidays Australia 2023 - API Security Breach Analysis & Empowering Devs to M...
apidays Australia 2023 - API Security Breach Analysis & Empowering Devs to M...apidays
 
Accuracy and time_costs_of_web_app_scanners
Accuracy and time_costs_of_web_app_scannersAccuracy and time_costs_of_web_app_scanners
Accuracy and time_costs_of_web_app_scannersLarry Suto
 
Analysis of web application penetration testing
Analysis of web application penetration testingAnalysis of web application penetration testing
Analysis of web application penetration testingEngr Md Yusuf Miah
 
website vulnerability scanner and reporter research paper
website vulnerability scanner and reporter research paperwebsite vulnerability scanner and reporter research paper
website vulnerability scanner and reporter research paperBhagyashri Chalakh
 
Outpost24 webinar - Api security
Outpost24 webinar - Api securityOutpost24 webinar - Api security
Outpost24 webinar - Api securityOutpost24
 
HP WebInspect
HP WebInspectHP WebInspect
HP WebInspectrohit_ta
 
Demand for Penetration Testing Services.docx
Demand for Penetration Testing Services.docxDemand for Penetration Testing Services.docx
Demand for Penetration Testing Services.docxAardwolf Security
 
Web Application Penetration Tests - Information Gathering Stage
Web Application Penetration Tests - Information Gathering StageWeb Application Penetration Tests - Information Gathering Stage
Web Application Penetration Tests - Information Gathering StageNetsparker
 
Top 10 Web Vulnerability Scanners
Top 10 Web Vulnerability ScannersTop 10 Web Vulnerability Scanners
Top 10 Web Vulnerability Scannerswensheng wei
 
apidays London 2023 - APIs: The Attack Surface That Connects Us All, Stefan M...
apidays London 2023 - APIs: The Attack Surface That Connects Us All, Stefan M...apidays London 2023 - APIs: The Attack Surface That Connects Us All, Stefan M...
apidays London 2023 - APIs: The Attack Surface That Connects Us All, Stefan M...apidays
 
IT Vulnerability & Tools Watch 2011
IT Vulnerability & Tools Watch 2011IT Vulnerability & Tools Watch 2011
IT Vulnerability & Tools Watch 2011WASecurity
 
Using the Google SafetyNet API for Banking & Finance
Using the Google SafetyNet API for Banking & FinanceUsing the Google SafetyNet API for Banking & Finance
Using the Google SafetyNet API for Banking & FinanceHitesh Sahu
 
Exposed! A case study on the vulnerability-proneness of Google Play Apps
Exposed! A case study on the vulnerability-proneness of Google Play AppsExposed! A case study on the vulnerability-proneness of Google Play Apps
Exposed! A case study on the vulnerability-proneness of Google Play AppsSebastiano Panichella
 
Continuous Application Security at Scale with IAST and RASP -- Transforming D...
Continuous Application Security at Scale with IAST and RASP -- Transforming D...Continuous Application Security at Scale with IAST and RASP -- Transforming D...
Continuous Application Security at Scale with IAST and RASP -- Transforming D...Jeff Williams
 
Best Practices For Automating APIs.docx
Best Practices For Automating APIs.docxBest Practices For Automating APIs.docx
Best Practices For Automating APIs.docxDanishMalik88
 
Semi-Automated Security Testing of Web applications
Semi-Automated Security Testing of Web applicationsSemi-Automated Security Testing of Web applications
Semi-Automated Security Testing of Web applicationsRam G Athreya
 

Similar to Analyzing the effectivess_and_coverage_of_web_app_scanners (20)

Identifying Vulnerabilities Using Internet wide Scanning Data
Identifying Vulnerabilities Using Internet wide Scanning DataIdentifying Vulnerabilities Using Internet wide Scanning Data
Identifying Vulnerabilities Using Internet wide Scanning Data
 
apidays Australia 2023 - API Security Breach Analysis & Empowering Devs to M...
apidays Australia 2023 - API Security Breach Analysis & Empowering Devs to M...apidays Australia 2023 - API Security Breach Analysis & Empowering Devs to M...
apidays Australia 2023 - API Security Breach Analysis & Empowering Devs to M...
 
Accuracy and time_costs_of_web_app_scanners
Accuracy and time_costs_of_web_app_scannersAccuracy and time_costs_of_web_app_scanners
Accuracy and time_costs_of_web_app_scanners
 
Analysis of web application penetration testing
Analysis of web application penetration testingAnalysis of web application penetration testing
Analysis of web application penetration testing
 
website vulnerability scanner and reporter research paper
website vulnerability scanner and reporter research paperwebsite vulnerability scanner and reporter research paper
website vulnerability scanner and reporter research paper
 
Outpost24 webinar - Api security
Outpost24 webinar - Api securityOutpost24 webinar - Api security
Outpost24 webinar - Api security
 
HP WebInspect
HP WebInspectHP WebInspect
HP WebInspect
 
Demand for Penetration Testing Services.docx
Demand for Penetration Testing Services.docxDemand for Penetration Testing Services.docx
Demand for Penetration Testing Services.docx
 
Effectiveness of AV in Detecting Web Application Backdoors
Effectiveness of AV in Detecting Web Application BackdoorsEffectiveness of AV in Detecting Web Application Backdoors
Effectiveness of AV in Detecting Web Application Backdoors
 
Web Application Penetration Tests - Information Gathering Stage
Web Application Penetration Tests - Information Gathering StageWeb Application Penetration Tests - Information Gathering Stage
Web Application Penetration Tests - Information Gathering Stage
 
Top 10 Web Vulnerability Scanners
Top 10 Web Vulnerability ScannersTop 10 Web Vulnerability Scanners
Top 10 Web Vulnerability Scanners
 
Types of Vulnerability Scanning An in depth investigation.pdf
Types of Vulnerability Scanning An in depth investigation.pdfTypes of Vulnerability Scanning An in depth investigation.pdf
Types of Vulnerability Scanning An in depth investigation.pdf
 
apidays London 2023 - APIs: The Attack Surface That Connects Us All, Stefan M...
apidays London 2023 - APIs: The Attack Surface That Connects Us All, Stefan M...apidays London 2023 - APIs: The Attack Surface That Connects Us All, Stefan M...
apidays London 2023 - APIs: The Attack Surface That Connects Us All, Stefan M...
 
IT Vulnerability & Tools Watch 2011
IT Vulnerability & Tools Watch 2011IT Vulnerability & Tools Watch 2011
IT Vulnerability & Tools Watch 2011
 
Using the Google SafetyNet API for Banking & Finance
Using the Google SafetyNet API for Banking & FinanceUsing the Google SafetyNet API for Banking & Finance
Using the Google SafetyNet API for Banking & Finance
 
Exposed! A case study on the vulnerability-proneness of Google Play Apps
Exposed! A case study on the vulnerability-proneness of Google Play AppsExposed! A case study on the vulnerability-proneness of Google Play Apps
Exposed! A case study on the vulnerability-proneness of Google Play Apps
 
Continuous Application Security at Scale with IAST and RASP -- Transforming D...
Continuous Application Security at Scale with IAST and RASP -- Transforming D...Continuous Application Security at Scale with IAST and RASP -- Transforming D...
Continuous Application Security at Scale with IAST and RASP -- Transforming D...
 
Best Practices For Automating APIs.docx
Best Practices For Automating APIs.docxBest Practices For Automating APIs.docx
Best Practices For Automating APIs.docx
 
B&W Netsparker overview
B&W Netsparker overviewB&W Netsparker overview
B&W Netsparker overview
 
Semi-Automated Security Testing of Web applications
Semi-Automated Security Testing of Web applicationsSemi-Automated Security Testing of Web applications
Semi-Automated Security Testing of Web applications
 

Recently uploaded

The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...Wes McKinney
 
Potential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsPotential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsRavi Sanghani
 
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better StrongerModern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better Strongerpanagenda
 
Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Farhan Tariq
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxLoriGlavin3
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotesMuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotesManik S Magar
 
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality AssuranceInflectra
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
Scale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterScale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterMydbops
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxLoriGlavin3
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfpanagenda
 
Generative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfGenerative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfIngrid Airi González
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfLoriGlavin3
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsNathaniel Shimoni
 
Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Hiroshi SHIBATA
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentPim van der Noll
 
Data governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationData governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationKnoldus Inc.
 
Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)Kaya Weers
 

Recently uploaded (20)

The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
 
Potential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsPotential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and Insights
 
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better StrongerModern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
 
Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotesMuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
 
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
Scale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterScale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL Router
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
 
Generative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfGenerative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdf
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdf
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directions
 
Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
 
Data governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationData governance with Unity Catalog Presentation
Data governance with Unity Catalog Presentation
 
Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)
 

Analyzing the effectivess_and_coverage_of_web_app_scanners

  • 1. Analyzing the Effectiveness and Coverage of Web Application Security Scanners By Larry Suto Application Security Consultant San Francisco October, 2007 Abstract This paper summarizes my study of web application scanners and attempt to quantify their effectiveness. This study utilizes a novel methodology I've developed to objectively test the three leading web application vulnerability assessment tools. So far as the author knows, this is the first publicly published study that statistically evaluates application coverage and vulnerability findings by these tools. The study centered around testing the effectiveness of the top three web application scanners in the following 4 areas. 1. Links crawled 2. Coverage of the applications tested using Fortify Tracer 3. Number of verified vulnerability findings 4. Number of false positives One of the most surprising result is the discrepancy in coverage and vulnerability findings between the three tools. Lesser known NTOSpider excelled in every category, and the vulnerability findings show AppScan missed 88% and WebInspect missed 95% of the legitimate vulnerabilities found by NTOSpider. Introduction Testing the capabilities of web application scanners is an ongoing challenge that can be approached in a number of ways; the challenge is to create an objective test that is precise and can be replicated. While previous studies have tested web vulnerability assessment tools, none has statistically tested coverage or vulnerability findings in a precise manner. In this paper I take an approach that allows the data to be quantifiable to distinguish effectiveness (in terms of finding vulnerabilities) between the scanning tools. To do this I employed Fortify's Tracer product which inserts its hooks into actual production J2EE applications to enable measuring the “application security coverage” and then running each of the three top commercial security scanners against the application. This allowed for actual analysis of how much of an application's code base was actually executed during a scan which enabled me to look at the scanners in a new and quantifiable way. Summary The full results of the testing are going to be analyzed in further detail later in the report, but I would like to start off with some of the conclusions first. When looking at the results there are a number of ways to look at the data. There are difficulties around analysis of the overall percentages of the "possible" surface/sink coverage because it is hard to determine what subset of the full list is applicable to what a web scanner is expected to test
  • 2. (excluding optional features not enabled, alternative database drivers, import/export data features, etc). For this reason, the numbers become unusable and I decided to remained focused on understanding the capabilities of the web application scanners against each other. I started by comparing the results of the scanners against each other in the first two categories. Its interesting to see that the number of links crawled does not always indicate that more of the applications code base is being executed. It is important that the scanner is able to crawl well, but wasting time on redundant inputs only adds to the crawled links, but does not increase coverage of the applications code base. In our tests, NT OBJECTives' NTOSpider product crawled the most links on average, and had the best coverage in all scans; SpiDynamic's WebInspect was able to crawl better than WatchFire's AppScan on one application, but AppScan did slightly better when I looked at the code base it executed. This means that WebInspect wasted time on redundant or otherwise unimportant links. For this study I focused on verifying the findings found by the scanners for accuracy. Again the lesser known NTOSpider from NT OBJECTives had the most findings, lower false positives and most usable reports to aid in remediation.
  • 3. Methods Methodology The basic idea of the Tracer tool is to place code into the application that will be able to analyze the web application scanner as it accesses security critical areas of the application. Code can be placed manually into the application source as it is built and turned on and off as testing takes place. This is more difficult and time consuming and requires access to the source code and thus the technique most often used is byte code injection which only requires access to the compiled byte code. Software that uses bytecode in its operation (Java/.Net) can leverage techniques that come from the code coverage world such as instrumentation(byte code injection) in which code is inserted during build time or at run time using a custom class loader. Instrumentation adds the new code to the compiled code and thus the source is not necessary. Tracer employs byte code inserted statically into the compiled application byte code. Testing Each scanner was run in default mode and not tuned in any capacity to the application. The importance of this lies in how effective the default mode so that scalability of scanning is not limited by manual intervention and setup procedures which can be very time consuming. Second, in most cases it is simply unrealistic to spend much time with many applications. Each scanner was provided a basic username and password similar to what a basic user would receive. There were issues logging into some of the applications but calls to technical support quickly solved these problems. The Tracer application was configured to monitor each web scanner as it executed its tests. After completing each test run, the results were saved and the monitoring tool was reset for the next scanner. All vulnerability findings were hand vetted to determine if they were true findings or false positives. Detailed Results The following section reports the results of the tests. The analysis for this study was focused on 1) determining how well the scanners covered security sensitive sections of code within an application under test, 2) number of true vulnerability findings and 3) number of false positives. This study did not hand vet the applications to determine if there were any false negatives beyond those in the set discovered by any tool. A set of security sensitive coverage categories were selected from the result set and the presented in the following tables:
  • 4. Closed Source - Internal Corporate Application Links Database Vuln False Scanner Web API Total API Crawled API Findings Positives NTOSpider 91 20 35 55 0 0 AppScan 113 17 24 41 0 0 WebInspect 91 17 23 40 0 0 Roller - Open Source Blogging platform Links Database Vuln False Scanner Web API Total API Crawled API Findings Positives NTOSpider 736 2 121 123 2 0 AppScan 129 1 98 99 0 5 WebInspect 663 1 68 69 1 10 OpenCMS - Open Source Customer Management application Links Database Vuln False Scanner Web API Total API Crawled API Findings Positives NTOSpider 3,380 47 158 205 225 0 AppScan 742 36 132 168 27 0 WebInspect 1,687 45 140 185 11 3 Totals Links Database Vuln False Scanner Web API Total API Crawled API Findings Positives NTOSpider 4,207 69 314 383 227 0 AppScan 984 54 254 308 27 5 WebInspect 2,441 63 231 294 12 13 The three applications chosen have increasing level of complexity and size. The three scanners all did a reasonable job on the smaller, first application. The second application resulted in some false positives for Appscan and WebInspect. The results for the last application are notable in that both AppScan and WebInspect severely underperformed NTOSpider in all three key areas of the test: 1) application coverage, 2) vulnerability findings and 3) avoidance of false positives. The fact that these results were most evident only in the most complex of these applications may indicate that for security groups to adequately test scanners, they need to use more complex applications. It is not surprising that smaller, less complex applications show less difference between the tools. One would expect fewer true findings and less complexity in crawling the applications. In the aggregate, NTOSpider crawled 328% more links than AppScan and 72% more links than WebInspect; NTOspider covered 24% more of the total APIs than AppScan and 30% more than WebInspect. NTOSpider found 227 total vulnerabilities versus 27 for AppScan and 12 for WebInspect. None of the findings by AppScan or WebInspect were missed by NTOSpider and
  • 5. AppScan missed 88% and WebInspect missed 95% of the legitimate vulnerabilities found by NTOSpider. NTOSpider had a 0% false positive rate. Appscan had 5 false positives and a 16% false positive rate. WebInspect had 12 false positives and a 52% false positive rate. The false positive findings were of interest because some appeared to be caused by custom 404 error handling routines in the web application, and some simply were based on faulty assumptions. In addition the areas that coverage tool reported as missed were analyzed to determine if there were any security critical sections and also to try and to determine whether it would actually be possible for http based requests to access that portion of the application. Conclusion The most surprising result is the discrepancy in the number of vulnerability findings between the three tools. AppScan and WebInpsect are market share leaders in the space and their companies were both recently purchased by large, sophisticated technology companies (AppScan by IBM and WebInspect by HP). While security professionals testing small, highly secure, simple applications may achieve acceptable results from AppScan and WebInpsect, these results indicate that they may have some concern with relying on the results of these tools for larger applications. The relatively large number of false positives, particularly for WebInspect, is also a matter of some concern. False positives can be difficult for all but the most experienced security professional to identify. If they are not identified, they can cause difficulties by weakening the credibility of the security team with application developers. Additionally, vetting false positives by hand, even by experienced security professionals is a very time intensive process that will increase the cost of the program. While WebInspect has certain tools to reduce false positives, it would appear that this remedy is not necessary if using NTOSpider (and to a lesser extent AppScan). In any case, training the tool to reduce false positives will need to be done by experienced personnel and will increase program costs. Biography Larry Suto is an independent consultant which has consulted for companies such as Wells Fargo, Pepsico, Kaiser Permanante, Charles Schwab and Cisco during his time with Strategic Data Command Inc. based in Oakland, CA. He specializes in enterprise security architecture, risk management, software quality analysis from a security perspective and RF security. Larry has been active in the industry for over ten years and has worked with many fortune 500 companies around the country. Recently his research has included introducing software testing and quality assurance techniques into the security engineering process in order to understand how the effectiveness of security tools and processes can be measured with more accurate and quantifiable metrics. Larry can be reached at larry.suto@gmail.com