CSI 2010: Improving web application security for free

Web-facing applications are the attack vector of choice for today’s hacker, as cybercriminals continue their flight from perimeter-based attacks. The TSYS information security consultant, who cited data that 60% of total attack attempts on the internet target applications, demonstrated during her CSI presentation that the abundance of open-source application security tools available on the web can complement those expensive web application scanners many organizations employ.

And the best part is that organizations can increase web application security without adding a penny to the budget. All it really requires is a bit of time and effort.

A great place to start, said Westphal, is with guidance docs put out by SANS and OWASP, as both organizations provide guidelines on common programming errors and application vulnerabilities.

But what the IT security consultant was really there to do was provide examples of some free, online penetration testing tools available to security pros. Westphal suggests using these tools, in addition to paid web application scanners, to help those responsible for security programs avoid the programming errors that lead to attacks such as cross-site scripting, cross-site request forgery, and SQL injection.

While it may not be security’s job to fix the vulnerabilities, any comprehensive program should include testing for them, said Westphal. “Once we find this stuff, we want to hand it over to the application developers.”

All the tools Westphal suggested were free, but they also go further than commercially available scanners. “If you talk to any application pen tester who does this for a living, they will tell you your scanner is not going to tell you everything”, she claimed.

Before using the testing tools she recommends, Westphal said one of the rather low-tech ways to help understand programming errors is mapping a simple flow chart illustration of the application’s behavior. What it shows you, and what a web scanner cannot, is the logic built into the application.

“Flow charting will help you to understand the different components”, she affirmed. “It will help you understand what direction you are going in, because a lot of these tools are manual.” This, she added, will help you understand scanning results more easily.

Some of the free, open-source web application testers Westphal suggested include:

She added that open-source scanning tools, which do contain some bugs, should be used within a development environment whenever possible to avoid disruption of services. “People don’t like it when you take production applications down while scanning”, Westphal warned.

The other problem with the open-source tools, said Westphal, is that they tend to crash often. This is why multiple scanners should be employed: not only to mitigate this reality, but also because different scanners tend to find different vulnerabilities.
