Friday 18 May 2012

Don't Just Scan!

Application security testing should be process driven, not scan driven. Running a scanner and relying on its results to identify security flaws is not a comprehensive way of testing an application. There is no denying that scanners are helpful: they find a wide variety of the vulnerabilities present in an application. But in reality many issues are left untouched by scanners. Hence, a testing methodology that depends solely on scanners is probably incomplete.

Scanners check only for a defined set of vulnerabilities, the same for all kinds of applications, and do not tailor their scans to the application type. They understand neither the business process of the application nor its architecture or design, so they are incapable of threat modeling an application. For these reasons, security flaws related to the business logic of an application are mostly missed by scanners.

Some such flaws include:
  • Understanding the role-based access required by the different features of the application and pointing out violations of it
  • Pointing out instances where a business rule tied to a feature is not enforced, wherever applicable (e.g. the transaction limit for funds transfer)
  • Identifying all the crucial parameters in the application that can be altered to gain access to data and functions the user is not authorized for
...and many more.
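As an added example (not from the original post, and not describing any particular product or scanner), here is a small Python model of a funds-transfer feature together with the kind of business-logic checks listed above: role-based access per feature, a per-transaction limit, and server-side validation of a client-controlled account parameter. The service, its roles, the limit and the sample accounts are all assumptions made for illustration; the point is that each check has to be written from knowledge of the application's own rules, which is exactly what a generic scan cannot supply.

```python
# Constructed example: a toy funds-transfer service with role-based access and a
# per-transaction limit, plus checks that encode the application's own rules.
from dataclasses import dataclass

TRANSFER_LIMIT = 10_000  # assumed per-transaction limit (a business rule)
ROLE_PERMISSIONS = {     # assumed mapping of roles to application features
    "customer": {"view_own_account", "transfer"},
    "teller": {"view_own_account", "view_any_account", "transfer"},
    "auditor": {"view_any_account"},
}

@dataclass
class User:
    user_id: str
    role: str

@dataclass
class Account:
    account_id: str
    owner_id: str
    balance: int

class AccessDenied(Exception): pass
class RuleViolation(Exception): pass

class BankService:
    def __init__(self, accounts):
        self.accounts = {a.account_id: a for a in accounts}

    def _require(self, user, permission):
        if permission not in ROLE_PERMISSIONS.get(user.role, set()):
            raise AccessDenied(f"role {user.role} may not {permission}")

    def view_account(self, user, account_id):
        acct = self.accounts[account_id]
        # Reading your own account needs the basic permission; any other
        # account needs the privileged one.
        self._require(user, "view_own_account" if acct.owner_id == user.user_id
                      else "view_any_account")
        return acct.balance

    def transfer(self, user, src_id, dst_id, amount):
        self._require(user, "transfer")
        src, dst = self.accounts[src_id], self.accounts[dst_id]
        # src_id is a client-supplied parameter, so ownership is checked
        # server-side rather than trusted from the request.
        if user.role == "customer" and src.owner_id != user.user_id:
            raise AccessDenied("cannot transfer from an account you do not own")
        if amount <= 0:
            raise RuleViolation("amount must be positive")
        if amount > TRANSFER_LIMIT:
            raise RuleViolation(f"amount exceeds the limit of {TRANSFER_LIMIT}")
        if amount > src.balance:
            raise RuleViolation("insufficient funds")
        src.balance -= amount
        dst.balance += amount
        return src.balance

def make_service():
    return BankService([Account("A1", "alice", 50_000),   # constructed sample
                        Account("B1", "bob", 1_000)])      # accounts

# Each check below needs knowledge of the application's rules that a generic
# scanner payload cannot supply; each returns True when the control holds.
def check_role_enforcement():
    """An auditor may read any account but must not be able to transfer."""
    svc, auditor = make_service(), User("carol", "auditor")
    if svc.view_account(auditor, "A1") != 50_000:
        return False
    try:
        svc.transfer(auditor, "A1", "B1", 100)
    except AccessDenied:
        return True
    return False

def check_parameter_tampering():
    """A customer submits another customer's account id as the source."""
    svc, bob = make_service(), User("bob", "customer")
    try:
        svc.transfer(bob, "A1", "B1", 100)  # tampered src_id
    except AccessDenied:
        return svc.accounts["A1"].balance == 50_000  # nothing moved
    return False

def check_transaction_limit():
    """Funds are available, but the per-transaction limit must still hold."""
    svc, alice = make_service(), User("alice", "customer")
    try:
        svc.transfer(alice, "A1", "B1", TRANSFER_LIMIT + 1)
    except RuleViolation:
        # A transfer at exactly the limit is allowed
        return svc.transfer(alice, "A1", "B1", TRANSFER_LIMIT) == 40_000
    return False

def run_all():
    return {c.__name__: c() for c in
            (check_role_enforcement, check_parameter_tampering, check_transaction_limit)}

if __name__ == "__main__":
    print(run_all())
```

Note that none of these checks is a payload: each one is a normal, well-formed request issued by the wrong role, against the wrong account, or for the wrong amount. That is why they only come out of understanding the feature, and why they belong in the manual part of a testing methodology rather than in a generic scan.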

What scanners follow is a standard test pattern, generally based on sending a predefined set of attack vectors into the various input fields of the application and analyzing the responses. Such scans not only miss application-specific cases; they are also incapable of recognizing an existing security control in the application and modifying their attack vectors accordingly in an attempt to bypass it.

So we can conclude that by just running scans on an application we would miss out on:
  • Application feature and platform related security flaws
  • Determining the correctness of the existing security controls (if any)

There are many good application security scanners available today that cover most of the well-known application security vulnerabilities. However, the point I want to make here is that just running scanners is not enough. A security testing methodology must be capable of understanding the application and uncovering all kinds of security flaws in it, even ones related to its business logic, rules and processes.

Organizations must have a well-defined application security testing methodology that includes both automated and manual analysis. Security scanners should be used to speed up security testing and as an aid in finding all instances of the generic vulnerabilities present in the application, whereas manual effort can go into verifying the scan results and examining the security areas untouched by scanners, the ones that require a business sense of the application.

So, let’s make our application security process comprehensive not by just scanning the application but by following a good application security methodology, at least until scanners mature enough to handle even application feature specific scenarios…
