Application security testing should be process driven, not scan driven. Running a scanner and relying on its results to identify security flaws is not a comprehensive way of testing an application. There is no denying that scanners are helpful: they find a wide variety of vulnerabilities in an application quickly. But in reality many issues are left untouched by scanners, so an application testing methodology that depends solely on scanners is almost certainly incomplete.
Scanners check for a defined set of vulnerabilities in the same way for all kinds of applications and do not tailor their scans to the application type. They understand neither the business process of the application nor its architecture or design, so they are incapable of threat modeling it. For these reasons, security flaws in the business logic of an application are mostly missed by scanners.
Some such flaws include:
- Understanding the role-based access each feature of the application requires, and pointing out violations of it
- Pointing out where business rules tied to particular features are not enforced, wherever applicable, e.g. the transaction limit for a funds transfer
- Identifying every parameter in the application that can be altered to gain access to data and functions the user is not authorized for
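To make the three flaws above concrete, here is an added example (it is not code from the post or from any real application): a funds-transfer handler that rejects every generic scanner payload cleanly, yet lets a customer move money out of someone else's account and ignores the per-role transaction limit, beside a hardened version that enforces ownership and the limit on the server. The accounts, roles, limit values and session object are all constructed for illustration; `business_logic_tests` is the kind of case list a manual tester with business sense of the application would write.

```python
"""Added example: business-logic flaws a payload scanner does not detect.
All account data, roles and limits below are constructed for illustration."""
import copy
from dataclasses import dataclass

ROLE_CUSTOMER = "customer"
ROLE_TELLER = "teller"

# Assumed business rule: per-transaction limit by role (constructed, not a real policy).
TRANSFER_LIMIT = {ROLE_CUSTOMER: 5_000, ROLE_TELLER: 50_000}

# Constructed ledger: account id -> owner and balance.
LEDGER = {
    "ACC-1001": {"owner": "alice", "balance": 10_000},
    "ACC-2002": {"owner": "bob", "balance": 20_000},
}


@dataclass
class Session:
    user: str   # authenticated user (hypothetical session object)
    role: str


class TransferError(Exception):
    pass


def _validate(ledger, from_acct, to_acct, amount):
    """Shared input handling: well-typed input means attack strings fail cleanly."""
    amount = int(amount)                      # SQLi / XSS payloads raise ValueError here
    if amount <= 0:
        raise TransferError("amount must be positive")
    if from_acct not in ledger or to_acct not in ledger:
        raise TransferError("unknown account")
    return amount


def transfer_insecure(ledger, session, from_acct, to_acct, amount):
    """Flawed handler: nothing ties from_acct to the caller or enforces the role limit."""
    amount = _validate(ledger, from_acct, to_acct, amount)
    if ledger[from_acct]["balance"] < amount:
        raise TransferError("insufficient funds")
    ledger[from_acct]["balance"] -= amount    # any caller can debit any account
    ledger[to_acct]["balance"] += amount
    return "ok"


def transfer_secure(ledger, session, from_acct, to_acct, amount):
    """Hardened handler: same input handling plus the server-side business checks."""
    amount = _validate(ledger, from_acct, to_acct, amount)
    # Parameter-tampering check: the source account must belong to the session user.
    if ledger[from_acct]["owner"] != session.user:
        raise TransferError("forbidden: not the account owner")
    # Business rule: enforce the role's limit on the server, never only in the client.
    if amount > TRANSFER_LIMIT.get(session.role, 0):
        raise TransferError("limit exceeded for role %s" % session.role)
    if ledger[from_acct]["balance"] < amount:
        raise TransferError("insufficient funds")
    ledger[from_acct]["balance"] -= amount
    ledger[to_acct]["balance"] += amount
    return "ok"


def scanner_probe(handler):
    """Scanner-style test: generic payloads in the amount field. Both handlers
    reject all of them, which is why a scan alone reports the endpoint as clean."""
    payloads = ["' OR 1=1--", "<script>alert(1)</script>", "-100"]
    rejected = 0
    for p in payloads:
        try:
            handler(copy.deepcopy(LEDGER), Session("bob", ROLE_CUSTOMER),
                    "ACC-2002", "ACC-1001", p)
        except (ValueError, TransferError):
            rejected += 1
    return rejected == len(payloads)


def business_logic_tests(handler):
    """Manual-tester cases for the flaws listed above; returns which ones were blocked."""
    bob = Session("bob", ROLE_CUSTOMER)
    cases = {
        "legitimate": ("ACC-2002", "ACC-1001", 100),       # must be allowed
        "foreign_account": ("ACC-1001", "ACC-2002", 100),  # bob names alice's account
        "over_limit": ("ACC-2002", "ACC-1001", 6_000),     # above the customer limit
    }
    blocked = {}
    for name, (src, dst, amt) in cases.items():
        try:
            handler(copy.deepcopy(LEDGER), bob, src, dst, amt)
            blocked[name] = False
        except TransferError:
            blocked[name] = True
    return blocked


if __name__ == "__main__":
    for h in (transfer_insecure, transfer_secure):
        print(h.__name__, "scanner clean:", scanner_probe(h),
              "blocked:", business_logic_tests(h))
```

Both handlers come out "clean" under `scanner_probe`; only `business_logic_tests` separates them, because the tester has to know who `bob` is, which account he owns and what his role is allowed to do. That knowledge is exactly what a generic scan lacks.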
What scanners follow is a standard test pattern, which generally consists of sending a predefined set of attack vectors into the application's various input fields and analyzing the responses. Such scans not only miss application-specific cases, they are also unable to recognize an existing security control in the application and adapt their attack vectors to attempt to bypass it.
So we can conclude that by just running scans against an application we would miss out on:
- Application feature and platform related security flaws
- Determining the correctness of the existing security controls (if any)
There are many good application security scanners available today that look for most of the well-known application security vulnerabilities. However, the point I want to make here is that just running scanners is not enough. A security testing methodology must be capable of understanding the application and uncovering all kinds of security flaws in it, including ones related to its business logic, rules and processes.
Organizations must have a well-defined application security testing methodology that includes both automated and manual analysis. Security scanners should be used to speed up security testing and as an aid for finding all the vulnerable instances of the generic vulnerabilities present in the application, while manual effort goes into verifying the scan results and looking at the security areas untouched by scanners, the ones that require business sense of the application.
So let's make our application security process comprehensive, not by just scanning the application but by following a good application security methodology. At least until scanners become mature enough to handle application feature specific scenarios...