Michael Piekarski | September 9, 2020
Vulnerability scanning is something all organizations should be looking into, if they’re not doing it already. Scanning inside and outside the network can help you identify misconfigurations, cyber security gaps or potentially even regulatory shortcomings. The key is to make these scans a habit. After all, just because you’re secure today doesn’t necessarily mean you’ll be secure tomorrow. For example, you could implement a patch and then, before you know it, a hacker will already have found a new workaround. If you’re doing vulnerability scans and you’re doing them regularly, you’re on the right track. However, stopping there still leaves an important part of your environment exposed.
Vulnerability scanners work at the network level. They interrogate every port they can reach, checking whether it is open and gathering details such as its configuration, the operating system and so on. Where they struggle, however, is when they encounter a web app. Many enterprise vulnerability scanning platforms offer some level of web application scanning, but it tends to be very limited: the in-depth probing they do elsewhere on the network simply isn't possible against a web app, leaving an attack vector mostly untested. The situation is made worse by the fact that the mere presence of a web application plugin or option tends to create a false sense of security.
The best way to address these shortcomings and close that gap is with a dedicated web app vulnerability scanner.
Web apps have become essential, but are they secure?
Web apps, websites – they're all built on their own language (popular options include .NET, Node.js, Python and so on). Standard vulnerability scanners don't speak that language, but web app vulnerability scanners do. They're able to engage with the application itself and perform the deep dive that standard vulnerability scanners can't manage.
So, how exactly do they engage with, say, a company's website? A web app scanner will start by indexing all possible URLs associated with a site, leaning on naming conventions and established patterns to create a detailed site map. Next, it will crawl through each of those pages, interacting with every component, including stored files, utilities, CSS code, etc. So if, for example, a website has a search bar, the web app scanner will interact with it to make sure it's secure. It will do the same for all of a site's possible input fields, again looking for details like version number, platform type and so on. As it goes along, it can highlight any causes for concern, feeding that information back to admins, who can then address vulnerabilities as they see fit.
And then there are custom web apps. Not to knock the work done by independent app dev teams, but the code in a custom or home-brewed app doesn't go through nearly as rigorous a testing process as something like Microsoft's SQL Server does. Maybe the initial code used to build the app was a little rushed due to a tight deadline. Or, even if it was spotless when first created, security gaps may have opened as time passed. A lack of ongoing updates leaves custom apps at greater risk of attack. It's another area where a web app vulnerability scanner can help mitigate risk.
A web app scanner can authenticate into an app using a variety of roles and permissions in order to compose a comprehensive picture of the tool’s security. Under the guise of these different roles, the scanner can interrogate functions, both in the custom code as well as on the underlying platform upon which the app was constructed. Web app scanners can also check package and dependency versions and internal app logic itself. This level of insight can be applied towards custom APIs, like REST or SOAP.
Scanners can also gauge a web app's level of security by replicating some of the exploit methods favored by criminals, such as SQL injection or remote code execution. A scanner can use these approaches to simulate an attack and monitor how the app responds. It's important to tune these tests properly so that no real damage is inflicted during the simulated attack.
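As an added illustration of the crawl-and-map step described above and of the tuning point just made (example code written for this post, not code from the original article or from any scanner product), the following Python sketch crawls a constructed in-memory stand-in for a site, records the forms and input fields it finds on each page, keeps banner headers as version/platform hints, and flags state-changing forms so that the probes run against them can be tuned to avoid real damage. The SITE pages, URLs and headers are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed in-memory stand-in for a site: URL -> (response headers, HTML body).
SITE = {
    "https://app.example/": ({"Server": "nginx/1.18.0"},
        '<a href="/search">Search</a> <a href="/admin">Admin</a>'
        '<a href="https://cdn.other.example/lib.js">cdn</a>'),
    "https://app.example/search": ({"X-Powered-By": "Express"},
        '<form action="/search" method="get"><input name="q"></form><a href="/">Home</a>'),
    "https://app.example/admin": ({},
        '<form action="/admin/delete" method="post"><input name="id">'
        '<input type="hidden" name="csrf" value="t"></form>'),
}

class PageParser(HTMLParser):
    def __init__(self, base):
        super().__init__()
        self.base, self.links, self.forms, self._form = base, [], [], None
    def handle_starttag(self, tag, attrs):  # also called for void tags like <input>
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.append(urljoin(self.base, a["href"]))
        elif tag == "form":
            self._form = {"action": urljoin(self.base, a.get("action") or ""),
                          "method": (a.get("method") or "get").lower(), "inputs": []}
        elif tag in ("input", "textarea", "select") and self._form and a.get("name"):
            self._form["inputs"].append(a["name"])
    def handle_endtag(self, tag):
        if tag == "form" and self._form:
            self.forms.append(self._form)
            self._form = None

def crawl(start, fetch):
    """Breadth-first crawl restricted to one origin; returns the site map."""
    origin, seen, queue, site_map = urlparse(start).netloc, set(), [start], {}
    while queue:
        url = queue.pop(0)
        if url in seen or urlparse(url).netloc != origin:
            continue  # already visited, or off-origin (CDNs etc.) and out of scope
        seen.add(url)
        headers, body = fetch(url)
        parser = PageParser(url)
        parser.feed(body)
        site_map[url] = {"forms": parser.forms,  # banner headers give version/platform hints
                         "fingerprint": {k: v for k, v in headers.items() if k in ("Server", "X-Powered-By")}}
        queue.extend(parser.links)
    return site_map

def attack_surface(site_map):
    """(action, method, field, state_changing) per input; non-GET forms are flagged for careful tuning."""
    return sorted((f["action"], f["method"], name, f["method"] != "get")
                  for page in site_map.values() for f in page["forms"] for name in f["inputs"])
```

Run with `crawl("https://app.example/", lambda u: SITE.get(u, ({}, "")))`; a real scanner would replace the lambda with an HTTP client and the in-memory SITE with live responses.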
Taking vulnerability scanning beyond the network
Vulnerability scanning is an important part of good cyber security. Some organizations believe network scanning alone is enough and stop there. That confidence can vanish quickly if an attacker gets into their website or a key web app. Depending on how the network is structured and where the compromised application lives, that initial breach might be only step one in a much bigger attack.
Arraya Solutions can help your organization implement and manage a comprehensive vulnerability scanning program, one that covers your network as well as web apps. My team can also help you remediate any vulnerabilities surfaced by these scans. Reach out to us today to learn more: https://www.arrayasolutions.com/contact-us/.