Web Application Security
Enterprise-class web application scanning solutions are broader, and should include a wide range of tests for major web application vulnerability classes, such as SQL injection, cross-site scripting, and directory traversals. An enterprise solution should also be capable of scanning multiple applications, tracking results over time, providing robust reporting (especially compliance reports), and providing reports customized for local requirements.
Building a Web Application Security Program Whitepaper
Web applications have become the Achilles heel of IT security. Web application vulnerabilities are now the most prevalent class, accounting for more than 55 percent of all server vulnerability disclosures. This figure does not include vulnerabilities in custom-developed web applications, so it may be just the "tip of the iceberg," according to IBM's analysis.
Vulnerabilities in web applications may take any of two dozen forms. Many attacks use fault injection, which exploits vulnerabilities in a web application's syntax and semantics. In simple terms, an attacker manipulates data in a web page Uniform Resource Locator (URL) link to force an exploitable malfunction in the application. The two most common varieties are SQL Injection and Cross-site Scripting. The outcome often gives an attacker control over the application and easy access to the server, database, and other back-end IT resources.
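To make the "syntax and semantics" point concrete, here is an added illustration (not from the whitepaper or from Qualys) of a URL query parameter reaching a SQL query and an HTML page, first as the vulnerable pattern and then hardened; the `products` table, its rows and the `shop.example` URLs are constructed for the example.

```python
import sqlite3
from html import escape
from urllib.parse import parse_qs, urlparse


def setup_db():
    """Constructed sample data: a small product table with one non-public row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER, name TEXT, public INTEGER)")
    conn.executemany(
        "INSERT INTO products VALUES (?, ?, ?)",
        [(1, "Widget", 1), (2, "Gadget", 1), (3, "Internal SKU", 0)],
    )
    return conn


def param_from_url(url, name):
    """Return the first value of one query-string parameter (decoded, '+' -> space)."""
    return parse_qs(urlparse(url).query).get(name, [""])[0]


def lookup_vulnerable(conn, name):
    # The parameter is spliced into the SQL text, so a quote in the value
    # changes the query's syntax and the WHERE clause's meaning (fault injection).
    sql = f"SELECT name FROM products WHERE public = 1 AND name = '{name}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_hardened(conn, name):
    # Bound parameters keep the value as data; the query shape cannot change.
    sql = "SELECT name FROM products WHERE public = 1 AND name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def render_vulnerable(name):
    # Reflecting the raw parameter lets markup in the URL become page markup (XSS).
    return f"<p>Results for {name}</p>"


def render_hardened(name):
    # HTML-encoding for the output context turns markup characters into inert text.
    return f"<p>Results for {escape(name)}</p>"


if __name__ == "__main__":
    db = setup_db()
    q = param_from_url("https://shop.example/search?q=x'+OR+'1'='1", "q")
    print("vulnerable:", lookup_vulnerable(db, q))  # every row, including non-public
    print("hardened:  ", lookup_hardened(db, q))    # no row has that literal name
```

The hardened lookup returns nothing for the manipulated value because the quote characters never reach the SQL parser, while the encoded render shows the markup as text instead of executing it.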
Countermeasures for Securing Web Applications
Web application vulnerabilities are often outside the traditional expertise of network managers. Their built-in obscurity helps evade traditional network defenses — unless an organization takes deliberate countermeasures. Unfortunately, there is no "silver bullet" for detection. As with network security, the best strategy is a multi-layer approach. Detection and remediation may require source code analysis. Detecting other vulnerabilities may require on-site penetration testing.
The good news is that the most prevalent web application vulnerabilities can be detected with an automated scanner. Scanning web applications supplements and complements manual testing by performing likely attacks against target applications. Automated scanning can provide many benefits:
- Lowers total cost of operations by automating repeatable testing processes.
- Identifies vulnerabilities of syntax and semantics in custom web applications.
- Performs authenticated crawling.
- Profiles the target application.
- Ensures accuracy by effective reduction of false positives and false negatives.
How Qualys Helps You Secure Web Applications
QualysGuard® Web Application Scanning (WAS) is an automated web-based service that enables organizations to assess, track and remediate web application vulnerabilities. The use of QualysGuard WAS presumes no specialized knowledge of web application security. The service allows you to execute comprehensive, accurate vulnerability scans on custom web applications such as shopping carts, forms, login pages, and other types of dynamic content. Delivered on demand, the service allows you to:
- Crawl web applications.
- Identify cross-site scripting and SQL injection vulnerabilities.
- Detect sensitive content in HTML based on user settings.
- Conduct authenticated and non-authenticated scanning.
QualysGuard WAS automates techniques used to identify most web vulnerabilities and delivers a broad scope of coverage for testing web application vulnerabilities such as those in the OWASP Top 10 and WASC-TC, including SQL injection, cross-site scripting, and web site misconfigurations. The WAS scanning engine combines pattern recognition and observed behaviors to accurately identify and verify vulnerabilities.
QualysGuard WAS draws upon the same highly accurate scanning infrastructure and technology as Qualys' flagship solution QualysGuard. Users can manage the security of web applications, launch scans, and generate reports using the familiar QualysGuard user interface. Insightful, easy-to-grasp reports provide both business and technical managers with an instant snapshot of the status of web application security. The pre-built and fully customizable reporting capabilities provide straightforward substantiation of security and compliance levels, and serve as documentation for internal auditing teams and external regulators.
And because QualysGuard WAS is delivered via software-as-a-service, it allows you to achieve these benefits at a fraction of the cost associated with traditional software and manual solutions.