This is an archive post from the Netsparker (now Invicti) blog. Please note that the content may not reflect current product names and features in the Invicti offering.
For those doing business in the 21st century, automation is the name of the game. It applies to more general areas of business such as manufacturing and inventory control but it also applies to more technical areas of IT such as web application security. Anytime a business process is not automated, it costs more time, effort, and money – resources that cannot be squandered.
When people are involved in accomplishing business tasks, especially skilled labour in the case of web application security and penetration testing, it creates a considerable burden on everyone. Looking at web vulnerability testing, many resources are required during:
- Project scoping
- Information gathering
- Scanning for web application vulnerabilities
- Vulnerability identification and validation
In any given organization these factors typically involve numerous people: developers, QA analysts, project managers, network administrators, web application developers, information security managements, auditors, and management. Even third-party vendors are often pulled into web security assessment projects. With this many highly-paid staff members working toward a common goal, every business has to automate as much as possible to avoid confusion and expensive bills.
The question becomes: Why? Why is automation important? Every situation is different but there are some commonalities. For starters, you run the risk of duplicated efforts when redundant tests are performed. When you have numerous complex web applications as most of today's online businesses do, this can add up to a considerable amount of unnecessary work. Another issue that management doesn't fully understand is that there's not enough knowledge or time to perform manual web vulnerability testing on all web applications all the time. No one is that smart much less that good at time and project management. If web application security testing is not automated using a proven automated web application security scanner that can test for thousands of potential security flaws, some if not all of the serious web application vulnerabilities can be overlooked. Web security testing goes from being a seemingly benign IT project to a serious business liability.
For example, imagine a custom made web based enterprise resource planning (ERP) system. Such system would have hundreds, if not thousands of visible entry points or attack surfaces and many other "under the hood" that need to be checked for web application vulnerabilities such as SQL injection and cross-site scripting.
Using real life numbers, imagine the ERP system has 200 entry points that need to be checked against 100 different web application vulnerability variants. That means that the penetration tester needs to launch at least 20,000 security tests. If every test had to take just 5 minutes to complete, it would take a web security specialist around 208 business days to complete a proper web application security audit of an ERP system.
An automated web application security scanner such as Netsparker can scan a much bigger custom ERP systems against a much bigger number of web application vulnerability variants in a matter of hours. And unlike a human, an automated security scanner will not forget to scan an input parameter or get bored while trying different variations of a particular attack.
When doing a manual web application security test, you are also restricting the penetration to a number of known vulnerabilities known to the penetration tester. On the other hand, when using an automated web vulnerability scanner such as Netsparker you are making sure that all parameters are being checked against all type of web application security variants. By using Netsparker you are also ensuring that no false positives are reported in the web application security scan results, therefore you do not need to allocate time to validating detected vulnerabilities.
Underscoring the importance of vulnerability testing automation are the popular information security studies. Year after year this research points to the same underlying causes of information risks such as insufficient resources, lack of visibility, and uninformed management. Each of these elements can be addressed by automating security testing processes.
There's no perfect way to test for web security vulnerabilities. However, one thing is for sure: going about it manually and relying on staff expertise alone can be an exercise in futility that you cannot afford to take on because it might cost your business a lot of money and some web application vulnerabilities might go undetected. Do what's best for your business and integrate automation into the web vulnerability testing discussion and into web applications software development life cycle. When using an automated web application security scanner you find more and better vulnerabilities.
There are issues where automation will not help you and manual testing needs to take place, but you don't want your security team to check an input for 100 different possible issues one HTTP request at a time or by trying to analyze the output of a fuzzer. Free your team members' time so they can focus their efforts to the tasks that actually will benefit from their expertise.
Your Information will be kept private.