Web Application Security Testing White Paper
1. Web Applications: An attractive target for hackers
How do you effectively protect web applications from hackers? Your organisation relies on mission-critical business applications that contain sensitive information about customers, business processes and corporate data. Moving away from proprietary client/server applications to web applications gives you a simpler, cost-effective, highly scalable delivery platform. These applications are more than a valuable tool to power your business operations; they are also a valuable and vulnerable target for attackers.
Web applications are increasingly the preferred targets of cyber-criminals looking to profit from identity theft, fraud, corporate espionage, and other illegal activities. The impact of an attack can be significant, and includes:
• Costly and awkward service disruptions
• Down-time
• Lost productivity
• Stolen data
• Regulatory fines
• Angry users
• Irate customers
In addition to protecting the corporate brand, federal and state legislation and industry regulations are now requiring web applications to be better protected.
As you take action to protect web applications in a timely and effective manner, you must balance the need for security with availability, performance and cost-effectiveness. Protecting web applications requires both zero-day protection and rapid response with minimum impact on operations, without degrading performance or changing system architectures.
2. Web applications are increasingly vulnerable
Rapid growth leads to emerging problems
The number of corporate web applications has grown exponentially and most organisations are continuing to add new applications to their operations. With this rapid growth come common security challenges driven by complexity and inconsistency. New awareness of web application vulnerabilities, thanks to organisations such as the Open Web Application Security Project (OWASP), has helped organisations make application security a priority. But according to a June 2006 study (www.symantec.com/about/news/release/article.jsp?prid=20060919_01), while 70 percent of software developers indicated that their employers stress the importance of application security, only 29 percent stated that security was always part of the development process.
Overlooked online application vulnerabilities
Unfortunately, it is not just application flaws that are leaving systems vulnerable. In addition to application issues, every web application relies on a large stack of commercial and custom software components. The operating system, web server, database and all the other critical components of this application stack have vulnerabilities that are regularly being discovered and communicated to friend and foe alike. It is these vulnerabilities that most organisations overlook when they're considering web application security.
As new vulnerabilities are found, patches become a critical part of managing application security. The process of patch management is complex and hard to do successfully. Even the most proactive IT team must often reassign critical resources to deploy urgent patches, disrupting normal operations. The time required to patch responsibly lengthens the window of time a hacker has to exploit a specific vulnerability. With thousands of vulnerabilities and patches being announced each year, the problem continues to grow. Even organisations with the most efficient patching processes in place can't rely on this alone to protect them from attacks targeting web application vulnerabilities.
Hackers look for the path of least resistance
Today's sophisticated attackers target corporate information for financial and political gain. They know they can more easily exploit vulnerabilities in web application stacks than overcome well-built web and perimeter security. Hackers have a countless number of exploitation techniques to use, including:
• SQL Injection
• Cross Site Scripting
• Buffer Overflow
• Denial of Service
The number of application vulnerabilities in commercial and open source applications is growing at an alarming pace; anywhere from 200 to 400 new vulnerabilities are identified every month.
According to zone-h.org, 45% of attacks make use of vulnerabilities rather than configuration issues or brute force. Attackers are working hard to find and exploit new vulnerabilities in web applications faster than they can be patched. The window of time, from when a hacker identifies a vulnerability to when it is communicated and eventually patched, makes a fast-response defence strategy critical to prevent a potentially damaging intrusion.
3. Required: A remote online web application security-testing service
Web applications are increasingly vulnerable, and protecting them requires a system that can:
• Ensure compliance today
• Meet the evolving demands of an organisation for tomorrow
• Respond quickly
To meet this challenge, the optimal solution should find these vulnerabilities as they are seen from the hacker's point of view. Therefore a remote online web application security testing service will best address those needs.
A web application security scan should uncover exposure to these attacks:
• SQL Injection
• Blind SQL Injection
• Installation Path Disclosure
• .Net Exception
• Command Execution
• PHP Code Injection
• Xpath Injection
• CRLF Injection
• Directory Traversal
• Script Language Error
• URL Redirection
• Remote File Inclusion
• LDAP Injection
• Cookie Manipulation
• Source Code Disclosure
• Cross-Site Scripting
• Cross-Frame Scripting
The security scan must test for vulnerabilities in a broad assortment of website components:
• Web Servers
• Web Server Technologies
• HTTP Methods
• Backup Files
• Directory Enumeration
• Directory Indexing
• Directory Access
• Directory Permissions
• Sensitive/Common Files
• Third Party Application
The online web application security service must:
• Remotely crawl the entire website.
• Analyse each file.
• List the vulnerabilities found along with the severity level of each vulnerability.
• Launch a series of web attacks to detect security weaknesses.
• Include the option to make a tailor-made attack.
• Be able to adapt to any web site configuration.
• Produce dynamic tests, which will generate relevant reports of online scan findings.
• Provide a constantly updated vulnerability assessment.
• Include an automatic False Positive Prevention Engine.
• Provide Enhanced Report Generation for Scan Comparison: must include the ability to perform comparison and trend analysis of your web applications' vulnerabilities based on scan results generated over selected time periods.
• Recommend solutions to fix, or provide a feasible workaround for, the identified vulnerabilities.
Labels: hacker, protect application, server, vulnerability check, web security seal, website security test