KaVaDo and Sanctum provide software that probes Web apps for potential vulnerabilities and provides sound analysis

The two web application firewalls from KaVaDo and Sanctum come with companion application vulnerability scan products to enhance the total security provided for the application. While no scan software can provide the depth of vulnerability discovery and analysis that would come from a professional penetration test, we found that each of the scanners we reviewed brought useful information into the security planning process.

KaVaDo ScanDo

KaVaDo’s ScanDo is a rarity among network security software: it’s easy to use, it works well, and it looks good. The built-in options for scanning are comprehensive, enabling vulnerability searches based on a wide variety of criteria, including exploits of Web services such as SOAP and of particular Web application development languages, including Visual Basic and JavaScript. ScanDo pauses its automatic assessment when it finds an exception, a trait that demands a high level of interactivity from whoever runs the scan. This interactivity increases with the ability to store, modify, and relaunch (or replay) attacks to completely understand the nature of the vulnerability. The replay function reauthenticates with the application, although it will also replay solely from stored forensic data.

If the included scans and attacks are not sufficient, ScanDo includes a full Visual Basic IDE so that new exploits can be created or completely new applications developed around the scan engine.

Results of scans are stored in an .mdb file and an ODBC-compliant database, making them available to a variety of reporting and management tools. ScanDo’s internal reporting console is quite good, generating an XML file with a GUI front end that makes it easy to design individual reports focused on various aspects of the scan results. 
Various formats include an executive summary replete with colorful charts and detailed technical reports that provide outside references and suggested remediation for each vulnerability (plus complete details on the script that found the vulnerability and its results). ScanDo won’t eliminate the need for troubleshooting. Web sites designed to thwart spiders will give the software trouble, and the site's own error messages must be added to ScanDo’s vocabulary before it can tell a missing page from a real one. What’s impressive about ScanDo is how good the interface for making those changes is, as well as the superb presentation of results when the scans are complete.

Sanctum AppScan

In an effort to build security into Web applications throughout their life cycles, Sanctum offers three AppScan products, each aimed at a different development or deployment phase. We looked at AppScan Audit, the “final” product, which is intended to test functional applications for compliance with internal and external security standards. We found that AppScan Audit provides a good assessment of the exploits and vulnerabilities that cause the most severe security headaches. AppScan Audit begins with a user interface that feels much more polished than that of AppShield. Installing, setting up, and managing AppScan Audit were all handled easily through a useful, easy-to-understand GUI.

As with ScanDo, a certain amount of customization was required before AppScan Audit could successfully probe our WebGoat test application. Adding information such as new 404 formats (to deal with Apache Tomcat error messages) was simple and well described in the documentation. Following the customization, AppScan Audit was given a starting point in the Web site and sent on its way.

AppScan Audit looks for SOAP and XML vulnerabilities along with issues deriving from HTML and application problems. AppScan Audit can support applications using many authentication schemes, from SSL to proxy or NTLM (NT LAN Manager) client authentication. 
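Both scanners had to be taught the test application's error pages before their crawlers could work, because a "page not found" served with a 200 status, or in an application server's own template, is otherwise recorded as real content and every check run against it is wasted or misreported. The following is an added illustration of what that vocabulary step amounts to; it is not code from KaVaDo, Sanctum or WebGoat, and the error-page templates, paths and error ids in it are constructed. It combines the three signals a crawler can use: the status codes the site uses, body patterns registered by the operator (the "new 404 format"), and similarity to a baseline error page learned by requesting a path that cannot exist.

```python
import re
from difflib import SequenceMatcher


class ErrorPageDetector:
    """Recognises an application's error pages so a crawler does not record
    them as real content. Three signals, checked in order:
      1. status codes the site uses for "not found";
      2. body patterns added to the detector's vocabulary (the equivalent of
         teaching a scanner a new 404 format);
      3. similarity to a baseline error page learned from a request for a
         path known not to exist (catches soft 404s served with status 200).
    """

    def __init__(self, status_codes=(404, 410), similarity=0.9):
        self.status_codes = set(status_codes)
        self.similarity = similarity
        self.patterns = []
        self.baselines = []  # normalised bodies of known error pages

    def add_pattern(self, regex):
        """Register a body pattern that marks an error page."""
        self.patterns.append(re.compile(regex, re.I | re.S))

    def learn_baseline(self, path, body):
        """Store the error page the site returned for a non-existent path."""
        self.baselines.append(self._normalize(path, body))

    @staticmethod
    def _normalize(path, body):
        # Error templates usually echo the requested path and carry numbers
        # (ids, timestamps); neutralise both so pages for different paths
        # compare equal. The placeholder carries no '<' so it survives the
        # markup strip below.
        text = body.replace(path, "#path#")
        text = re.sub(r"<[^>]+>", " ", text)  # drop markup
        text = re.sub(r"\d+", "0", text)      # collapse numbers
        return re.sub(r"\s+", " ", text).strip().lower()

    def classify(self, path, status, body):
        """Return 'error' or 'content' for one crawled response."""
        if status in self.status_codes:
            return "error"
        if any(p.search(body) for p in self.patterns):
            return "error"
        norm = self._normalize(path, body)
        for base in self.baselines:
            if SequenceMatcher(None, norm, base).ratio() >= self.similarity:
                return "error"
        return "content"


# Constructed sample responses. The first imitates the shape of an
# application-server error template; none of these is a captured page.
SERVER_TEMPLATE = ("<html><head><title>Error report</title></head><body>"
                   "<h1>HTTP Status 404 - {path}</h1>"
                   "<p>The requested resource ({path}) is not available.</p>"
                   "</body></html>")
SOFT_404 = ("<html><head><title>Oops</title></head><body>"
            "<p>Sorry, we couldn't find {path}. Error id {eid}.</p>"
            "<p>Return to the home page.</p></body></html>")
LESSON = ("<html><head><title>WebGoat lesson</title></head><body>"
          "<form action='{path}' method='post'><input name='account'>"
          "<input type='submit'></form></body></html>")


def build_detector():
    det = ErrorPageDetector()
    # Vocabulary entry for the server's error template (an assumed pattern).
    det.add_pattern(r"<h1>HTTP Status 404")
    # Baseline: request a path that cannot exist and remember what came back.
    probe = "/this-path-does-not-exist-8f3a"
    det.learn_baseline(probe, SOFT_404.format(path=probe, eid=918273))
    return det


def classify_samples():
    """Run the detector over the constructed responses; all served as 200
    except the last, which is a genuine 404."""
    det = build_detector()
    return {
        "server_template_200": det.classify(
            "/old", 200, SERVER_TEMPLATE.format(path="/old")),
        "soft_404_200": det.classify(
            "/attack?Screen=7", 200,
            SOFT_404.format(path="/attack?Screen=7", eid=4421)),
        "lesson_200": det.classify(
            "/attack?Screen=5", 200, LESSON.format(path="/attack?Screen=5")),
        "real_404": det.classify("/nope", 404, ""),
    }


if __name__ == "__main__":
    for name, verdict in classify_samples().items():
        print(f"{name:22} -> {verdict}")
```

The baseline check is what makes the vocabulary maintainable: a pattern has to be written for each template the operator notices, whereas a probe for a random path learns whatever the application actually returns, and the normalisation step keeps the comparison stable when the template echoes the requested path or an error id.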
You can use the customization facilities to develop audit procedures for specific business processes, along with record-and-play scripting for transaction sequences and complete processes from authentication to log-off. A series of business process audit scans would be a useful tool when validating the security of internal Web application changes or software infrastructure updates prior to full deployment.

Scan results are presented in a variety of report formats, with pages giving not only the details of the exploit but also possible worst-case results, pointers to the most-affected pages, and other design-oriented information. Scan results are also placed into .csv and Crystal Reports files that make the results useful as input to bug tracking systems such as Remedy, Bugtraq, and Mercury Interactive Test Director.

AppScan Audit is part of an integrated approach to Web application security. Although it is capable and easy to use as a stand-alone product, the range of integration features and life-cycle utilities (such as vulnerability delta reporting) make AppScan Audit most valuable as part of a complete suite of security software.
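The review's two closing points, .csv exports that feed a bug tracker and delta reporting between scans, fit together: once findings are keyed consistently, the difference between a baseline scan and the scan of a new build tells you which issues were introduced, which were fixed and which persist, and that is what a pre-deployment gate needs. The following is an added example of that computation, not AppScan's own delta report; the CSV column names and the findings in it are constructed assumptions.

```python
import csv
import io

# Constructed CSV exports from two hypothetical scans of the same
# application. The column names are an assumption, not a real export schema.
BASELINE_CSV = """url,parameter,issue,severity
/attack?Screen=5,account,SQL injection,high
/attack?Screen=7,menu,Cross-site scripting,medium
/login,username,Verbose error message,low
"""

CURRENT_CSV = """url,parameter,issue,severity
/attack?Screen=7,menu,Cross-site scripting,medium
/login,username,Verbose error message,low
/attack?Screen=9,file,Path traversal,high
"""

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3}


def load_findings(text):
    """Index one export by (url, parameter, issue) -> severity.

    The key deliberately excludes fields that change between runs (timestamps,
    scan ids), so the same finding lines up across scans.
    """
    rows = csv.DictReader(io.StringIO(text))
    return {(r["url"], r["parameter"], r["issue"]): r["severity"] for r in rows}


def delta(baseline, current):
    """Split findings into new, fixed and persistent groups."""
    base_keys, cur_keys = set(baseline), set(current)
    return {
        "new": {k: current[k] for k in sorted(cur_keys - base_keys)},
        "fixed": {k: baseline[k] for k in sorted(base_keys - cur_keys)},
        "persistent": {k: current[k] for k in sorted(base_keys & cur_keys)},
    }


def release_gate(report, block_at="high"):
    """Pass only if the new build introduced no finding at or above block_at.

    Persistent findings are already tracked from the previous scan and are
    reported, not re-gated, so a known backlog does not block every release.
    """
    threshold = SEVERITY_RANK[block_at]
    return all(SEVERITY_RANK[s] < threshold for s in report["new"].values())


def run():
    report = delta(load_findings(BASELINE_CSV), load_findings(CURRENT_CSV))
    return report, release_gate(report)


if __name__ == "__main__":
    report, passed = run()
    for group in ("new", "fixed", "persistent"):
        print(group)
        for (url, param, issue), sev in report[group].items():
            print(f"  [{sev}] {issue} at {url} ({param})")
    print("gate:", "pass" if passed else "FAIL")
```

Each group maps onto a bug-tracker action: new findings open tickets, fixed findings close them with the scan as evidence, and persistent findings bump the age of the existing ticket. The gate decision is a return value rather than a printout so the same function can be called from a build script.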