web application security lab

Web Application Security Poll

Jeremiah released a really interesting survey he did today on some broad web application security questions he asked of some security professionals. Now I feel bad that I didn’t answer it myself when he sent it to me, but I would have skewed the results in almost the same way everyone else did so maybe it’s not that bad. From a security perspective it’s really interesting seeing what other professionals think about certain things. Maybe the sample size is slightly too small to be exact, but really there aren’t that many true web application security professionals out there, so maybe this IS the statistic.

The most interesting statistic that I found was the percentage of people who use web application security scanners for their penetration testing. 71% of the users polled said “never”. Ouch! That smacks of some serious issues with either the functionality or the perception of the scanners out there. What are the reasons, though? Why is it so difficult to test for web application security issues from an automation perspective?

The obvious answer is that there are just so many tests to be performed, and there isn’t enough intelligence built into the scanners: even when they happen across an issue, they can’t reasonably tell what the issue is or what it means. They can only tell you which bucket it falls into and move on. That’s just not enough. Maybe it tells you where to start looking for some of the obvious low-hanging fruit, but does it make a serious enough dent in the overall vulnerability assessment to consider yourself secure? Well, it stands to reason that the experts would say no, based on the results Jeremiah came back with today. Interesting.

5 Responses to “Web Application Security Poll”

  1. RSnake Says:

    After talking with Jeremiah about this, the most common answer given for why people don’t use web application scanners is that scanners do find vulnerabilities - that’s not the problem. The problem is setting the scanner up to function, working with the tool, then peeling out the relevant results. Experts don’t care about comprehensiveness with the tool, but they do care to know what it did and didn’t do so they can complete the rest. So the real answer is the tools don’t save them time, it creates more.

    Again, ouch! That’s actually a worse reason than the one I gave.

  2. Jimbo Joe Says:

    I assess sites for a living and I just don’t have time to set up the scanners.

    But more importantly, I find that I perform my assessments intuitively, each request and response guides what I do next, picking up bits of info here and there, like from Google, that allow me to really crack a site.

    Your VMWare post is a good example of that process.

  3. RSnake Says:

    That’s a very good point. I was talking a little more about this with some folks about CSRF in particular and it occurred to me that there is no way that a scanner can tell if something is CSRF-able or not, but even if it could, how can you tell if it’s of value or not? So what if I can turn your default language to Gaelic on Google? It’s an annoyance but definitely not a real security issue.

  4. apnovi Says:

    I think quite a few times it can come down to cost. I do work for a few charities and very often they find the money to support these kind of applications. For example the pricing for Acunetix for 1 website for 1 year is $1995. When a company hosts multiple websites that’s a pricey business. Also when it comes down to free Open Source applications it’s the time and skill needed to program such scanners that puts most people off.

  5. RSnake Says:

    Yah, if you are an individual contractor working out of your home office that price can be daunting if it’s not covered by the contract itself. And even so for lots of small companies they wouldn’t be willing to pay $2k for the tool to do an audit.

    These are all interesting reasons. Personally, I don’t use them for that reason alone. I don’t work in security so if it’s not free or nearly free I won’t touch it. But even if I could spend $2k on a really good tool I’m still not convinced I would get much more out of it than doing the audits by hand.
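To make the “bucket” problem from the post and the CSRF point in RSnake’s comment concrete, here is an added example (not code from the post or from any scanner it mentions). It performs the kind of check an automated scanner can do, flagging POST forms with no hidden field that looks like an anti-CSRF token, over a constructed sample page; the token field-name hints and the “GET forms don’t change state” rule are assumptions of this example. A password-change form and a UI-language form land in the same bucket, and only a human can say which one matters.

```python
"""Scanner-style CSRF check over constructed sample forms (added example)."""
from html.parser import HTMLParser

# Constructed sample page: a password-change form and a language-preference
# form with no anti-CSRF token, a protected form, and a GET search form.
SAMPLE_HTML = """
<form action="/account/password" method="post">
  <input type="password" name="new_password"><input type="submit" value="Change">
</form>
<form action="/prefs/language" method="post">
  <select name="lang"><option>en</option><option>ga</option></select>
</form>
<form action="/account/email" method="post">
  <input type="hidden" name="csrf_token" value="constructed-value">
  <input type="text" name="email">
</form>
<form action="/search" method="get"><input type="text" name="q"></form>
"""

# Assumed heuristic: hidden fields whose name contains one of these look like tokens.
TOKEN_FIELD_HINTS = ("csrf", "xsrf", "token", "nonce")


class FormCollector(HTMLParser):
    """Collects each form's action, method and (type, name) of its fields."""

    def __init__(self):
        super().__init__()
        self.forms = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.forms.append({"action": a.get("action", ""),
                               "method": (a.get("method") or "get").lower(),
                               "fields": []})
        elif tag in ("input", "select", "textarea") and self.forms:
            self.forms[-1]["fields"].append(((a.get("type") or "text").lower(),
                                             a.get("name") or ""))


def missing_csrf_token(html):
    """Return actions of POST forms carrying no hidden token-like field.

    Every hit is reported identically: the check cannot rank impact."""
    parser = FormCollector()
    parser.feed(html)
    findings = []
    for form in parser.forms:
        if form["method"] != "post":
            continue  # assumption: GET forms do not change state
        has_token = any(ftype == "hidden" and any(h in name.lower() for h in TOKEN_FIELD_HINTS)
                        for ftype, name in form["fields"])
        if not has_token:
            findings.append(form["action"])
    return findings
```

Running `missing_csrf_token(SAMPLE_HTML)` reports `/account/password` and `/prefs/language` side by side with no indication that one is a real issue and the other an annoyance.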