A tool that scans for vulnerabilities in Web applications seeks to tackle the unique challenges faced by enterprise IT administrators in light of the increasing amount of software that runs on the Internet.
Security technologies often don’t respond to enterprise-specific demands, in particular that production systems have a high degree of sensitivity, said Tim Keanini, chief technology officer with nCircle Network Security Inc.
The San Francisco-based security and compliance management technology vendor released WebApp360 to help large enterprises scan Web applications for security vulnerabilities, like cross-site scripting, SQL injection, buffer overflows, denial of service, insecure storage, and flawed policies.
WebApp360 outlines the difference between scoring a security vulnerability and assessing the risk that vulnerability presents to the business, said Keanini. “The risk to the business needs to have more context than just a list of Web vulnerabilities.”
Large enterprises, he said, typically deal with around 200,000 vulnerabilities. “You need to give them something to help them prioritize and say ‘these are the 10 that I can work on in the next four hours that will lower the overall risk.’ That’s what people in production have to care about.”
The software, said Keanini, performs analytics not just on the Web applications themselves, but also on adjacent applications, like the Web server, middleware and database layer.
“There may be vulnerabilities there that would affect the risk level of that particular class of Web vulnerability,” he said.
When dealing with Web applications, he added, it’s important that analytics consider the general class of a vulnerability because specific manifestations can differ between customers.
Another enterprise challenge is that Web vulnerability tools are often not built for this unique environment. The technology undergoes quality assurance that’s narrow in security scope and not befitting the complexity of corporate production systems, said Keanini.
“In production, it may take a different form,” he said, adding that such security scanning technology may be applied to a server farm as opposed to just a solo machine. WebApp360 addresses a “much more horizontal” problem, said Keanini.
IT administrators can run vulnerability reports using WebApp360. Alternatively, they can use a search feature to locate network assets based on keywords. Rather than having to construct a query from facts that are often scarce and unrelated, Keanini said, administrators can use the search function to pull up a list of relevant Web servers on which to focus an investigation.
It’s certainly useful for IT administrators to have a score card that indicates the enterprise’s level of vulnerability on a particular day, said Peter Christy, principal analyst with Los Altos, Calif.-based Internet Research Group.
It’s good to be able to set a goal and judge the severity of the problem, said Christy, and ask, “Is this an obscure issue that no one has ever exploited, or does it go to the heart of the database? Is it on a system that I care about or on one with relatively low value?”
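The prioritization Keanini describes (a context-free scanner score is not the same thing as business risk; findings in adjacent layers such as the database raise the risk of a given class of Web vulnerability; the admin wants the handful of fixes that fit in the next few hours) and the questions Christy raises about exploitation history and asset value can be combined into a simple triage model. The following is an added illustration, not nCircle's algorithm: the weights, the `Finding` fields and the sample findings are all constructed assumptions.

```python
from dataclasses import dataclass

# Assumed weights for the illustration; a real product would derive these from its own analytics.
ADJACENT_LAYER_FACTOR = 1.5   # Web server / middleware / DB layer also has findings
EXPLOITED_IN_WILD_FACTOR = 1.25  # issue is known to have been exploited, not obscure


@dataclass
class Finding:
    host: str
    vuln_class: str          # general class, e.g. "sqli", not the specific manifestation
    severity: float          # context-free scanner score, 0-10
    asset_value: float       # 0-1, how much the business cares about this host
    adjacent_vulnerable: bool
    exploited_in_wild: bool
    fix_hours: float         # estimated effort to remediate


def contextual_risk(f: Finding) -> float:
    """Score the finding in business context rather than by scanner severity alone."""
    risk = f.severity * f.asset_value
    if f.adjacent_vulnerable:
        risk *= ADJACENT_LAYER_FACTOR
    if f.exploited_in_wild:
        risk *= EXPLOITED_IN_WILD_FACTOR
    return round(risk, 2)


def plan(findings: list[Finding], hours_available: float) -> list[Finding]:
    """Greedily pick the fixes that remove the most contextual risk per hour within the time budget."""
    ranked = sorted(findings, key=lambda f: contextual_risk(f) / f.fix_hours, reverse=True)
    chosen, used = [], 0.0
    for f in ranked:
        if used + f.fix_hours <= hours_available:
            chosen.append(f)
            used += f.fix_hours
    return chosen


# Constructed sample findings; hostnames and values are made up for the example.
SAMPLE_FINDINGS = [
    Finding("shop-web-01", "sqli", 7.0, 1.0, True, False, 2.0),
    Finding("intranet-test-03", "xss", 9.0, 0.2, False, False, 1.0),   # highest raw score, low-value host
    Finding("shop-web-02", "xss", 5.0, 1.0, False, True, 1.0),
    Finding("hr-portal", "insecure_storage", 6.0, 0.8, True, False, 3.0),
    Finding("marketing-site", "dos", 4.0, 0.3, False, False, 0.5),
]

if __name__ == "__main__":
    for f in plan(SAMPLE_FINDINGS, hours_available=4.0):
        print(f"{f.host:18} {f.vuln_class:17} risk={contextual_risk(f):5.2f} hours={f.fix_hours}")
```

Note that the finding with the highest raw severity (the test host) never makes the four-hour plan, which is the point of scoring in context.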
Given the plethora of software emerging on the Internet, WebApp360 doesn’t work across all Web applications, cautioned Keanini. “The evolution around those standards is taking place faster than security consortiums can classify.”
Christy agreed that the tool won’t cover all Web-based applications in existence, but said to keep in mind that the goal of such security products is to intercept technologies that people actually use. “Is it possible someone has a Web-based application designed with technology or programmed in a way that this test won’t be comprehensive? Of course.”
The software, he added, fills holes that are most relevant to the large enterprise customer.
WebApp360 is an add-on module to IP360, nCircle’s security risk and compliance management system for corporate network devices and associated applications. Pricing for WebApp360 is per Web server, not per user.
Keanini said the product isn’t targeted at specific verticals because large enterprises tend to share the same issues around infrastructure complexity.
The addition of WebApp360 to the existing IP360 platform is a recognition by nCircle of the emergence of threats from Web applications and a willingness to combine its understanding of Web technologies to its existing offerings, according to Christy.
nCircle has always focused on safe technologies, unlike the early open-source vulnerability scanners that often crashed systems, he said. “It’s not a good idea to put testing inside the enterprise that crashes the systems while you were testing them,” he said.