What are some good website security scanning solutions?

Question

What are some good web-based website security scanning solutions? I'm not too concerned if they are web-based solutions, or software that can be run locally.

Generally, I'm looking for something we can run to provide to clients some sort of certification that their sites are secure. A plus of some of the web-based solutions would be that they can automate it and provide a 'seal' proving the security check is up to date. An example of one I have seen is the GoDaddy Website Protection Site Scanner

Answer 1

Unfortunately there are no automated scanners to detect all the types of vulnerabilities in modern web applications (I often hear less than 50%).

Relying only on automated solutions is fraught with shortcomings. Automated scanners can expose the easy stuff, but you need human intelligence to explore and reveal additional vulnerabilities.

With that said, you can refer to this question (and answers) to view a list of popular automated web application vulnerability assessment tools.

Answer 2

Check out the Web Application Security Scanner List from The Web Application Security Consortium (WASC). Note, I'm one of the authors of Watcher which is a free and open source passive vulnerability scanner on this list. This list also includes the Software as a Service scanning solutions.

Answer 3

Perhaps it helps to talk about a real world analog.

Say your customer has a brick and mortar store. How do you verify it is secure?

First you must understand the threat model. Is it a lemonade stand, a convenience store, or a jewelry store? They all require very different levels of security.

Then you must implement the controls required for that type of property. For a lemonade stand, a simple latching fishing box cash register is probably sufficient.

Finally, you must periodically monitor that the controls are working. Bank safes are rated in expected time to crack. There is no perfect security, and some sort of monitoring is almost always part of physical security. In low security environments this usually just happens by the staff being present at least periodically.

Likewise, there is no one size fits all answer in application security, no matter what vendor or consultant tells you otherwise. Perhaps asking a more specific question including details like: Are these sites handling payments? Are there regulatory requirements? If you're handling credit card data, the answer is probably yes. Are there logins? What personally identifiable data is being protected? etc...

Answer 4

Going a bit off-topic from IT Security...a 'certification' is a very dangerous thing from a liability perspective.I would advise a good read of the small print on any 'certification' service - if they are offering something which will stand up when needed (ie if the website gets hacked you can claim or pass the blame) I would be very astonished.

What is much easier for a vendor to offer is a declaration of how appropriate the security is at a point in time, so that is what usually happens.

In a previous organisation, I would expect to charge 5-10 times as much if I was to give anything like a certification, as my risk and liability issues were significant.

How valuable is certification to you and your clients? Could you/they accept a report which advises on the website's security as compared with peers?

Answer 5

You might want to look at this google list. It shows a ton of the main scanners, but most automated scanners fail to test every instance of exploits. Real human testing is best.

Answer 6

There are two types of web-based, website security scanners that I am currently aware of:

• Ones that look for website and web application security defects
• Ones that look for malware hosted on your website

Qualys provides services for both that are fairly standardized, cheap (for what you get), and run-of-the-mill. None of their scanning is very advanced and will not target your website or web application like a real hacker would. No scanner is capable of simulating a real hacker. There are a few bots such as Aprox that simulated an automated SQL injection attack, but this is only one tool in the toolchain of a modern adversary.

There are some free services, but they also lack luster:

• Qualys SSL Labs (only scans for SSL/TLS security issues)
• ZeroDayScan (only scans for some website and web application security defects)
• Unmask Parasites (only scans for malware present on your website)

If the web application you are trying to test, assess, or audit for web application vulnerabilities has a real-world risk classification (i.e. it is under attack, or has been under attack in the past, or there is reason to believe that it will be attacked in the future) or data classification (i.e. it services data, or processes/stores/transmits data that is sensitive in nature) then it is in your best interest to contact an Application Security Consulting company. You should prefer working with partners that you have a good referral for and that you have had success with working in the past. It is also good to establish business partners that cater to your specific industry vertical or situation. Most of the good ones are small, security boutiques with 5-15 employees/contractors, but if your company is large enough, you might want to choose a larger firm to co-ordinate the work with the smaller firms.

If you are under attack and require help with your incident management, I suggest similar boutiques that specialize in incident response and malware research. You can find more information about what is offered from industry analysts such as Gartner, Forrester Research, etc -- but there are also smaller security boutiques that specialize in industry analysis that are certainly worth checking out.

Answer 7

I just ran across this blog post that provides a very detailed comparison of both commercial and open-source web application scanners.