I have a web app, and customers who are concerned about the security of the app. I want to be able to give my potential customers (manufacturing companies with 2k-10k employees) confidence that our app is secure.

One thing I'm considering is subscribing to Qualys security scanning. I'm hoping that the knowledge that we are using a well known service for security scanning would belay some of my customers concerns. I could potentially even show them the Qualys generated reports.

Is Qualys a good solution for this problem? Would IT staff at my customers have likely heard of Qualys? Would I be better off just getting an external security audit by a well known security firm?

Snitse

5 Answers

It sounds like Qualys is probably your preferred option: ongoing and repeated vulnerability scanning provides a long-term security blanket which will comfort your customers.

That being said, you should understand the difference between vulnerability scanning and a targeted security audit (often "pentest").

Vulnerability scanning will make sure that your infrastructure is, and stays, secure. It will detect when the web server software you're using suddenly becomes vulnerable because someone released a new attack against it. It will detect if your server starts offering FTP to the world. It will notice if certain known vulnerable configurations of the web server show up. What it won't do is provide any real insight into the security of your application.

That's what a pentest does. The pentester will look at your application with experienced eyes and specialized tools, and try to discover if you made mistakes when you wrote the application that an attacker could capitalize upon. They'll also look at the same sort of "vulnerability scan" things, but the real value-add is to have a human think things through. People can make connections that computers can't, recognize patterns that indicate subtle problems.

So in an ideal world, you'd have your application pentested at the start, and again whenever you make major code changes to it. And you'd also have Qualys (or an equivalent, of course) run regular vulnerability scans to look out for all the simple, straightforward stuff that regularly bites people in the posterior.

If you're just checking a checkbox, though, that's more money and effort than you're looking to spend. Go with the regular vulnerability scanning, you'll get the seal of approval to show people and you'll get helpful defense against the "low hanging fruit" - easy for attackers to find, usually easy to fix.

gowenfawr
  • And is Qualys a good solution for the 'seal of approval'? Would my customers' IT staff be placated by the name 'Qualys'? – Snitse Nov 17 '13 at 20:11
  • I think they've got pretty good name recognition, but since I'm in the Security industry, I'm not really a good judge of what the average IT staff would think :) – gowenfawr Nov 17 '13 at 20:21
A lot depends on the data I'd be entrusting you with. I assume it would be worth a lot, and would be worthy of protecting.

I would be looking for you to produce evidence that you've been taking security seriously throughout your product's development, and not just hired someone for a scan after the fact. You should be able to show your company's info security policies, the name of your security officer, offer the results of static code analysis tools, documentation of your secure application development practices, and yes, the results of annual security audits and scanning services.

If security is actually important to you, it will show through in your activities.

John Deters
  • The data is not valuable; security is really just a checkbox in our customers' IT staff's minds. I'm trying to figure out the best way to check that checkbox. – Snitse Nov 17 '13 at 01:29
  • Then it sounds like a "scanned for your security" badge is all they need :-) – John Deters Nov 17 '13 at 01:44
  • And do you think Qualys is a good way to get that 'scanned for your security' badge? – Snitse Nov 17 '13 at 20:11
Testing is just one part of your security programme, but it is an important part.

There are two main approaches to security testing:

  • Automated tools - these are tools, such as Nessus, Qualys, AppScan, and many others. These can be run by an IT analyst who is not a security specialist, or even scheduled to run automatically.

  • Manual testing - get a specialist penetration test company to run a test. Because this involves manual effort it is expensive and will usually only be performed occasionally.

It is important to distinguish security of your application and security of your infrastructure.

For infrastructure testing, automated tools are quite adequate; a manual penetration test doesn't add much value. The ability to run automated tools frequently is a major advantage. Most serious commercial operations have an infrastructure testing tool that is managed in-house.

For application testing, automated tools are only part of the picture. There are many vulnerabilities that a manual penetration test can find that an automated tool cannot. Most serious commercial operations have manual testing performed periodically. To go beyond that, you need to have both an automated tool you manage in-house, and some penetration tests.

There are two main approaches to application testing with automated tools:

  • DAST - Dynamic application security testing, i.e. scanning a running application
  • SAST - Static application security testing, i.e. source code analysis

In general SAST is a better approach as it is more thorough and the results are presented in a form that is more useful for developers (e.g. you have a problem in myfile.java line 163). However, DAST and SAST will detect slightly different sets of issues, and have different tendencies for false positives. As such, a growing trend is DAST and SAST integration, which is an attempt to get the best of both worlds.

paj28
  • Good answer, although I'm not sure I'd entirely concur on the benefits of SAST over DAST. A problem with SAST tends to be that it only assesses a portion of the application stack (the company-developed piece), leaving out any 3rd party libraries in use (or making assumptions about what they do), which can lead to false positives/negatives. – Rory McCune Nov 17 '13 at 17:37
For server-side controls, yes, Qualys will be enough. However, in terms of the web application it is not sufficient.

Besides that, a penetration test is different from vulnerability scanning. During vulnerability scanning, automated tools scan for well-known vulnerabilities and signature-based stuff.

For example, you can run a web application scanner and may find XSS vulnerabilities if they exist. But you will not be able to find logical flaw issues such as privilege escalation, etc.

Or on the network side, you will not be able to find architectural stuff with Qualys, but you will be able to find missing patch issues, weak SSL stuff, service-based vulnerabilities, etc.

In brief, for a proper check, you should separate tools in terms of environment. For example, Qualys for server-based stuff periodically, and Netsparker, Arachni, etc. for the web application side of the project. Those are automated controls run periodically. Besides that, at least once and with every major code change there should be a proper penetration test process.

This method will give a serious overview of your security.

Hope it helps.

Let's first shed some light onto the different assessments available for web applications.

A scan performed with a good professional scanner provides valuable information regarding misconfigurations of the infrastructure (e.g. detect default passwords, test for known vulnerabilities), but not much more. If you go this way, make sure the tester checks for false positives, as scanners are very prone to those.

A vulnerability assessment aims at finding the most vulnerabilities, even with hands-on testing. It's a way more effective assessment than a simple scan, as a real tester is able to find logical flaws and not only "technical" ones. With this kind of test you'll be able to understand how many problems the application has.

Finally, a penetration test is aimed at discovering how much impact the possible vulnerabilities have. While a VA is focused on finding the most vulnerabilities, a PT's objective is to exploit some flaws and show the client the real damage that can be done by an experienced attacker.

Since you stated that your application does not contain sensitive data, I'd suggest a vulnerability assessment. While usually more costly than a simple scan, it will provide insight into the mistakes that you might be doing while developing, hence avoiding them in the future.

Gurzo