
Time To Automate Web Defenses?

Tying vulnerability scanners and Web application firewalls together can help tighten Web security without developer pain -- but trust is still a problem

Oct 25, 2011 | 07:40 PM | 

By Robert Lemos, Contributing Editor
Dark Reading


Attackers looking for a vulnerable website to target typically use one of two approaches: Either they target a vulnerability and use a search engine, such as Google, to find sites that have the flaw, or they target a specific site and scan it for vulnerabilities.

The different attacks can lead to different losses and risks, but both rely on attackers finding a way in, most frequently through a Web application flaw. In the latest Data Breach Investigations Report, for example, Verizon Business found that different classes of attacks on servers comprised the top four causes of data-breach incidents.

Despite the danger, and despite the fact that eliminating common Web application flaws is required by compliance regimes such as PCI-DSS, companies are still not patching their Web applications fast enough. Businesses that have the resources can find and close the holes in their custom Web applications, but most do not have enough developers to quickly patch vulnerabilities, says Dan Kuykendall, co-CEO and chief technology officer of NT OBJECTives, a vulnerability discovery firm.

"These companies end up being vulnerable for lengthy periods of time," he says.

In some industrial sectors, the average company takes months to fix Web flaws. Even the best companies typically take weeks to close security holes, according to a recent report from WhiteHat Security, a Web security firm. The four industrial sectors that handled vulnerabilities the quickest -- banking, financial services, healthcare, and education -- required two to four weeks to fix flaws. While secure coding principles and vulnerability scanning technologies can help reduce flaws in software before it reaches production, companies still have to deal with an average of 13 serious Web flaws, the report found. The top vulnerability classes identified by the report included cross-site scripting, information leakage, content spoofing, and cross-site request forgery.

While Web applications firewalls, or WAFs, have been heralded as a fix -- a virtual patch to tide over companies until they actually fix code -- creating rules is not always straightforward and often gets put on the back burner. Automating the task and linking a scanner and a Web application firewall holds the promise of creating rules that are tailored to the actual vulnerabilities in the affected applications.

"The combination of a WAF with a vulnerability scanner is a powerful tool," says Rob Rachwald, director of security strategy for data-protection firm Imperva. "The way it works is that you hammer your application until you find everything that the scanner identifies as a vulnerability and block them."

Imperva, which counts a Web application firewall among its products, believes such appliances should be a no-brainer for any company that has valuable Web services. Like other vulnerability management products, a Web application firewall can buy a company valuable time until its IT teams get a chance to patch.

Earlier in October, NT OBJECTives announced its own rule generator that takes the results of the company's vulnerability scanner and creates "custom-fit" rules. The result is that companies can quickly deploy virtual patches for problems as they are discovered, as opposed to waiting weeks for a fix, says CTO Kuykendall.

Yet deploying rules -- especially automatically generated ones -- on a production server is not always quick. The process requires multiple layers of checks to catch errors, says Vincent Liu, a managing partner with security consulting firm Stach & Liu.

"I don’t know any organization that willingly accepts automated rules being deployed without thorough manual review," Liu says. "In fact, it’s hard enough to get a manually developed WAF rule deployed."

While virtual patching is all well and good, setting schedules for fixing flaws quickly is still important, he says.

"WAFs are a band-aid solution," Liu says. "Code fixes are the way to go, if you can get it done."
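As an added illustration (not code from NT OBJECTives, Imperva or this article), the script below turns constructed scanner findings into "custom-fit" virtual-patch rules scoped to the flagged path and parameter, renders them in ModSecurity-style syntax, and simulates the WAF verdict on sample requests. To reflect the review step Liu describes, a generated rule only blocks once a reviewer has approved it; until then it is emitted log-only. The finding format, paths, patterns and rule ids are assumptions.

```python
import re
from urllib.parse import parse_qs, urlparse

# Constructed scanner findings: path, vulnerable parameter and vulnerability
# class (assumed format, not any vendor's real report output).
FINDINGS = [
    {"path": "/search", "param": "q", "class": "xss"},
    {"path": "/account", "param": "id", "class": "sqli"},
]

# Narrow per-class patterns: each rule covers only the flagged parameter.
PATTERNS = {
    "xss": r"<\s*script|on\w+\s*=|javascript:",
    "sqli": r"'\s*(or|and)\s+|union\s+select|;\s*drop\s",
}

def generate_rules(findings, approved=frozenset()):
    """Return (rule objects, ModSecurity-style text). A finding blocks only
    once its (path, param, class) is in `approved`; everything else is
    emitted with `pass` (log-only) so it can be reviewed before it blocks."""
    rules, lines = [], []
    for rid, f in enumerate(findings, start=100001):
        key = (f["path"], f["param"], f["class"])
        action = "deny,status:403" if key in approved else "pass"
        rules.append({"id": rid, "path": f["path"], "param": f["param"],
                      "pattern": re.compile(PATTERNS[f["class"]], re.I),
                      "blocking": key in approved})
        lines.append(f'SecRule REQUEST_FILENAME "@streq {f["path"]}" '
                     f'"id:{rid},phase:2,{action},log,'
                     f'msg:\'Virtual patch: {f["class"]} in {f["param"]}\',chain"')
        lines.append(f'    SecRule ARGS:{f["param"]} "@rx {PATTERNS[f["class"]]}" '
                     '"t:none,t:urlDecodeUni,t:lowercase"')
    return rules, "\n".join(lines)

def evaluate(rules, url):
    """Simulate the WAF verdict for one request: 'block', 'log' or 'allow'."""
    parsed = urlparse(url)
    args = parse_qs(parsed.query, keep_blank_values=True)
    verdict = "allow"
    for r in rules:
        if r["path"] != parsed.path:
            continue  # custom-fit rule: other paths are untouched
        if any(r["pattern"].search(v) for v in args.get(r["param"], [])):
            if r["blocking"]:
                return "block"
            verdict = "log"  # matched, but still awaiting manual approval
    return verdict
```

Running `generate_rules(FINDINGS, approved={("/search", "q", "xss")})` yields one blocking rule and one log-only rule; `evaluate` then blocks a script tag in `/search?q=`, logs an injection attempt in `/account?id=`, and leaves the same payload on an unflagged path alone.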
