Time To Automate Web Defenses?

Tying vulnerability scanners and Web application firewalls together can help tighten Web security without developer pain -- but trust is still a problem
Attackers looking for a vulnerable website to target typically use one of two approaches: Either they target a vulnerability and use a search engine, such as Google, to find sites that have the flaw, or they target a specific site and scan it for vulnerabilities.

The different attacks can lead to different losses and risks, but both rely on attackers finding a way in, most frequently through a Web application flaw. In the latest Data Breach Investigations Report, for example, Verizon Business found that different classes of attacks on servers comprised the top four causes of data-breach incidents.

Despite the danger, and the fact that eliminating common Web application flaws is required by compliance regimes such as PCI-DSS, companies are still not patching their Web applications fast enough. Businesses that have the resources can find and close the holes in their custom Web applications, but most do not have enough developers to quickly patch vulnerabilities, says Dan Kuykendall, co-CEO and chief technology officer of NT OBJECTives, a vulnerability discovery firm.

"These companies end up being vulnerable for lengthy periods of time," he says.

In some industrial sectors, the average company takes months to fix Web flaws. Even the best companies typically take weeks to close security holes, according to a recent report from WhiteHat Security, a Web security firm. The four industrial sectors that handled vulnerabilities the quickest -- banking, financial services, healthcare, and education -- required two to four weeks to fix flaws. While secure coding principles and vulnerability scanning technologies can help reduce software flaws before production, companies still have to deal with an average of 13 serious Web flaws per site, the report found. The top vulnerability classes identified by the report included cross-site scripting, information leakage, content spoofing, and cross-site request forgery.

While Web application firewalls, or WAFs, have been heralded as a fix -- a virtual patch to tide over companies until they actually fix the code -- creating rules is not always straightforward and often gets put on the back burner. Automating the task by linking a scanner to a Web application firewall holds the promise of creating rules that are tailored to the actual vulnerabilities in the affected applications, rather than generic signatures that must be tuned by hand.

"The combination of a WAF with a vulnerability scanner is a powerful tool," says Rob Rachwald, director of security strategy for data-protection firm Imperva. "The way it works is that you hammer your application until you find everything that the scanner identifies as a vulnerability and block them."

Imperva, which counts a Web application firewall among its products, believes such appliances should be a no-brainer for any company that has valuable Web services. Like other vulnerability management products, a Web application firewall can buy a company valuable time until its IT teams get a chance to patch.

Earlier in October, NT OBJECTives announced its own rule generator that takes the results of the company's vulnerability scanner and creates "custom-fit" rules. The result is that companies can quickly deploy virtual patches for problems as they are discovered, as opposed to waiting weeks for a fix, says CTO Kuykendall.
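The scanner-to-WAF link described above, as an added example that is not NT OBJECTives' or Imperva's code: it reads a constructed scanner export (the JSON schema, the `/account/profile`, `/search` and `/docs/view` endpoints, and the `900100` rule-ID range are all assumptions for illustration) and emits one ModSecurity virtual patch per finding, scoped to the reported URL and parameter. Where the scanner records the value shape the parameter legitimately takes, the rule rejects anything else (positive model); otherwise it falls back to a narrow signature for the reported vulnerability class. Rules are generated in log-only mode by default so they can be reviewed before `enforce=True` switches them to `deny`.

```python
"""Generate ModSecurity virtual-patch rules from scanner findings.

Added example, not the code of any vendor named in the article. The finding
schema below is a constructed stand-in for a scanner export; real scanners
each have their own format.
"""
import json
import re

# Constructed sample export: three findings as a scanner might report them.
# Hypothetical schema (assumption): url, parameter, vuln_class and an optional
# expected_format giving the value shape the developers say is legitimate.
SCANNER_EXPORT = """
[
  {"url": "/account/profile", "parameter": "id", "vuln_class": "sqli",
   "expected_format": "^[0-9]{1,10}$"},
  {"url": "/search", "parameter": "q", "vuln_class": "xss"},
  {"url": "/docs/view", "parameter": "file", "vuln_class": "path_traversal"}
]
"""

# Negative signatures, used only when no expected format is known. They are
# deliberately narrow: a virtual patch should block the reported issue on the
# reported parameter, not try to be a general-purpose WAF ruleset.
SIGNATURES = {
    "sqli": r"(?i)(?:'|--|;|\bunion\b|\bselect\b|\bor\b\s+\d+=\d+)",
    "xss": r"(?i)(?:<\s*script|javascript:|on[a-z]+\s*=)",
    "path_traversal": r"(?:\.\./|\.\.\\|%2e%2e)",
}

# Assumed private ID range; choose one that does not collide with your ruleset.
RULE_ID_BASE = 900100


def build_rule(finding: dict, rule_id: int, enforce: bool) -> str:
    """Return a two-line ModSecurity chain: URI scope, then the parameter test.

    The disruptive action, id and msg belong on the first rule of a chain;
    the chained rule only carries the operator and its transformations.
    """
    url, param, vclass = finding["url"], finding["parameter"], finding["vuln_class"]
    action = "deny,status:403" if enforce else "pass"   # pass = log-only staging
    msg = f"Virtual patch {vclass} on {url} param {param}"
    actions = f"id:{rule_id},phase:2,log,msg:'{msg}',tag:'virtual-patch',chain,{action}"
    fmt = finding.get("expected_format")
    if fmt:
        test = f'"!@rx {fmt}"'            # positive model: reject anything off-shape
    else:
        test = f'"@rx {SIGNATURES[vclass]}"'  # negative model: block known payload shapes
    return (
        f'SecRule REQUEST_URI "@beginsWith {url}" "{actions}"\n'
        f'    SecRule ARGS:{param} {test} "t:none,t:urlDecodeUni"'
    )


def generate_rules(export_json: str, enforce: bool = False) -> list[str]:
    """Turn a scanner export into a list of rule texts, one per finding."""
    findings = json.loads(export_json)
    rules = []
    for offset, finding in enumerate(findings):
        if finding["vuln_class"] not in SIGNATURES and not finding.get("expected_format"):
            raise ValueError(f"no rule template for {finding['vuln_class']}")
        rules.append(build_rule(finding, RULE_ID_BASE + offset, enforce))
    return rules


def would_block(finding: dict, value: str) -> bool:
    """Offline check of a rule's core test against a sample parameter value.

    Uses Python's re, which is close to (not identical with) the PCRE engine
    ModSecurity uses; good enough to catch an obviously wrong regex before the
    rule goes to review.
    """
    fmt = finding.get("expected_format")
    if fmt:
        return re.search(fmt, value) is None
    return re.search(SIGNATURES[finding["vuln_class"]], value) is not None


if __name__ == "__main__":
    for rule in generate_rules(SCANNER_EXPORT):
        print(rule, end="\n\n")
```

Run it and paste the output into a ModSecurity include file; the `tag:'virtual-patch'` action lets the audit log be filtered for these rules while they sit in log-only mode, and the `would_block` check gives reviewers a quick way to try the sample payload from the scanner report, plus a few benign values, against each rule before anyone flips it to `deny`.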

Yet deploying rules -- especially automatically generated ones -- on a production server is not always quick. The process requires multiple layers of checks to catch errors, says Vincent Liu, a managing partner with security consulting firm Stach & Liu.

"I don’t know any organization that willingly accepts automated rules being deployed without thorough manual review," Liu says. "In fact, it’s hard enough to get a manually developed WAF rule deployed."

While virtual patching is all well and good, setting schedules for fixing flaws quickly is still important, he says.

"WAFs are a band aid solution," Liu says. "Code fixes are the way to go, if you can get it done."
