Scanning vs Pen Testing

For those intent on having top-notch security measures in place, the question shouldn’t really be ‘automatic or manual pen testing?’ but rather ‘how much of each?’ A web application scanner, used to identify security vulnerabilities in your web applications, does not replace an experienced penetration tester; rather, it is a valuable tool in their arsenal and an excellent interim measure when you don’t have a pen tester available. The reality is that most small, medium-sized or even large companies do not employ a penetration tester full time; even if they have a security officer, that person likely covers the full range of security and won’t be a high-level penetration tester. Therefore, should you run, for example, an annual penetration test using a consultant, that leaves 364 days of the year in which a new bug might be discovered while you remain unprotected against attacks.

This is where a web application scanner such as Acunetix comes in. As a tool on its own, it can scan the network and web applications and locate vulnerabilities, either new ones or those that might have been missed in the past. As a pen testing tool it’s invaluable, as it automatically checks for thousands of vulnerabilities which would take many hours to test for manually. The penetration tester can then fix any vulnerabilities located or test further using manual checks.

The level of testing which can now be done automatically by application scanning tools is impressive; scanners such as Acunetix are becoming increasingly intelligent and intuitive. Some of the capabilities and functions are detailed below. These apply directly to Acunetix, though it’s worth bearing in mind that the right application scanner depends on the technology you have in place. We’ve also written an article giving tips on how to choose a web app vulnerability scanner.

Grey Box Testing

A distinction that analysts often fail to make is between black box (dynamic) testing and grey box (interactive) testing. Grey box testing is done using technology which inserts itself into the website code and analyzes code behaviour as it is executed, resulting in a much higher detection rate. Traditional black box scanning cannot see how the code behaves internally when it runs, and source code analysis on its own cannot see what actually happens at execution time. A grey box testing technology such as Acunetix AcuSensor marries these two approaches and is able to achieve a significantly higher detection rate for vulnerabilities.

Types of vulnerabilities

Cross Site Scripting and SQL Injection are two of the most common vulnerabilities exploited by hackers, and there are many variants of each. Therefore a good scanner is equipped to identify many different versions of these, automatically locating them and giving details to the user so that they can be fixed. In addition, it should be regularly updated to detect the newest bugs discovered (e.g. Heartbleed or Shellshock).
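To make the grey box point above concrete, and to show why one SQL Injection variant can slip past a black box check while another does not, here is a toy model of the two scan modes. It is an added example written for this article, not Acunetix or AcuSensor code: the `Sensor` class, the `acu_probe` marker and the three request handlers are all constructed for illustration. The "sensor" stands between the application and its database and records any statement whose text contains the scanner's marker; the black box scan sees only the HTTP-style responses.

```python
import sqlite3

# Constructed marker: a token the scanner embeds in every probe so that a
# sensor inside the application can recognise the scanner's own traffic.
MARKER = "acu_probe"
PROBE = MARKER + "'"      # the probe value: marker plus a quote that breaks string syntax


class Database:
    """Minimal in-memory database standing in for the application's data layer."""

    def __init__(self):
        self.conn = sqlite3.connect(":memory:")
        self.conn.execute("CREATE TABLE users (id INTEGER, name TEXT)")
        self.conn.execute("INSERT INTO users VALUES (1, 'alice')")

    def query(self, sql, params=()):
        return self.conn.execute(sql, params).fetchall()


class Sensor:
    """Hypothetical grey-box hook (not AcuSensor itself): sits between the
    application and the database and records every statement whose *text*
    contains the marker. A marker that only ever travels inside a bound
    parameter never appears in the statement text, so parameterised
    queries produce no finding."""

    def __init__(self, db):
        self.db = db
        self.findings = []

    def query(self, sql, params=()):
        if MARKER in sql:
            self.findings.append(sql)
        return self.db.query(sql, params)


def make_handlers(db):
    """Three constructed request handlers: one leaks database errors to the
    client, one hides them behind a generic response, one is parameterised."""

    def verbose(name):
        try:
            rows = db.query(f"SELECT name FROM users WHERE name = '{name}'")
        except sqlite3.Error as exc:
            return f"500 database error: {exc}"
        return "200 " + (rows[0][0] if rows else "no results")

    def blind(name):
        try:
            rows = db.query(f"SELECT name FROM users WHERE name = '{name}'")
        except sqlite3.Error:
            return "200 no results"          # error swallowed: nothing visible from outside
        return "200 " + (rows[0][0] if rows else "no results")

    def safe(name):
        rows = db.query("SELECT name FROM users WHERE name = ?", (name,))
        return "200 " + (rows[0][0] if rows else "no results")

    return {"verbose": verbose, "blind": blind, "safe": safe}


def black_box_scan(handlers):
    """Sees only the responses: flags a handler when the probe produces a
    database error that is reflected back to the client."""
    return {name for name, handler in handlers.items() if handler(PROBE).startswith("500")}


def grey_box_scan(handlers, sensor):
    """Sees the responses *and* what the sensor observed inside the application."""
    flagged = set()
    for name, handler in handlers.items():
        sensor.findings.clear()
        handler(PROBE)
        if sensor.findings:
            flagged.add(name)
    return flagged


def compare():
    """Run both scan modes against the same application; return (black_box, grey_box)."""
    db = Database()
    sensor = Sensor(db)
    plain = make_handlers(db)             # application talking directly to the database
    instrumented = make_handlers(sensor)  # the same application with the sensor in place
    return black_box_scan(plain), grey_box_scan(instrumented, sensor)


if __name__ == "__main__":
    black, grey = compare()
    print("black box flagged:", sorted(black))  # only the handler that leaks its errors
    print("grey box flagged: ", sorted(grey))   # both injectable handlers, never the safe one
```

The error-leaking handler is found either way, but the handler that swallows its errors looks identical to a harmless "no results" page from the outside, which is exactly the variant the black box check misses. The sensor does not need the error at all: it sees the marker inside the statement text and knows the input reached the query unparameterised, while the parameterised handler stays clean because the marker only ever appears in a bound parameter.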

Technologies

In the rapidly evolving world of web development, the number of languages, frameworks etc. is constantly increasing, and therefore for effective vulnerability scanning you need a tool which can crawl and understand the technologies you have in place. Acunetix, for example, is the most advanced tool for JavaScript and HTML5 applications. It can also understand SOAP, XML, Single Page Applications, REST, AJAX and JSON. It also has increasing support for frameworks such as JavaServer Faces, Spring and Struts.

CMS Support

One in five websites is now created using the popular WordPress content management system. There are also other well-known ones such as Joomla and Drupal. The drawback of using these is that should a hacker manage to penetrate one site, they then have the knowledge to access many others. The wide variety of plugins also offers additional routes of attack. WordPress is notorious for security vulnerabilities, but there are checks which can be made to make sure your WordPress application isn’t as easy to hack. Acunetix is particularly strong at identifying WordPress vulnerabilities, with an entire database of core and plugin vulnerabilities for which it can check.

Rapid Crawling and Low False Positives

With web applications sometimes consisting of hundreds, if not thousands, of pages, or with clients wishing to scan multiple applications, speed is an important consideration. A good vulnerability scanner must be able to crawl thousands of pages in as little time as possible. Equally important is that the scan produces as few ‘false positives’ as possible, since each false identification of a vulnerability wastes valuable time in manual investigation. Acunetix has the lowest false positive rate in the industry, with 100% accuracy on Cross Site Scripting vulnerabilities.
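Where false positives on Cross Site Scripting come from, and how a scanner avoids reporting them, is easiest to see in a verification step. The code below is an added example for this article, not Acunetix code: it assumes a probe made of a unique marker preceded by a quote and an angle bracket, and examines how that probe comes back in a response. A reflection only counts as a finding when the metacharacters survive unencoded in a context where they matter and the response is actually HTML; an encoded reflection, a raw quote in ordinary text, or a reflection inside a JSON response are all classified as harmless. The sample responses are constructed.

```python
TOKEN = "zq7xss"        # constructed unique marker
PROBE = f'"<{TOKEN}'    # quote + angle bracket + marker: the characters that decide exploitability

# Higher rank means a more serious verdict; the three harmless verdicts share rank 0.
RANK = {"absent": 0, "not_html": 0, "encoded": 0,
        "attribute_breakout": 1, "tag_injection": 2}

HTML_TYPES = ("text/html", "application/xhtml+xml")


def _strip_suffix(text, candidates):
    """Remove the first matching suffix; return (remaining_text, matched_suffix_or_None)."""
    for candidate in candidates:
        if text.endswith(candidate):
            return text[: -len(candidate)], candidate
    return text, None


def classify_occurrence(before):
    """Classify one reflection from the response text that precedes the marker."""
    rest, lt = _strip_suffix(before, ["<", "&lt;", "&#60;"])
    if lt == "<":
        return "tag_injection"          # a raw '<' lets the reflection open a new tag
    rest, quote = _strip_suffix(rest, ['"', "&quot;", "&#34;"])
    inside_tag = rest.rfind("<") > rest.rfind(">")
    if quote == '"' and inside_tag:
        return "attribute_breakout"     # a raw '"' closes a quoted attribute value
    return "encoded"                    # metacharacters were encoded or removed


def classify_reflection(body, content_type="text/html"):
    """Verdict for a whole response: the most serious verdict over every reflection."""
    if TOKEN not in body:
        return "absent"
    mime = content_type.split(";")[0].strip().lower()
    if mime not in HTML_TYPES:
        # A browser does not render script from JSON or plain text, so a raw
        # reflection there is a classic false positive.
        return "not_html"
    worst = "encoded"
    start = 0
    while (i := body.find(TOKEN, start)) != -1:
        verdict = classify_occurrence(body[:i])
        if RANK[verdict] > RANK[worst]:
            worst = verdict
        start = i + len(TOKEN)
    return worst


# Constructed responses covering the cases a scanner has to tell apart.
SAMPLES = {
    "raw_in_text":    ('<p>No results for "<zq7xss</p>', "text/html; charset=utf-8"),
    "encoded":        ('<p>No results for &quot;&lt;zq7xss</p>', "text/html"),
    "attr_quote_raw": ('<input name="q" value=""&lt;zq7xss">', "text/html"),
    "text_quote_raw": ('<p>"&lt;zq7xss</p>', "text/html"),
    "json":           ('{"q": "\\"<zq7xss"}', "application/json"),
    "absent":         ("<p>No results</p>", "text/html"),
}


def scan_samples():
    """Classify every sample response; only rank > 0 verdicts would be reported."""
    return {name: classify_reflection(body, ctype) for name, (body, ctype) in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in scan_samples().items():
        flag = "REPORT" if RANK[verdict] > 0 else "ignore"
        print(f"{name:15} {verdict:20} {flag}")
```

Only two of the six samples would be reported: the raw reflection in page text and the raw quote inside an attribute value. The other four are the cases that inflate a naive scanner's results, and the same check also shows a developer which encoding is missing, since encoding `<` alone is enough in text content but not inside a quoted attribute.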
