The Scanning Flow
Launching an automated web application security scan is not enough on its own. Maintaining a secure web application is a broader and more challenging process. Thanks to Acunetix 360’s advanced technologies, discovering issues on a web application and fixing them is easier than ever.
Acunetix 360 will help you with default options and explanations. But you also need to gather some detailed information about your web applications. This article will help you prepare, so that you can set the correct options for your Acunetix 360 scan.
Knowing Your Web Application
Before launching a scan, it's best to take an inventory of your web application. The answers will help you to optimize your Scan Policies.
Do you know the following about your target's technologies?
- Which programming (or scripting) languages were used to develop the target?
- Is the web application based on a framework or a CMS?
- On which operating system does the application run?
- Are there any databases connected to the application?
- Are you aware of all your online collateral, web applications and services?
The most vulnerable components of a web application are often its login forms and input fields. Check your targets to determine whether there are any web forms or input areas: you will need them to set up form authentication, or to exclude them from the Scan Scope. Acunetix 360 carries out a large number of attacks, which may negatively affect your web application if the scan parameters are not set properly. For instance, if there is a mail form on your web application, Acunetix 360 will send requests to that form and you may receive many unwanted emails. Excluding such components from the scan is very useful in these cases.
For further information, see Before Using Acunetix 360, Application & Service Discovery Service, and Do Acunetix 360 Scans Damage Web Applications?
Preparing and Configuring Scans
After learning which technologies and other elements exist on the web application, you can start configuring the scan.
Acunetix 360 is a very user-friendly, automated web application security scanner. In most cases, it is enough to enter the target URL and start scanning, and the scanner will fine-tune itself automatically. Even though Acunetix 360 will still discover the vulnerabilities successfully, an imprecisely configured scan may run extra and unnecessary security checks, keeping the target host needlessly busy.
The duration of a web application security scan depends on various factors. To keep the duration short, you can optimize a scan by configuring some of the settings. For even more accurate scan results, you should configure the scan further. You can configure the following options:
- Crawling Options
- Scan Scope
- HTTP or form-based authentication
- Scan Policy
Before scanning your target, the target host has to be ready for the test. Ensure that the target host stays online during the scanning process. To avoid any service breakdowns, you can use the Scan Time Window to set the time for Acunetix 360 to scan the target URL.
For further information, see Overview of Scan Policies and Scan Policy Optimizer.
Scanning Your Web Applications
Think of your web applications as an unsecured back door into your business. Modern web applications let users interact with the host's network or server. Poor coding and weak hardening policies degrade the security of a web application. If the web application is not developed to the relevant security standards, it can be manipulated by exploiting vulnerabilities and misconfigurations.
Acunetix 360's advanced scanning technologies make it easy to identify SQL Injection, Cross-site Scripting (XSS) and thousands of other vulnerabilities in web applications. Acunetix 360 can also detect out-of-date web application technologies to help you keep your web application up to date.
Acunetix 360 can be easily integrated into your SDLC, DevOps and other environments, which makes it much more convenient to keep your web applications secure.
For further information, see What is Acunetix 360? and Integrating Acunetix 360 into Your Existing SDLC.
Reviewing and Comparing Scan Results with Previous Scans
If you have Acunetix 360, you have probably already performed a scan of your web application. Previous scans show how the security of your application has developed over time. You can compare the old and new scan results, and review the newly discovered issues.
- Acunetix 360 allows you to retest the issues found on a previous scan.
- You can choose the security test type for specific vulnerabilities.
- Incremental scans help you save time. Instead of scanning the whole web application, you can scan only the pages added since the last scan.
You can integrate an issue tracker with Acunetix 360 to help you manage and fix the identified vulnerabilities faster.
For further information, see Creating a New Scan and Reviewing Scan Results and Imported Vulnerabilities.
Attackers use different methodologies to hack web applications, and every day brings the potential for a new attack, so scheduling and performing periodic security scans is vital. Each scan may discover new vulnerabilities on your web application. If vulnerabilities are detected, you need to fix them as quickly as possible and then retest them with Acunetix 360, which checks whether the issues are properly fixed and then marks them as resolved. This process needs to be conducted continuously so that the security of your web applications is maintained.
For further information, see Update the Status of an Issue in Acunetix 360.
Retesting Fixed Issues
The main objective of a security scan is to detect issues and fix them. Acunetix 360 lets you retest the issues to check whether they have been fixed. Instead of starting a full scan, you can retest only the fixed issues.
In Acunetix 360, you can retest all issues. Acunetix 360 automatically checks each issue: if it is fixed as intended, the issue will be marked as Fixed; if not, the issue will be assigned back to the Assignee. If you are sure that the issue is a false positive, you can mark it as a False Positive. You can also mark the issue as Accepted Risk if you are aware of its impact and choose to accept it.
For further information, see How to Run a Retest in Acunetix 360.
Reporting is the most important step in the web application security scanning process. Acunetix 360 can generate reports based on relevant regulations. If you want your web application to be compliant with ISO 27001, generate an ISO 27001 Compliance Report to check for specific vulnerabilities and apply the correct remedies.
Acunetix 360 also enables you to create custom reports. This means you can change the vulnerability details, classification numbers, or recommended actions, or add your organization's logo.
For further information, see Built-in Reports and Report Templates.