Web application scanners in this Rolling Review must not only find conventional vulnerabilities, like XSS and SQL injection attacks, but also handle Ajax apps, in which part of the app is running locally in the browser.
Web application scanners should be just one element in a comprehensive, layered program--educating developers and integrating security reviews into the development lifecycle are just as crucial. Problem is, complex Ajax apps represent a new twist for these products, and we don't recommend purchasing a scanner that isn't able to handle Web 2.0 development environments.
ARC had some trouble with our Ajax app, but once we did a manual traversal it was able to work around the problem and evaluate the application. The ARC Web interface let us launch quick and easy scans without worrying about details, while the standalone Hailstorm scanner can dig under the covers where needed.
Cenzic's Hailstorm Enterprise Application Risk Controller isn't what we'd call eye candy. Fortunately, this Rolling Review isn't a beauty contest--Ajax apps pose potentially ugly security risks, and we wanted scanners that go beyond finding flaws in conventional Web applications.
Why are Ajax apps so insecure? From an architectural standpoint, an Ajax application might look better and seem faster, but it adds a great deal of complexity compared with a conventional Web app. While the OS and the Web server beneath it used to be the risky components, their security has been strengthened by decades of scrutiny. Even browsers, under heavy attack recently, have seen a number of security improvements. But programming languages are languishing--where a core team of skilled developers is behind an OS or server, there are orders of magnitude more developers each writing their own applications, often with little understanding of current threats and using frameworks that are only now beginning to take security seriously.
The answer? Longer term, develop programming language frameworks that simplify the task of coordinating code on both the client and the server, and include out-of-the-box protection for common attacks like SQL injection and XSS. Microsoft's ASP.Net Ajax framework is a good example of one toolkit that is making progress in that area.