Strategic Security: Web Applications Scanners
Posted by Jordan Wiens on May 10, 2007
Web 2.0 encompasses lots of big ideas, but we've found it's the concept of RIAs that keeps many information security pros awake at night. Splitting intelligence between server and client, as is done with Rich Internet Applications, is a fundamental shift ... and a risky one given the sad state of browser security. Moreover, while it affects only a subset of RIAs, the Ajax development model has both momentum and traits that make eliminating vulnerabilities a real challenge.
Web application scanners can help, but implementation is tricky. For this Rolling Review, we decided that instead of simply focusing on boxed Web application scanners, we'd consider the entire decision-making process. What we found are at least four distinct paths to RIA and Ajax security. (For more on what we plan to test, see our Web Application Scanners Rolling Review scenario box.)
Targeting The Rich
So why are RIAs so insecure? Put very simply, in a conventional Web application, the intelligence is in the Web server. Browsers basically act as dumb remote displays. Yes, ActiveX, Java applets and other techniques did (and still do) provide for more "intelligent" data transfer. But RIAs take this to a new level, with browsers hosting interactive applications that directly query servers for data.
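To make the shift concrete, here is an added illustration (not code from the article or from any product under review) contrasting the two models with in-memory stand-ins for the server: a conventional page handler that picks data from the session alone, a naive Ajax data endpoint that takes the account name from the browser script, and a hardened endpoint that re-derives authorization on the server. The account data and session objects are constructed for the example.

```javascript
// Added illustration: moving logic into the browser does not move trust there.
// Both "servers" are plain functions over constructed in-memory data.
const accounts = {                        // constructed sample data
  alice: { balance: 120, owner: 'alice' },
  bob:   { balance: 75,  owner: 'bob' },
};

// Conventional model: the server decides what to show from the session alone.
// The browser is a dumb display and never names an account.
function renderAccountPage(session) {
  const acct = accounts[session.user];
  return `<p>Balance for ${session.user}: ${acct.balance}</p>`;
}

// RIA/Ajax model, naive version: the browser script asks the data endpoint for
// a specific account. The shipped UI only ever sends the user's own name, but
// the endpoint cannot tell whether a request really came from that UI.
function dataApiNaive(session, query) {
  const acct = accounts[query.account];
  return acct ? { status: 200, body: { balance: acct.balance } }
              : { status: 404 };
}

// RIA/Ajax model, hardened: the endpoint re-derives authorization from the
// server-side session, as the page handler did, and validates the
// client-supplied parameter before using it as a lookup key.
function dataApiHardened(session, query) {
  if (!session || !session.user) return { status: 401 };
  if (typeof query.account !== 'string' ||
      !/^[a-z0-9_]{1,32}$/.test(query.account)) {
    return { status: 400 };
  }
  const acct = accounts[query.account];
  if (!acct || acct.owner !== session.user) return { status: 403 };
  return { status: 200, body: { balance: acct.balance } };
}
```

The point a scanner has to catch is that the data endpoint is a second, directly reachable entry point: the checks the page handler got for free from the session have to be repeated there.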