If security is not an integral part of your company’s development process for custom Web-based applications, your Web interfaces may be vulnerable. Ideally, security concerns should be addressed during development, but with limited internal resources, it’s difficult to cover all the bases and account for every single possible exploit.
SecureState, a Cleveland-based security consulting firm, works with companies to ensure that their interfaces are secure by inspecting and testing applications before or after deployment. The tool that SecureState prefers to use to assess vulnerabilities is SPI Dynamics’ WebInspect, which automates many testing tasks.
If you’re looking for a tool to audit the security of your Web applications, WebInspect offers some useful features that can simplify the job.
The benefits of auditing with WebInspect
WebInspect automates many tests SecureState consultants would otherwise need to perform manually during their reviews, which focus primarily on compliance with online banking security regulations. For example, WebInspect checks for missing access controls on well-known files, eliminating the need to manually search for and test those files.
“It will do about 70 percent of our testing for us,” said Ken Stasiak, SecureState’s vice president of professional services. “And for the other 30 percent, we can use the tool as an aid to craft custom attacks and conduct further testing.”
Ease of use and customizability are other strengths of the tool, said Stasiak, particularly since auditors can supplement the tests WebInspect runs with those they’ve developed themselves. SecureState consultants can also add scripts to the WebInspect database, creating a tool that performs even more comprehensive security assessments by adding attacks they’ve seen to WebInspect’s standard set of tests.
“Being able to add our manual tests to the database,” said Stasiak, “allows us to enhance our whole Web application assessment process.”
WebInspect is a particularly useful tool in SecureState’s “black box” tests, in which the firm’s auditors don’t have access to the application source. Since the tool performs the audit from an outside perspective without access to the Web app code or contact with the development team, it assumes the role of a hacker. The exploits included in WebInspect, Stasiak said, can be used to launch a Web server attack that can eventually lead to accessing the applications.
“Vulnerabilities associated with IIS or Apache, for example,” said Stasiak, “can lead us to get application data or directories within the application.”
WebInspect in application
SecureState focuses on Web app security assessments for companies in the financial services industry.
“We look at things from an application inside out perspective to see how the online banking apps have been coded and determine where the vulnerabilities lie,” said Stasiak.
The firm has worked primarily with larger organizations that have dedicated development staffs assigned to specific application projects. Because of this arrangement, SecureState has been able to work with developers to help them write more secure code, Stasiak said.
SecureState categorizes its assessments as either “black box” or “white box” audits. In a black box audit, for which WebInspect is so valuable, SecureState comes in from the outside to test for vulnerabilities and launch attacks to evaluate how secure the applications are. A white box audit is performed in cooperation with developers who make the application code available to SecureState representatives for evaluation.
“We work with developers right after the QA process to do a security review and find the errors before it goes into production,” said SecureState Application Security Architect Matt Petteys.
Petteys said most coding security issues occur because of inexperience with Web development or just simple oversights. Although developers may understand the tools and how to code the applications, said Petteys, they may be unfamiliar with key security risks.
“Developers will put security on the front end of the application,” Petteys said, “but they’ll sometimes forget about it on subsequent pages.”
Missing access controls are one of the most common errors Petteys finds. Other common problems he encounters, he said, are a lack of data validation and missing or flawed error handling. Error messages displayed to users often contain sensitive information that a hacker might exploit to launch an attack. Petteys said such errors should be captured and logged, and user-friendly messages shouldn’t reveal more information than the user needs.
“We’ve actually seen an error from a database being propagated and shown to the user, providing information that could lead to access to more data,” Petteys said.
Error messages that aren’t captured and filtered for the user can reveal how the site is laid out, Stasiak said, allowing unscrupulous users to access different locations and files.
According to Stasiak and Petteys, WebInspect reveals details auditors can use to test what weaknesses can be exploited. WebInspect will query against the site, for example, and reveal data exchanged between the client and the server, including user account numbers.
Stasiak said that with the information WebInspect provides, his team can change parameters and resubmit queries to see if those common hacker tricks will give them access to other users’ data.
An invaluable tool
Because it automates many of the auditing tasks, WebInspect can greatly expedite the process of conducting a security assessment. Stasiak said most of the financial institutions in the Cleveland area have outsourced their Web application security to SecureState, and it typically conducts about three or four reviews per month. It takes one or two weeks to perform a typical Web app review, he added.
Stasiak said SecureState has evaluated a number of security auditing tools over the years and has found that the automation and customizability of WebInspect have made it SecureState’s tool of choice for assessing Web application security.