Website attacks may go unnoticed for months as hackers steal confidential information. The financial losses and reputational damage from a potential breach are spurring organisations on to protect their web applications. Here we find out from Ilia Kolochenko, CEO of High-Tech Bridge and Chief Architect of ImmuniWeb, how to keep your website safe in 2015.
TechRadar Pro: What tools are organisations turning to in order to protect their websites?
Ilia Kolochenko: When security breaches fill the news with stories of stolen customer data and website failures, organisations typically turn to automated scanners. And this overreliance on scanners is leaving organisations in a vulnerable position. Unfortunately, there is still a common misconception that fully-automated website vulnerability scanning brings the same results as manual web application penetration testing.
TRP: Why do we still need manual penetration testing?
IK: The need for human skills was recently demonstrated by a major new analysis (reported by Ars Technica) conducted by the universities of KU Leuven (Belgium) and Stony Brook (New York).
The researchers tested websites "protected" with various trust seals provided by security vendors delivering automated vulnerability and malware scanning services – reputable companies including Symantec, McAfee, Trust-Guard, and Qualys.
The research showed "that seal providers perform very poorly when it comes to the detection of vulnerabilities on the websites that they certify." This is a weakness inherent in almost all fully-automated solutions – they can only go so far before their output needs to be analysed by a qualified pentester (penetration tester).
TRP: Tell us how vulnerability scanning works.
IK: Vulnerability scanning can be very cheap or even free, while penetration testing can be considered quite expensive and time-consuming to plan and execute. However, penetration testing brings significant added-value in comparison to all types of malware or vulnerability scanning currently on the web security market.
In fact, today almost anybody can do vulnerability scanning: you just need to download any of a number of vulnerability scanners – some quite excellent – and run them against a website. They will generate an automatic report providing numerous actual and potential vulnerabilities and weaknesses – and probably a number of false positives as well.
False positives are time-consuming – you need to verify every single issue the scanner detects. Much worse are false negatives – existing vulnerabilities that automated solutions miss, leaving systems vulnerable and giving website administrators a false sense of security. Some automated solutions may assign a medium risk to 403 or 500 error pages returned by the web server (which are not vulnerabilities, just error pages).
Finally, website administrators, under strain from heavy workloads, start ignoring all medium-risk vulnerabilities from daily scanning reports. As a result they miss important information about real vulnerabilities that deserve their attention.
TRP: Which companies should be using vulnerability scanners?
IK: Security scanners are probably a must-have tool for large companies that perform some of their security testing internally, relying on in-house security professionals who are capable of verifying and completing the results of an automated scan. Automated vulnerability scanning can also be very useful to keep internal teams up to date about the general state of their web applications.
However, automated solutions and security scanners are not capable of replacing a penetration test. They are also not suited for SMBs, nor for projects where companies need both rapidity and the highest quality of security testing.
TRP: What are the advantages of manual penetration testing?
IK: True pentesting starts from where a vulnerability scan finishes. A pentester will take the reports from probably several different scans and use his personal skills and experience to weed out the false positives, and identify missed vulnerabilities.
In particular, he is likely to recognise the weaknesses in the business logic, which scanners cannot efficiently detect, and see how otherwise minor technical flaws can be chained together to effect a major breach. A recent example of an application logic flaw is Alibaba's website, where a tiny bug exposed the most sensitive information of millions of users. Another recent example is a similar vulnerability in the Delta Airlines website, where URL manipulation allowed access to anyone's boarding pass.