Web Security - Scanners, Firewalls and the SDLC

There is no magic bullet for website security. If you’ve got a strategically important web product then you have to take a strategic approach to its security. You’ll find a lot of online resources that discuss how to do this. The OWASP site remains the most comprehensive and best.

As soon as a website is in production being used by customers, it’s also immediately subject to the myriad of online risks. The challenge is to keep abreast of what vulnerabilities you’re exposed to and how much risk you’d be exposed to if they were to be exploited.

I’ve talked at length about making use of vulnerability scanning tools for this task, and their limitations. Just recently I’ve had three different products put through their paces: HP WebInspect (formerly SPIDynamics), NGS Typhon, and the Acunetix WebScanner.

I’m not going to write up a review – each of them has strengths, each of them has limitations. I was pretty shocked by the price of WebInspect (nearly £20k for a single license) while the Acunetix product comes in at less than a quarter of the price for doing the same job (and giving the same results but without the flashy reporting). Typhon’s pricing is somewhere in between, which surprised me because I remember purchasing a copy a few short years ago for half the price of what NGS are selling it for now.

Of course, there are always alternative approaches to mitigating risk to your products once they are in production. Application firewalls are one such approach. This blog here discusses some of the reasons why it can be a good one. Of course, if you use an application firewall as well as regular vulnerability scanning then you’ll be mitigating a greater degree of risk.

My preference is for security to be built into the development lifecycle – Michael Howard’s blog is one of the best (apart from this one, of course) discussing this subject.

One thing I’m going to come back to though is to make sure you also test those third party components and applications that form part of your own – especially content management systems and shopping basket applications. Those could well be the weak link.