BEST PRACTICES FOR SELECTING A WEB APPLICATION SCANNING (WAS) SOLUTION

Reporting

Are vulnerabilities prioritized in reports?
Advanced WAS solutions can rank vulnerabilities by severity, based on industry standards such as OWASP, WASC, and CWE. This helps you determine efficiently how and when to address each issue, which is particularly important for complying with mandates that require proof that severe vulnerabilities are being promptly identified and fixed.

Does the WAS give you a continuous view across scans?
To avoid revisiting old issues, look for WAS solutions that track whether each vulnerability found is new, being worked on, already fixed, or accepted as not worth fixing. In addition, advanced WAS solutions provide "differential reporting" that highlights changes from one scan to the next.

Can you report on multiple applications at once?
All WAS products let you examine the results of individual scans. Look for solutions that can also report across many or all of your apps at once, so that you get an automatic picture of your overall security posture.

Can reports be customized to multiple audiences?
To fit your organization's way of operating, look for modern WAS solutions that allow reports to be extensively customized to different audiences and needs, for example scorecards for executives and full details for IT teams.

Can you mark vulnerabilities as accepted?
Some vulnerabilities are riskier to fix than to leave alone. Look for WAS solutions that let you accept specific vulnerabilities so they are no longer flagged as open issues on reports.

Can data from penetration testing be reported alongside automated scan results?
Sometimes it is useful to dive deeply into particular application vulnerabilities using interactive penetration testing tools. The most common "pentesting" software, Burp Suite, is often used to see what information could be compromised. Newer, automated WAS solutions work with penetration testing tools to capture and store results obtained manually. This allows vulnerability information from all sources to be organized, maintained, and reported on together, giving a consolidated view of application security.

Fixing/Remediation

Does the WAS guide you in fixing vulnerabilities?
Best-in-class WAS solutions provide information with each vulnerability to help you understand the underlying cause of the problem and what you can do to fix it.

Can the WAS be used to debug apps during development without affecting production versions?
Scanning applications during development significantly lowers the risk that vulnerabilities will appear when the app goes into production. Make sure your WAS solution allows different versions of an application to be scanned and managed by different users, so that your developers can test without impacting the scanning of your production systems.

Does the WAS work with Web Application Firewalls (WAF) to protect your apps with "virtual patches"?
The point of finding vulnerabilities is to protect against them. But development resources aren't always available immediately, and rolling changes into production can take days or weeks. You may even find issues in code that you don't control. Fortunately, security technologies such as Web Application Firewalls (WAF) can be used to shield your web apps against malicious input and reduce the risk of an attacker breaking in. Modern WAS solutions can notify application firewalls when vulnerabilities are found. This lets firewall administrators, or the firewall itself, create "virtual patches" for the app that block attempts to exploit the newly found vulnerabilities. Look for next-generation WAS and web application firewall solutions that work together to automatically detect and protect against suspicious usage.

Administration

Is system maintenance required for the WAS, such as patching software or doing backups?
On-premise WAS solutions are like other software products: they often require never-ending administration to keep them up to date and supplied with enough CPU, memory, disk, and network resources. Cloud solutions eliminate this burden, allowing you to focus your time and energy on using your WAS solution instead of caring for it.

COPYRIGHT © 2013, QUALYS, INC. MAY 16, 2013

Costs

Could I save money by using free, open-source WAS software instead?
Open-source packages eliminate the software usage costs associated with on-premise WAS solutions, but still leave you with other expenses: hardware, customization, IT, training, and support. At some point you will likely need new capabilities, and you will either have to pay outside developers to provide the features you need or increase your internal staff.

What costs are required for the WAS?
This is an important difference between on-premise and Cloud solutions:

    Costs of the Solution                                  On-Premise Software   Cloud Service
    Upfront hardware (servers, storage, infrastructure)    $
    Software usage                                         $                     included
    Distributed scanner appliances for internal networks   $                     optional
    Maintenance                                            $
    Support                                                $                     included
    Deployment professional services                       $
    Database admin (including backup)                      $
    Expansion hardware (as needs grow)                     $
    Expansion deployment services                          $
    Integration with other security systems                Custom services       APIs

On-premise software: Installing WAS products in your network can entail a variety of costs, from hardware to personnel. Capacity planning is crucial. Buy too much and you waste money; buy too little and you may end up replacing hardware or paying for additional deployment services as you grow.

Cloud service: Most Cloud-based WAS solutions are offered as annual subscriptions that include the latest software, support, and administration of the platform from which the solution is delivered. Incremental services, such as scanners for internal apps, are simply additions to your subscription. As your

What type of support comes with the WAS solution?
Web application issues can appear at any time, day or night, and often require immediate response. Look for WAS solutions that offer 24x7x365 support (telephone, email, and online documentation) backed by a contractual service-level agreement (SLA). Many Cloud solution providers include this as part of every subscription.

Is training included with support?
Look for WAS solutions that offer live and recorded training as well as certification programs. Cloud solution providers often include this in your subscription at no extra cost.

Vendor

Does the vendor have a reputation for quality, accuracy and usability?
Web applications are becoming the front door to many organizations' most valuable information. WAS solutions exist to protect that information, and the business behind it. Ask for references from businesses similar to yours.
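The "continuous view across scans" and "mark vulnerabilities as accepted" questions above describe a concrete piece of logic: match each finding across two scans by a stable identity, assign it one of the states new, being worked on, fixed or accepted, and produce a differential report. The following is an added example written for this page, not code from the guide or from any Qualys product. The finding fields, the matching key (URL path, parameter, check name), the extra "open" state for an unchanged finding nobody has claimed, and the two sample scans are all constructed assumptions.

```python
"""Differential reporting between two scans of one web application.

Added example, not part of the original guide. Findings are constructed
sample data; status names follow the guide (new / being worked on /
fixed / accepted) plus "open" for a carried-over finding nobody owns.
"""
from dataclasses import dataclass

# Assumed severity scale; used only to order findings within a status.
SEVERITY_RANK = {"critical": 5, "high": 4, "medium": 3, "low": 2, "info": 1}


@dataclass(frozen=True)
class Finding:
    url: str        # request path where the issue was observed
    parameter: str  # affected parameter ("-" if none)
    check: str      # scanner check name, e.g. "sqli", "xss"
    severity: str

    def key(self):
        # Stable identity so the same issue is matched across scans
        return (self.url, self.parameter, self.check)


def diff_scans(previous, current, in_progress=frozenset(), accepted=frozenset()):
    """Compare two scans and bucket every finding by status.

    previous / current: iterables of Finding from two consecutive scans.
    in_progress / accepted: sets of finding keys the team has marked
    between scans (ticket opened, or risk accepted).
    Returns {status: [findings sorted by severity, highest first]}.
    """
    prev = {f.key(): f for f in previous}
    curr = {f.key(): f for f in current}
    report = {"new": [], "being worked on": [], "open": [], "fixed": [], "accepted": []}

    for k, f in curr.items():
        if k in accepted:
            report["accepted"].append(f)      # still present, deliberately not fixed
        elif k in in_progress:
            report["being worked on"].append(f)
        elif k not in prev:
            report["new"].append(f)           # appeared since the last scan
        else:
            report["open"].append(f)          # seen before, still unclaimed

    for k, f in prev.items():
        if k not in curr:
            report["fixed"].append(f)         # no longer reproducible

    for findings in report.values():
        findings.sort(key=lambda f: SEVERITY_RANK[f.severity], reverse=True)
    return report


def open_issue_count(report):
    """Scorecard number: everything that still needs action."""
    return sum(len(report[s]) for s in ("new", "being worked on", "open"))


# Constructed sample scans (not real results).
SCAN_PREVIOUS = [
    Finding("/login", "user", "sqli", "critical"),
    Finding("/search", "q", "xss", "high"),
    Finding("/", "-", "missing-hsts", "low"),
]
SCAN_CURRENT = [
    Finding("/search", "q", "xss", "high"),          # unchanged
    Finding("/", "-", "missing-hsts", "low"),        # unchanged, risk accepted
    Finding("/api/items", "id", "idor", "high"),     # new this scan
]
IN_PROGRESS = {("/search", "q", "xss")}
ACCEPTED = {("/", "-", "missing-hsts")}


if __name__ == "__main__":
    result = diff_scans(SCAN_PREVIOUS, SCAN_CURRENT, IN_PROGRESS, ACCEPTED)
    for status, findings in result.items():
        for f in findings:
            print(f"{status:16} {f.severity:9} {f.check} at {f.url} [{f.parameter}]")
    print("open issues:", open_issue_count(result))
```

The key is what makes a continuous view possible: if a scanner reports a vulnerability by an unstable identifier (a per-scan sequence number, or a URL that includes a session token), the same issue is counted as "new" and "fixed" on every run and the differential report becomes noise. Accepted findings stay in the report, but out of the open count, so the decision is visible to auditors without recurring as work.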