Testing the security of corporate applications is part of everyday life for Ops and DevOps professionals. Larger companies have whole teams dedicated to independent security testing, called Red Teams. These folks use the various tools at their disposal to discover flaws in both applications and infrastructure. These teams often take the same approach as pen testers — external contractors hired to penetrate the company defences.
More recently, many companies are supplementing their internal and contracted testing with bug bounty programs, extending an invitation for ethical hacking to the entire security community. We talked about bug bounties in an earlier blog post.
Today we want to talk about the tools used for these ethical hacking attempts, as well as on an ongoing basis to verify security posture.
The broad category of these tools is called “scanners”, and it covers a wide range of products, from free network scanners like Nessus to desktop tools for crafting custom HTTP requests like Burp Suite.
Scanners’ strengths and shortcomings
Most scanners are external to both the application and the infrastructure. This means they are language- and platform-independent and can test many applications regardless of the language or framework in use. The downside of this approach is the lack of application context and knowledge of the attack surface: the tests/attacks use standard payloads rather than payloads customized for the application.
Detection is limited to previously known vulnerabilities and relies on regular-expression rules to interpret the response. We covered this topic in more depth in our “What’s wrong with DAST” white paper.
Most scanners are limited in their ability to understand complex API data formats (e.g. base64 encoding embedded inside JSON) and the dynamic responses common to Single Page Applications (SPAs).
Some scanners are limited to what they can test unauthenticated or, in the case of grey-box testing, with limited-rights test accounts, which frequently leads to overlooking vulnerabilities specific to certain user roles.
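To make the regular-expression and base64-in-JSON limitations concrete, here is an added example (not Wallarm code, and not a real scanner's rule set): a constructed JSON response hides a database error message inside a base64 field, a signature rule applied to the raw body misses it, and the same rule applied after walking the JSON and decoding base64-shaped strings finds it. The response, the rule and the base64 heuristic are all constructed for this illustration.

```python
import base64
import binascii
import json
import re

# Constructed sample: a JSON API response whose "payload" field is a base64 blob
# that, once decoded, exposes a database error message (an information leak).
SAMPLE_RESPONSE = json.dumps({
    "status": "error",
    "payload": base64.b64encode(
        b"You have an error in your SQL syntax; check the manual").decode(),
    "meta": {"request_id": "abc123", "retries": 0},
})

# Response-matching rule of the kind a signature-based scanner uses
# (constructed for this example, not a real product's rule set).
RESPONSE_RULES = {
    "sql-error-disclosure": re.compile(r"error in your SQL syntax", re.I),
}
# Heuristic shape of a base64 string: alphabet chars, at least 16 long, optional padding.
B64_SHAPE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")

def maybe_decode_base64(value):
    """Return decoded UTF-8 text if value looks like base64, otherwise None."""
    if not B64_SHAPE.match(value):
        return None
    try:
        return base64.b64decode(value, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None  # not valid base64, or binary rather than text

def walk_strings(node):
    """Yield every string value inside a parsed JSON document, recursively."""
    if isinstance(node, str):
        yield node
    elif isinstance(node, dict):
        for child in node.values():
            yield from walk_strings(child)
    elif isinstance(node, list):
        for child in node:
            yield from walk_strings(child)

def match_rules(body, decode_nested):
    """Names of rules that fire on body; with decode_nested, also on base64 found in JSON."""
    texts = [body]
    if decode_nested:
        try:
            doc = json.loads(body)
        except json.JSONDecodeError:
            doc = None  # not JSON: nothing to walk, fall back to the raw body only
        texts += [d for d in map(maybe_decode_base64, walk_strings(doc)) if d]
    return sorted(n for n, rx in RESPONSE_RULES.items() if any(rx.search(t) for t in texts))
```

Running `match_rules(SAMPLE_RESPONSE, False)` returns no findings, while `match_rules(SAMPLE_RESPONSE, True)` reports the disclosed error; the base64 heuristic is deliberately loose, so a real rule set would also need to cope with nested encodings and non-text blobs.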
How Wallarm Scanner works
The Wallarm set of Application Security Tools attempts to compensate for the shortcomings found in most scanners. We combine network asset discovery, typical network-based vulnerability scanning, monitoring of app responses (passive scanning), a fuzzing approach for generating payloads, and knowledge of the application-specific context and logic to provide functionality that is really in a category of its own.
It uses “hacker intelligence” gathered from malicious traffic (attacks) to learn from the hostile internet environment, and relies on the Wallarm Cloud’s knowledge of the application logic and context to analyze application responses. The Wallarm Scanner is an integral component of the all-in-one Wallarm security platform, providing inputs to Wallarm reinforcement learning and closing the feedback loop with the Wallarm Application Security Protection functionality.
Our recently published “Understanding Wallarm Scanner” white paper provides a closer look at the Wallarm Scanner architecture and the interaction between its different modules.
It’s worth a read!