Comparing Web App Scanners
Updated: Sep 14, 2021
Since our last newsletter, we discovered a new application vulnerability scanner, Cyber Chief, that advertises itself as able to help development teams release code with “zero known vulnerabilities”. Naturally, we couldn’t resist putting such a bold claim to the test. Moreover, as we recently discussed asset management, we decided to discuss the next step of a robust security program, vulnerability management, by analyzing this scanner along with some other popular application vulnerability scanners on the market.
First, nearly all compliance standards (e.g. NIST 800-53 3.16 RA-5 and PCI Requirement 6.1) have requirements for vulnerability management, including scanning on a regular basis. For various reasons, the focus of vulnerability management tends to be on network services, which are fairly standard and have robust scanning tools available, while web applications tend to be overlooked due to their complexity and the number of false positives often discovered in scanning software. Nevertheless, as more and more network services move into internal networks behind firewalls and websites become the de facto tool for accessing internal services, it is more important than ever to ensure that web applications are integrated into a vulnerability management program.
In that regard, we analyzed the effectiveness of four application scanners: Cyber Chief, BurpSuite, OWASP ZAP, and Nessus from Tenable.
Starting with the newest software, Cyber Chief is a cloud based web scanner that aims for simplicity. True to its mission, Cyber Chief doesn’t offer any configurations or settings when it comes to the scan engine. As a user, you simply input your target URL and credentials to the target application, for authenticated scans, and let the engine run. Due to its ease of use, it is ideal for development teams without strong security backgrounds. Moreover, its results exceeded our expectations for a purely automated web application scanner. Nevertheless, the scanner did miss several big issues in the test application we scanned with it and the lack of any insight into how the scanner performs and what checks it analyzes should give security engineers pause.
Ease of Use: A
BurpSuite is a web application scanner designed by PortSwigger. We used BurpSuite Pro, which is designed for security engineers and penetration testers, for this test, but PortSwigger also offers a fully automated Enterprise software that allows mass scanning against applications using the same rule engines as the Pro version. BurpSuite is our tool of choice for application testing so we were very interested to see how it would compare. Fortunately, we were not disappointed. While not nearly as intuitive to new users as Cyber Chief, BurpSuite returned comparable results without any advanced configurations. Moreover, after we made some minor modifications to the scanner to tailor it to the target application, it identified many issues that Cyber Chief missed.
Ease of Use: A-
The Zed Attack Proxy (ZAP) offered by the OWASP community is the only free and open source scanner on this list. It is a fantastic project and an excellent scanning tool for its price. Nevertheless, it is not an intuitive tool to use and always takes us several minutes to reorient ourselves to using it. In addition, its automated scan results without any additional configurations or settings adjustments missed all of the high risk issues that the other tools identified.
Ease of Use: C
Nessus Pro Web Scanner
The Nessus Pro from Tenable is justifiably one of the leading network scanning tools on the market. While it will perform a number of web application tests as part of its network testing, it also has a dedicated web scanning module. However, the module requires a number of configurations to execute at all and, even when properly configured, ultimately returned results that were weaker than the other tools.
Ease of Use: D
Our biggest takeaway from this exercise is that web scanners still return the best results when appropriately configured for the target application by a security engineer (good thing we have some of those!). If there are other scanners you are interested in seeing compared to these, let us know and we will add them to our list!
With all of the discussion recently around Ransomware, the Ransomware Task Force from the Institute for Security & Technology released a comprehensive guide towards combating ransomware. The guide includes recommendations for organizations to both prepare for and respond to ransomware attacks.
Apple patched recent zero day vulnerabilities in their browser WebKit technology that affected any devices running iOS or macOS. Several news reports indicate that these vulnerabilities are actively being exploited so it is recommended to update all Apple devices as soon as possible.
The Pennsylvania state government recently demonstrated the financial cost of bad security, when they terminated a 28.7 million dollar contract with Insight Global after the latter had a data breach. As a wise newsletter once said, “that is a lot of justification for your security budget”.
Following up on the success of the Solarwinds attack at the end of 2020, other threat actors are following the same supply chain attack pattern. Most recently, the Cybersecurity & Infrastructure Security Agency reported a compromise of the Codecov software where a malicious bash uploader script was added to Codecov’s software. This compromise was originally discovered on 4/1/2021, but Codecov just released additional details, including indicators of compromise and IP addresses that were part of the exploit.
This past week, Dell released an advisory with measures and steps that users can take to mitigate the risk of a recent vulnerability found in all Dell hardware that has gone undetected since 2009. The vulnerability allows a malicious user with access to the system to escalate privileges to the root, administrator user.