February 06, 2004

Checking for signs of weakness

KaVaDo and Sanctum provide software that probes Web apps for potential vulnerabilities and provides sound analysis

The two Web application firewalls from KaVaDo and Sanctum come with companion application vulnerability scan products to enhance the total security provided for the application. While no scan software can provide the depth of vulnerability discovery and analysis that would come from a professional penetration test, we found that each of the scanners we reviewed brought useful information into the security planning process.

KaVaDo ScanDo

KaVaDo’s ScanDo is a rarity among network security software: It’s easy to use, it works well, and it looks good. The built-in options for scanning are comprehensive, enabling vulnerability searches based on a wide variety of criteria, including exploits of Web services such as SOAP and of particular Web application development languages including Visual Basic and JavaScript.

ScanDo pauses its automatic assessment when it finds an exception, a trait that demands a high level of interactivity from whoever runs the scan. This interactivity increases with the ability to store, modify, and relaunch (or replay) attacks to completely understand the nature of the vulnerability. The replay function reauthenticates with the application, although it will also replay solely from stored forensic data.

If the included scans and attacks are not sufficient, ScanDo includes a full Visual Basic IDE so that new exploits can be created or completely new applications developed around the scan engine.

Results of scans are stored in an .mdb file and an ODBC-compliant database, making them available to a variety of reporting and management tools. ScanDo’s internal reporting console is quite good, generating an XML file with a GUI front end that makes it easy to design individual reports focused on various aspects of the scan results. Report formats include an executive summary replete with colorful charts and detailed technical reports that provide outside references and suggested remediation for each vulnerability (plus complete details on the script that found the vulnerability and its results).

ScanDo won’t eliminate the need for troubleshooting. Web sites designed to thwart spiders will give the software trouble, and a site’s custom error messages must be added to ScanDo’s vocabulary before it can tell a missing page from a live one. What’s impressive about ScanDo is how good the interface for making those changes is, as well as the superb presentation of results when the scans are complete.

Sanctum AppScan

In an effort to build security into Web applications throughout their life cycles, Sanctum offers three AppScan products, each aimed at a different development or deployment phase. We looked at AppScan Audit, the “final” product, which is intended to test functional applications for compliance with internal and external security standards. We found that AppScan Audit provides a good assessment of exploits and vulnerabilities that cause the most severe security headaches.

AppScan Audit begins with a user interface that feels much more polished than that of AppShield. Installing, setting up, and managing AppScan Audit were all handled easily through a useful, easy-to-understand GUI.

As with ScanDo, a certain amount of customization was required before AppScan Audit could successfully probe our WebGoat test application. Adding information such as new 404 formats (to deal with Apache Tomcat error messages) was simple and well-described in the documentation. Following the customization, AppScan Audit was given a starting point in the Web site and sent on its way.
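Both scanners needed the same kind of tuning: ScanDo had to be taught the site’s error messages, and AppScan Audit needed new 404 formats for Tomcat’s error pages. The script below is an added example, not ScanDo or AppScan code, showing what that customization does inside a scanner. It keeps a list of error-page signatures (a stock Tomcat 404 body, plus an assumed branded page), lets the operator add a new format by hand, and, where the application answers missing pages with 200 OK (a “soft 404”), learns what that page looks like by requesting paths that cannot exist. The `Response` class, the `make_fake_site` stand-in for a Tomcat application, and every response body are constructed for the example; nothing is captured from a real target.

```python
"""Teaching a scanner what this site's "not found" page looks like.

Added example, not ScanDo or AppScan code. All responses below are
constructed for the example, not captured from a real application.
"""
import random
import re
import string
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass
class Response:
    status: int
    body: str


# Body signatures for error pages the scanner already knows. The Tomcat
# pattern follows the wording of the stock Tomcat error page; "branded-404"
# is an assumed application-specific page, not taken from any product.
ERROR_SIGNATURES: Dict[str, "re.Pattern[str]"] = {
    "tomcat-404": re.compile(r"HTTP Status 404\b.*?is not available", re.S | re.I),
    "branded-404": re.compile(r"<h1>\s*Page not found\s*</h1>", re.I),
}


def _random_path(length: int = 16) -> str:
    """A path that cannot plausibly exist on the target."""
    return "/" + "".join(random.choices(string.ascii_lowercase, k=length))


class NotFoundDetector:
    def __init__(self, fetch: Callable[[str], Response],
                 signatures: Optional[Dict[str, "re.Pattern[str]"]] = None) -> None:
        self.fetch = fetch
        self.signatures = dict(signatures or ERROR_SIGNATURES)
        self.baseline: Optional[str] = None  # normalised body of a known-missing page

    @staticmethod
    def normalise(path: str, body: str) -> str:
        """Reduce a body to its fixed text: drop the echoed path, tags and digits,
        so a reference number or timestamp does not defeat the comparison."""
        text = body.replace(path, "")
        text = re.sub(r"<[^>]+>", " ", text)
        text = re.sub(r"\d+", "", text)
        return " ".join(text.split()).lower()

    def add_signature(self, label: str, pattern: str) -> None:
        """The manual step from the review: add a new 404 format by hand."""
        self.signatures[label] = re.compile(pattern, re.S | re.I)

    def calibrate(self, probes: int = 2) -> Optional[str]:
        """Fetch paths that cannot exist and remember what the site answers.
        Whatever the status code, that body is this site's "not found" page.
        If the probes disagree the page is too dynamic to fingerprint, and
        only signatures and status codes are used."""
        seen = set()
        for _ in range(probes):
            p = _random_path()
            seen.add(self.normalise(p, self.fetch(p).body))
        self.baseline = seen.pop() if len(seen) == 1 else None
        return self.baseline

    def classify(self, path: str, resp: Response) -> str:
        for label, pattern in self.signatures.items():
            if pattern.search(resp.body):
                return label
        if self.baseline is not None and self.normalise(path, resp.body) == self.baseline:
            return "soft-404"  # 200 OK, but the body is the error page
        if resp.status == 404:
            return "status-404"
        return "live"

    def live_paths(self, paths: List[str]) -> List[str]:
        """What the spider should keep: everything not classified as missing."""
        return [p for p in paths if self.classify(p, self.fetch(p)) == "live"]


# Constructed stand-in for the stock Tomcat 404 body (not a real capture).
TOMCAT_404_BODY = (
    "<html><head><title>Apache Tomcat/5.0 - Error report</title></head>"
    "<body><h1>HTTP Status 404 - /old.jsp</h1><p><b>description</b> "
    "<u>The requested resource (/old.jsp) is not available.</u></p></body></html>"
)


def make_fake_site(pages: Dict[str, str]) -> Callable[[str], Response]:
    """Constructed application: unknown paths get 200 OK plus a branded error
    page that echoes the path and a per-request reference number."""
    def fetch(path: str) -> Response:
        if path in pages:
            return Response(200, pages[path])
        return Response(200, "<html><body><h2>Sorry, nothing here</h2>"
                             f"<p>We could not find {path}. Ref {random.randint(1000, 9999)}"
                             "</p></body></html>")
    return fetch


if __name__ == "__main__":
    site = make_fake_site({"/index.jsp": "<html><body>Welcome</body></html>"})
    det = NotFoundDetector(site)
    print("baseline:", det.calibrate())
    print(det.live_paths(["/index.jsp", "/missing.jsp", "/admin/"]))
```

The order of checks matters: known signatures first, then the learned baseline, and only then the raw status code, because the sites that gave both scanners trouble are exactly the ones whose status codes lie. Calibrating with two random paths rather than one is the cheap guard against a dynamic error page that would otherwise produce a baseline matching nothing.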

©1994-2009 Infoworld, Inc.