[A version of this blog was originally posted on July 16, 2013]
Although accurate automated application security testing has been common practice for many organizations for over 10 years, it remains a very difficult and complex process. There are automation techniques that make a scan as automated as possible, reduce scan times, increase result accuracy, and save you time and money on manual testing.
If you are involved in website security scanning in any way, you know all too well that it's difficult to create an effective test environment. When you are evaluating alternative solutions, we always recommend the following:
1. Allow Enough Time
It is difficult to test for accuracy under a compressed timeframe. It takes time to get comfortable with different configuration techniques and compare results. It takes a lot of time to check and re-check reports for accuracy. To read more about how to ensure the most accurate results, check out our blog, “7 Ways to Improve the Accuracy of your Application Security Tests”.
2. Use A Real Application, Not A Public Test App
Use one of your real applications that you know has vulnerabilities. Scanning vendors are very familiar with the few public test applications that exist, and most make sure their scanners find the vulnerabilities in those test applications, so a clean result there says little about how the scanner will perform on your own code.
3. Find A Vendor You Trust
Unfortunately, in certain instances you will be forced to rely on the word of the scanning vendor, because the way a scanner crawls an application and executes attacks can be a black box. For this reason, you'll find the best website security scanner for your needs if you spend some time on the phone or in person with vendors to learn about what works and what doesn't. Usually, this just means finding a sufficiently technical person to spend some time with you and explain how the scanner actually works, where it performs well, and which types of applications might give it trouble.
When you follow these three simple guidelines, you improve your chances of getting the most automated, accurate and easy-to-manage application security testing solution for any combination of deployment models: software, SaaS and services. To read our top 15 tips for evaluating application security scanners, download this white paper, "Web Application Security Requirements: 15 Requirements and Best Practices for Buyers."
[Note: This blog has been transferred from Dan Kuykendall's blog, manvswebapp.com, as part of Rapid7's acquisition of NT OBJECTives.]