Chapter 13: Web Application Security Scanners

Overview

This chapter is aimed at IT operations staff and managers for medium-to-large enterprises who need to automate the Hacking Exposed Web Applications assessment methodology so that it is scalable, consistent, and delivers an acceptable return on investment (ROI). It is based on the authors' collective experience as security managers and consultants for large enterprises, as well as a review of the available web app security scanning tools commissioned specifically for this edition.

Our focus in this chapter is on black-box assessment of live web applications; more specifically, on web application vulnerability scanning tools targeted at production-deployed applications. Thus, we won't be considering other large-scale security automation technologies such as preventative tools (web application firewalls, for example) or monitoring technologies (such as Intrusion Detection Systems, IDS). We also won't cover software development lifecycle (SDLC)-focused technologies like software quality assurance (QA) testing suites or automated source code review tools (see Chapter 12 for those).

The chapter is organized around the IT mantra of "people, process, and technology." We'll spend the bulk of the chapter reviewing several off-the-shelf web application security scanners, and will finish with a brief examination of the role of process and people in a successful web app security scanner deployment.

Hacking Exposed Web Applications, 3rd Edition
ISBN: 0071740643
Year: 2006
Pages: 127
