Proactive vulnerability assessments are key to security.
The expression “forewarned is forearmed” rings true today when we consider computer security. Rather than waiting for a would-be attacker to wreak havoc, you can turn to a growing number of vulnerability assessment tools and services. Armed with the information they provide, you can close holes before they are exploited and bolster your defenses.
Vulnerability assessments can focus on different portions of your computing environment. For example, some tools and services offer detailed inspection of your network to ferret out potential weaknesses while advising you how to correct them. Likewise, you will find assessment tools that inspect your Web application environment; we’ll examine some of these in a moment. Other solutions focus on databases such as DB2, Oracle, Sybase, and SQL Server, as well as e-mail servers.
One reason vulnerability assessment tools are gaining ground and proving useful is the practice of information sharing. As new security threats arrive on the scene, vulnerability databases and vulnerability dictionaries are cataloging the latest problems and making that information available to a variety of assessment tools and services.
One such vulnerability resource is the Common Vulnerabilities and Exposures (CVE) dictionary, which, as of April 2003, had more than 2,500 entries. Each entry gives a known vulnerability a single standard identifier, so that the tools and services you use to examine your security infrastructure can all refer to the same problem by the same name. See the CVE Web site for a list of tools and services that are CVE-compatible.
However, CVE is not the only resource for information on the latest security threats. There are several vulnerability databases available, including ones from CERT and the National Institute of Standards and Technology (NIST’s ICAT metabase, which indexes CVE entries). When considering vulnerability assessment tools and services, be sure to look for solutions that provide ongoing updates from one or more of these databases so you can keep current on security threats and how to protect yourself against them.
Last month in this column, we looked at the types of vulnerabilities that can be introduced when you implement Web applications. Some of the more common weaknesses attackers use to take advantage of Web applications are server configuration errors, unpatched software, unused services left running, unprotected administration tools, unvalidated input in application requests, poorly configured encryption, and access control mistakes.
Whether your Web applications are simple or complex, taking the time to perform ongoing vulnerability assessments helps keep your applications available and less prone to attack. Of course, assessment tools are not a replacement for a good firewall, antivirus software, and other security measures; an assessment only tells you what is exposed, it does not fix it. Adding assessments simply raises the level of security for your organization.
Like other security technologies (such as firewalls), tools and services in the vulnerability assessment category are all over the map in terms of both functionality and price. Let’s examine a few of these tools and services to get an idea of what you’ll find there.
Inspecting the inspectors
Sanctum’s AppAudit does just what its name implies. AppAudit is a service that examines potential Web application vulnerabilities at a high level. A service-based approach to vulnerability assessment is a good choice for small- and medium-size companies that may not have the budget, or the staff, for licensed tools of their own.
AppAudit uses scripts built in-house at Sanctum to examine a variety of methods that an attacker might use to gain unauthorized access to your Web site and applications.
Beyond examining your site in relation to known vulnerabilities, AppAudit looks for such things as buffer overflows, parameter tampering (ways that application parameters can be manipulated), and cross-site scripting. Upon completion of the audit, Sanctum supplies a report of the vulnerabilities found, along with recommendations for securing the applications.
Sanctum also offers a tool-based approach to vulnerability assessment testing. A second Sanctum solution, AppScan, is best used in Web application environments that have a testing or quality assurance phase before deployment. AppScan can ferret out possible vulnerabilities at the Web server, application server, and database layers. It is a bit pricey for some budgets, with subscriptions starting at $5,000.
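To make concrete what these assessments actually do, here is a small Python probe. It is an added example, not code from this column or from Sanctum or any other vendor mentioned here. It starts a constructed, deliberately weak target on the loopback interface and runs three of the checks discussed above and in last month’s list: a version-disclosing server banner (unpatched software), an administration path that answers without authentication, and a request parameter reflected unescaped (unvalidated input leading to cross-site scripting). The target, its paths, the short admin-path list, and the canary string are all assumptions made for the demonstration.

```python
"""Minimal Web application vulnerability probe (added example).

The target below is constructed for this demonstration and is weak on
purpose; it is not a real product.  The scanner exercises three checks of
the kind the column describes and returns its findings as data so they
can be reported or asserted on.
"""
import threading
import urllib.error
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Assumed list of administration paths to probe (real tools carry thousands).
ADMIN_PATHS = ["/admin/", "/manager/html", "/phpmyadmin/"]
# Unique canary; if it comes back verbatim the page does no output encoding.
XSS_CANARY = "<zz1337>"


class VulnerableHandler(BaseHTTPRequestHandler):
    """Constructed target exhibiting three weaknesses on purpose."""
    server_version = "Apache/1.3.26"   # old version string sent to every client
    sys_version = ""

    def do_GET(self):
        parsed = urllib.parse.urlsplit(self.path)
        if parsed.path == "/admin/":
            body = "<h1>Admin console</h1>"            # no authentication at all
        elif parsed.path == "/search":
            q = urllib.parse.parse_qs(parsed.query).get("q", [""])[0]
            body = f"<p>Results for {q}</p>"            # reflected without escaping
        elif parsed.path == "/":
            body = "<p>Welcome</p>"
        else:
            self.send_error(404)
            return
        data = body.encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):
        pass  # keep the demonstration quiet


def fetch(url):
    """Return (status, headers, body); HTTP error codes are normal responses here."""
    try:
        with urllib.request.urlopen(url, timeout=5) as resp:
            return resp.status, dict(resp.headers), resp.read().decode(errors="replace")
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers), err.read().decode(errors="replace")


def scan(base):
    """Run the three checks against base (e.g. http://127.0.0.1:8080)."""
    findings = []
    # 1. Banner disclosure: a Server header carrying a version number tells an
    #    attacker exactly which advisories to look up.
    _, headers, _ = fetch(base + "/")
    banner = headers.get("Server", "").strip()
    if banner and any(ch.isdigit() for ch in banner):
        findings.append(("banner-version-disclosure", banner))
    # 2. Unprotected administration tools: a 200 with no challenge is a finding;
    #    401/403/404 are the expected answers.
    for path in ADMIN_PATHS:
        status, _, _ = fetch(base + path)
        if status == 200:
            findings.append(("unprotected-admin-path", path))
    # 3. Unvalidated input / reflected XSS: send a canary, see if it echoes raw.
    url = base + "/search?" + urllib.parse.urlencode({"q": XSS_CANARY})
    status, _, body = fetch(url)
    if status == 200 and XSS_CANARY in body:
        findings.append(("reflected-xss", "/search?q"))
    return findings


def start_target():
    """Start the constructed target on a free loopback port; returns (server, base_url)."""
    server = HTTPServer(("127.0.0.1", 0), VulnerableHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}"


if __name__ == "__main__":
    srv, base_url = start_target()
    for kind, detail in scan(base_url):
        print(f"{kind}: {detail}")
    srv.shutdown()
```

Run against the constructed target it reports all three findings; point it at a hardened server and the banner check, admin probes and canary should all come back empty. The commercial tools in this column do the same thing with far larger check lists and signature updates, which is exactly why the database feeds discussed earlier matter.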
The open-source community is also taking an active role in helping organizations examine Web applications for vulnerabilities. One such project is “cgichk” which looks for Web site vulnerabilities by providing automation for tasks that a system administrator might normally perform.
A more comprehensive open-source solution is the Nessus Security Scanner, which currently can test your network and applications using more than 1,200 different checks. Nessus looks for backdoors, ways to gain remote access (including root privileges), and the presence of unused services. Given its broad platform support, cost (free), and functionality, Nessus is a good bet for small- and medium-size companies.
N-Stalker’s N-Stealth is another budget-priced comprehensive tool. This Web server-auditing tool can check for more than 20,000 possible vulnerabilities. You can use it to locally or remotely scan a Web server after plugging in the IP address of the server to be tested. N-Stealth can work with vulnerability entries from the Common Vulnerabilities and Exposures (CVE) dictionary, but it can also scan for things like potential buffer overflows. Like many other tools, N-Stealth provides reporting following a scan so an organization can take action on the results.
One pricey option
Kavado’s ScanDo is a tad pricey compared to the rest of the market, with prices starting at $15,000. However, ScanDo is one of the most comprehensive solutions on the market today. It integrates the CVE dictionary as well as NIST’s ICAT metabase. Scans can be focused on one or more areas, performed on a scheduled basis, and tailored to match the company security policy.
Aside from checks such as buffer overflows and field manipulation, ScanDo is one of the first vulnerability solutions able to check for security problems with Web services and the SOAP protocol. If your company is an early adopter implementing Web services, ScanDo might be a good choice to ensure security in this emerging technology.
SPI Dynamics’ WebInspect also supports Web services vulnerability scanning (though it’s a bit cheaper). This solution goes beyond Web server scanning to include middle-tier technologies, such as IBM’s WebSphere, BEA’s WebLogic, and Microsoft’s .NET. Companies that are using Java or .NET technologies in Web applications will find agent-technology in WebInspect that can ferret out possible problems. WebInspect also provides facilities for exporting of scanning output. Reporting modules are also included with WebInspect.
Finally, there is another open-source project called Whisker. This free tool is operating system-independent and is written in the Perl language. Whisker is ideal for Web environments that use CGI.
As you can see, vulnerability assessment tools differ widely in terms of price and functionality. However, it is not necessary to spend a lot of money before realizing an increase in Web application security. Both Nessus and N-Stealth are good examples of solutions that can fit into many budgets.
They say the best offense is a good defense, and the same idea applies equally well to computer security. Taking proactive steps, such as performing vulnerability assessments, helps to boost your defense against possible threats.