IT MANAGEMENT RESEARCH,
INDUSTRY ANALYSIS AND CONSULTING
Executive Summary
The need for securing applications has never been greater. Security researchers see application
vulnerabilities as one of today’s most significant areas of security risk to enterprise interests and sensitive
information—and attackers increasingly recognize this exposure as well. Vulnerable applications
have been targeted not only to gain access to the information they manage, but to further propagate
and amplify attacks when they are exploited to host so-called “drive by” threats that target users of
otherwise legitimate—and sometimes well-recognized—Websites.
The challenge is that these applications are often developed and maintained by an enterprise’s own
development and management teams. This differs from so-called “commercial off-the-shelf” or COTS
applications, which are typically maintained by a third-party software vendor that has a vested interest
in maintaining their security. The security of an enterprise’s own applications falls on the enterprise
itself—which means that the enterprise must take the lead in maintaining vigilance over this increasingly
exposed avenue of exploit. This has led businesses to make an increasing investment in application
security tools—but which ones deliver the needed set of capabilities for any one unique organization?
ENTERPRISE MANAGEMENT ASSOCIATES® (EMA™) coverage of Web application security
products begins in the same place that most companies begin their application security capabilities,
in Website Vulnerability Assessment. Website Vulnerability Assessment products are also commonly
called Black Box or Dynamic application vulnerability assessments products. However, for the purpose
of this report they will simply be referred to as Website Vulnerability Assessment (WVA) products.
WVAs are so called because they require no knowledge of application internals or the underlying code
base, but rather perform their analysis on the basis of the application’s observable real-time behavior.
This is an assessment run from an attacker’s view. In other words, the assessment is run from a user’s
perspective once an application is either deployed in a production environment, or has progressed far
enough in the Software Development Lifecycle (SDLC) to be considered production-ready. These
assessments are particularly useful because they allow companies to gain a better understanding of how
their applications look to an attacker.
Unfortunately, these types of assessments can be fairly difficult. This is primarily due to the dynamic
nature of the applications being assessed. WVAs typically work with highly volatile, constantly evolving
environments. Not only are the applications themselves dynamic, the relationships the applications
share with users, databases, infrastructure, systems, and other applications are also all subject to change.
This means that a Website vulnerability assessor must be aware of a large array of attack methodologies
as well as plausible vulnerabilities.
Furthermore, Web applications have proliferated in enterprise environments at an alarming rate. It
is not uncommon for Web applications to serve as both the backbone for internal processes and the
interactive public face of an enterprise. Indeed, Web applications have become a widely available,
critical aspect of nearly every enterprise in the world today. Of course this does not simplify the task
for assessors or security professionals.
Further complicating matters is the fact that it is impossible, even for the most seasoned assessors, to
create a scalable process to assess enterprise Web applications without the assistance of an automated
tool. It is therefore imperative that enterprises integrate Web application scanning technology that
allows them to create repeatable processes to understand how attackers see their Web applications.
However, with so many solutions for WVA on the market, the question arises: which tool will fit an
organization best?
EMA Radar Report: Website Vulnerability Assessment Q4 2009
©2009 Enterprise Management Associates, Inc. All Rights Reserved.
This EMA report seeks to answer these questions by exploring the realm of application security and
WVA products. The report then defines leaders in the WVA product market and takes a deep dive into
the specific capabilities and values of each of the market players.
The Website Vulnerability Assessment Landscape
Unsophisticated defense, easily exploitable vulnerabilities, definable demographics and lucrative payoffs
characterize the attacker’s perspective of Web application security. Unfortunately, this means that the
defender’s perspective is bleak at best, with issues such as deficiencies in typical security
countermeasures, a steep learning curve, and excessively difficult-to-remediate vulnerabilities becoming the
battlegrounds where application security is being won and lost. In a larger sense, these factors have made Web
application security one of the key domains in which the fight for IT security is being waged.
Further complicating matters is the continued proliferation of Web application vulnerabilities. It is an
unfortunate reality for IT security professionals that the mass production of Web applications has not
included the processes and procedures necessary to ensure that those applications are secure. This poses
very high risk in light of the fact that Web application security vulnerabilities also tend to be the easiest
to discover, due in large measure to the ease with which an attacker can access a Web application.
Attackers have noted all of these issues and are readily exploiting these weaknesses. Attacks against
applications and their users have become sophisticated and common. For an attacker there are several
advantages for targeting an application. First of all, most security countermeasures are not purposed
or capable of detecting application-related attacks. A malicious hacker can therefore test and exploit
vulnerable applications at will. Second, a single application can serve millions of people, which means
that an attacker can merely attack a single application to exploit millions of others by extension. Finally,
attackers can target specific demographics by attacking sites with particular user bases. For example,
an attacker could target a church in Orange County if they wanted to gain access to computer systems
of well-off American citizens. Orange County happens to be one of the wealthiest counties in the
US and the demographics that visit Orange County churches are typically Orange County residents,
and a church may not always have the resources or capabilities—let alone the awareness—to deal with
the threat as, say, an enterprise directly dependent on Web applications as a primary aspect of their
business. The combination of these three advantages of attacking application security has made Web
applications a prime target for organized criminals and opportunistic attackers.
There is no small correlation between these vulnerabilities and the proliferation of major incidents
in the IT world. Incidents such as major Web applications being hacked and repurposed to serve out
malware dedicated to stealing sensitive and personal data for the financial benefit of attackers has
become an altogether too familiar happening for IT security professionals. In an effort to address these
issues and curb the tide of attacks and vulnerabilities, most security champions within businesses have
begun searching for Web application security solutions. Most often the first stop for these searchers is
at WVA software.
The WVA product landscape is an extremely interesting and volatile arena. The landscape, which only
five years ago was almost totally dominated by professionals seeking to conduct better penetration
tests, has grown in maturity to become a critical aspect of security operations. These operations have
now become significant considerations in executive level decisions on capabilities and budget
delegations. The result has been the increased focus and entrance of major IT market players into the realm
of WVA.
Furthermore, as major IT vendors such as HP, IBM, and McAfee extend their capabilities into the
arena of WVA, smaller players such as Acunetix, Cenzic, WhiteHat, and NTOBJECTives (NTO)
increase their focus and target those disenchanted with the larger players. Of course, these strategies
may only be useful as a short term tactical strategy while HP, IBM, and McAfee continue to integrate
and offer more complete products and services.
All of these market competitors are currently jockeying for the leadership position in the WVA market in an
effort to hopefully standardize the method to effectively begin solving Web application security issues.
Of course given the competitive nature of the landscape and the importance of selecting the proper
solution, assessing the various WVA solutions can be an extremely difficult task.
Assessing the Website Vulnerability Assessment Market
EMA tackled this task by breaking down solution characteristics preferred overall and determining
where the major market players currently reside with respect to their specific capabilities. Many IT
security vendors have ventured more recently than others into the realm of Web application security.
In some cases, however, these players have not necessarily matured enough to truly address the issues
faced by IT security professionals today. This made it somewhat difficult for EMA, as those newer
players are often the visionaries in the realm, but would not necessarily be a good buy for users
specifically wishing to address some of the more practical or tactical aspects of Web application security
widely faced today. As a result, the companies that were assessed tend to be closer to the value leaders
area than would normally be seen in a ranking report. Regardless, these market players met the criteria
for inclusion in this report, and are therefore considered.
Conducting a hands-on assessment was also considered in creating this EMA Radar Report. However,
due to the variable, dynamic nature of the environments being assessed in WVAs, EMA felt that a
hands-on assessment could potentially confuse buyers. For example, EMA would not rank a vendor’s
product as a value leader because it is able to conduct the best assessments of Silverlight-based
environments if the potential buyer is Adobe (who makes a competitive product in Flash). Thus, for
the general potential buyer environment a more general focus was taken.
Characteristics of a Preferred Solution
Selecting the proper WVA product can be difficult. In addition to the obvious implications of the overall
power of the solution, one must also consider how that solution will integrate into an environment.
WVA products do not solve the issues of application security; they merely highlight where the issues
lie so that organizations can implement the proper policies and procedures to address the issues. As a
result, Web application security rarely, if ever, works within a silo.
Therefore, those selecting WVA technologies must take into consideration the various aspects of their
dynamic company environment in order to find the most effective solution. Furthermore, potential
customers must also consider the technology implications of their selection. In other words, if an
organization only produces Flash Web applications, they are likely not going to want to purchase a
solution that only tests HTML pages. Due to the fact that most WVA solutions do not advertise which
technologies they evaluate, it becomes more difficult to determine when one might have a technological
alignment. The following are therefore a few of the characteristics considered in evaluating the market:
• Powerful: In selecting a WVA utility it is imperative to consider the overall strength of the
solution. Today the speed with which attackers are evolving their efforts is occurring at an
unprecedented rate. In order to keep up with these evolving attacks, assessors must be able
to determine what constitutes a vulnerability in their Web applications. This speaks directly to
the power of the product. As used in this sense, “power” means accuracy as well as depth in
vulnerability recognition, across the multiple technologies often integrated with modern Web
applications. By extension, a potential buyer will likely want to purchase a solution that has
a strong Research and Development (R&D) organization, as this is the area where product
strength tends to be born.
• Comprehensive: In order to effectively implement application security processes and procedures,
an organization must be able to comprehensively highlight the issues. Factors considered in
weighing the comprehensive nature of a product include technology coverage and granularity
in managing the solution. In other words, the solution must effectively be capable of assessing
the highest level of issues technically feasible and the users must be able to leverage the issues
in management capabilities.
• Feature Rich: In considering which products were capable of handling the dynamic situations
that each assessment would run into, it is necessary to consider the features that each product
has. Feature rich solutions are inclusive of multiple features that allow users and power users alike
to purpose the products to meet their specific needs. This may or may not include a community
repository of plug-ins and code.
• Integrated: As was mentioned earlier, application security processes almost never work within
silos. As a result, it is imperative that assessment capabilities integrate well with technologies
including those purposed for application defense, quality management, network assessments,
developer tools, and other technologies.
• Flexible: When a solution fails to adapt to the working processes of an organization, it may
not perform as expected, and ultimately may be rejected or shelved. Ineffective or difficult
implementations or deployments can be a death sentence to the usage of such technology. It is
therefore imperative that an organization select a solution with a deployment strategy that fits
their particular organization.
• Automated: The most effective method for conducting a WVA is to perform a full penetration
test against an application. However, this process is not scalable to large enterprises, nor can
most smaller companies afford the high costs of bringing in a third-party consultant to perform
these tests on a regular basis. It is therefore important that a solution can be automated, but still
include some capabilities for more specific or manual testing.
Evaluation Criteria
Defining evaluation criteria was a challenging task. The first question EMA asked was whether to
include system/network level vulnerability management solutions such as nCircle, Rapid7, and Qualys,
who all include a level of WVA capabilities in their product, but have not necessarily reached the level
of maturity that other industry leaders have. In the end, EMA decided that this report should be
focused directly on those market players who primarily or exclusively focus on Web application
vulnerabilities. The inclusion of McAfee Secure is likely to be cited as an exception to this rule, since it is an
additional aspect to the company’s Foundstone portfolio. This product, however, has a specific focus
on WVA, and was therefore included. Furthermore, Secure tests a deeper level of application security
related issues than other system-level Vulnerability Management competitors.
The next question EMA asked was how many tools should be included. There is a very large market
of WVA products available on the market today, but while many of those products are doing well
(primarily due to the demand for WVA products) a large number of them have failed to catch the
market’s attention. As a result, the major market players were selected based on market share. Other
inclusion and exclusion criteria can be found below.
Inclusion Criteria
• Conducts Web application security assessments without access to the code (unless reverse
engineered or conducted through bytecode analysis).
• Maintains a broad coverage of Web application security-related issues inclusive of but beyond
the Open Web Application Security Project (OWASP) Top 10.
• Solution must perform Web application spidering.
• Vendor organization must maintain a level of research and development into Web application
vulnerabilities and how to assess them.
• Maintains a high level of market presence.
• Maintains industry recognized marketing capabilities.
• Maintains a large portion of market share.
Exclusion Criteria:
• Requires a third-party partnership to deliver black box application scanning.
• Does not comprehensively cover Web application security issues (e.g. limited to OWASP Top 10,
cross-site scripting [XSS], or SQL injection).
• Does not employ a significant Research and Development team.
• Does not maintain a high-level market presence.
• Lacks industry-wide recognizable marketing.
• Lacks the vendor strength to seem competitive in the radar.
Notable Exclusion:
n-Stalker, founded in 2000, has a mature and capable product. However, n-Stalker was not reviewed in
this report because the metrics used to score the Vendor Strength component of this analysis were not
deemed competitive with the other vendors reviewed.