Scanning of applications

The role of application scanning is to detect potential security vulnerabilities.

Enterprises develop numerous custom applications based on web technologies such as Java, .NET, PHP, … They also deploy third-party applications built on these same technologies. This creates many technical and business risks:

  • IT developers focus on application functionality, not on security;
  • Evolving technologies (Web 2.0, Ajax, JSON, …) open potential new breaches if they are not deployed correctly;
  • Open architectures (SOA, cloud, mobile) unlock new communication doors;
  • Business-critical and non-critical web applications alike are targets for hackers who want to prove their competence and damage a company's image.

Applications enabling financial transactions must be PCI compliant (*). Application scanning must therefore verify that these applications comply with the PCI requirements.

(*) Payment Card Industry requirements

Web applications may present security vulnerabilities at two levels:

  • the source code
  • the production environment

Static analysis (white-box)

To eliminate source code vulnerabilities, web applications must be scanned from the start of, and throughout, the development process. The earlier vulnerabilities are detected, the less re-engineering effort is needed to eliminate them.

Dynamic analysis (black-box)

Applications interact with other components such as databases, application servers, web services and other applications. Dynamic analysis scans the application as deployed, in its whole production environment, to detect both direct and indirect vulnerabilities.

Static and dynamic analysis are complementary: together they cover both technical and functional breaches. Application scanning can be complemented by an architecture review and a design review of the application.

Scanning techniques

Inexya's scanning solutions combine automated scanners with manual auditing. The automated scanners test the web applications against all known attack techniques and patterns, a task that would require far too much effort if done manually. Manual analysis of the application concentrates on the functional testing that the automated scanners do not cover.
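To make the white-box/black-box distinction above concrete, here is an added illustration (not Inexya's tooling, and not code from this page): a toy static rule run over a constructed PHP snippet, next to a toy dynamic probe run against a constructed in-process stand-in for the deployed application. The PHP sample, the `deployed_app` function, the marker string and the header list are all assumptions made for the example. The static rule finds the tainted SQL concatenation, which the black-box probe of the two listed endpoints never reaches; the black-box probe finds the unencoded reflection and the missing hardening headers, which belong to the deployment and are invisible in the source. Each side misses what the other finds, which is the complementarity the text describes.

```python
"""Toy white-box and black-box checks, side by side.
Everything here is constructed for illustration: the PHP snippet, the
in-process stand-in for a deployed application, and the rules themselves."""
import html
import re
from typing import Callable, Dict, List, Tuple

# Constructed sample source file, as it would sit in a repository.
SAMPLE_PHP = """<?php
$id = $_GET['id'];
$q = "SELECT * FROM users WHERE id = " . $id;
$res = mysqli_query($conn, $q);
$name = $_POST['name'];
echo "Hello " . htmlspecialchars($name);
"""

# --- Static (white-box) check: needs only the source code -------------------
# Assigning a request superglobal to a local variable marks that variable tainted.
SUPERGLOBAL = re.compile(r"\$(\w+)\s*=\s*\$_(GET|POST|REQUEST|COOKIE)\[")
# A string literal containing an SQL keyword, concatenated with a variable.
SQL_CONCAT = re.compile(
    r'"[^"]*\b(SELECT|INSERT|UPDATE|DELETE)\b[^"]*"\s*\.\s*\$(\w+)', re.IGNORECASE
)


def static_scan(source: str) -> List[dict]:
    """Flag tainted variables concatenated into SQL strings, with line numbers.
    Taint is tracked in source order within one file only (no cross-file flow)."""
    tainted = set()
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        m = SUPERGLOBAL.search(line)
        if m:
            tainted.add(m.group(1))
        m = SQL_CONCAT.search(line)
        if m and m.group(2) in tainted:
            findings.append({"line": lineno, "rule": "sql-concat-tainted", "var": m.group(2)})
    return findings


# --- Dynamic (black-box) check: needs only the running application -----------
MARKER = "ixy<probe>"  # harmless marker; returned unencoded means output encoding is missing
REQUIRED_HEADERS = ("X-Content-Type-Options", "X-Frame-Options", "Content-Security-Policy")


def deployed_app(path: str, params: Dict[str, str]) -> dict:
    """Constructed in-process stand-in for the application as deployed.
    Its response headers model the web-server configuration, which the
    source code never shows; no hardening headers are configured here."""
    headers = {"Content-Type": "text/html"}
    if path == "/search":
        body = "<p>Results for " + params.get("q", "") + "</p>"  # reflected raw
    elif path == "/hello":
        body = "<p>Hello " + html.escape(params.get("name", "")) + "</p>"  # encoded
    else:
        return {"status": 404, "headers": headers, "body": ""}
    return {"status": 200, "headers": headers, "body": body}


def dynamic_scan(app: Callable[[str, Dict[str, str]], dict],
                 endpoints: List[Tuple[str, str]]) -> List[dict]:
    """Send the marker to each (path, parameter) and inspect the response:
    unencoded reflection per endpoint, missing hardening headers once overall."""
    findings = []
    missing = set()
    for path, param in endpoints:
        resp = app(path, {param: MARKER})
        if resp["status"] != 200:
            continue
        if MARKER in resp["body"]:
            findings.append({"path": path, "rule": "unencoded-reflection", "param": param})
        missing.update(h for h in REQUIRED_HEADERS if h not in resp["headers"])
    for h in sorted(missing):
        findings.append({"rule": "missing-header", "header": h})
    return findings


if __name__ == "__main__":
    for f in static_scan(SAMPLE_PHP):
        print("static :", f)
    for f in dynamic_scan(deployed_app, [("/search", "q"), ("/hello", "name")]):
        print("dynamic:", f)
```

The static rule is deliberately line-based; a real white-box scanner tracks data flow across functions and files, which is why it is most effective when run from the first commit onward. The dynamic probe only ever sees what the deployed application returns, so it can judge encoding and server configuration but cannot see the SQL concatenation behind an endpoint it did not exercise.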