Third installment of our Ajax Rolling Review shows not all scanners are created equal
A FEW BRIGHT SPOTS
There were a few brief, shining moments where this product stood out, or at least broke even. As previously mentioned, it sports a large internal database of attack signatures for stock applications and would excel when primarily used to scan Web servers for known vulnerabilities. The reporting interface is flexible enough, and reports are attractive, though we would like to see XML output for further processing.
The product's lack of scanning flexibility is partially offset by a custom signature-writing language that will appeal to power users. In addition, an included log-analyzer utility takes advantage of that large internal database, analyzing Web server logs to detect a variety of malicious attacks. It can even be used to go back in time and find attacks that occurred before the application was scanned.
Of course, it can't distinguish between successful and unsuccessful assaults, so that function may or may not be useful, depending on how commonly the application is attacked.
Sadly, however, like the rest of the application, this function suffers from implementation flaws. When we scanned a site and then immediately fed the resulting log into the log analyzer, it brought the analyzer to its knees. Extremely long URLs, part of the standard full penetration-test scan on one of the applications tested, caused a huge increase in total processing time. Not only that, but even after all that work on a log chock-full of attacks, only 121 requests out of more than 30,000 log entries were flagged as suspicious. This is especially odd considering the only traffic in the log came from the scanner.
Of course, the fact that only six detections of XSS (cross-site-scripting) attempts were picked up might explain why the scanner failed to identify a live XSS in the application. To be fair, almost 500 of the requests were HTTP post requests, so it's impossible to know what attacks might have been sent in those. Still, given the size of this particular application and the number of places to inject data, even if all 500 were XSS checks, the total number of checks was still not nearly enough to properly test the application for even standard XSS variants, let alone more complicated encodings and breakout techniques.
Don't get us wrong--N-Stalker's idea has potential. If the log analyzer were integrated into the rest of the application and able to learn from the server profiling that the scanner already is doing, the data it produces could be potentially much more accurate and useful.
Also, it's inexpensive--$2,899 plus 20% maintenance per year. At that price, if you need log-scanner or infrastructure scanning using a large database of static vulnerabilities, and the bugs and quirks can be worked out of the system, this product might be a nice complement to another scanner better suited to finding unknown vulnerabilities.
As it is though, despite being called the Enterprise Edition, N-Stalker has its work cut out for it before we can recommend this scanner for enterprise use.
N-Stalker's Web Application Security Scanner 2006 Enterprise Edition. An eight-IP version of N-Stalker Enterprise Edition is priced at $2,899 plus 20% maintenance per year. www.nstalker.com
About This Rolling Review
Ajax-capable application scanners are being tested at our Real-World Labs at the University of Florida. We're assessing general reliability; advanced features; ease of use for nonsecurity personnel; ability to map and scan Ajax functionality; prevalence of false-positives, as well as ease in manual adjustments or product updates to address them; prevalence of false-negatives; and price. Software-as-a-service offerings also will be evaluated, though not on ease of use and advanced features.
IBM's (formerly Watchfire's) AppScan
SPI Dynamics WebInspect, Cenzic Hailstorm
Other Vendors Invited
Acunetix, Syhunt Technology, WhiteHat Security. Contact the author at firstname.lastname@example.org for consideration.
IT's Reputation: What the Data SaysInformationWeek's IT Perception Survey seeks to quantify how IT thinks it's doing versus how the business really views IT's performance in delivering services - and, more important, powering innovation. Our results suggest IT leaders should worry less about whether they're getting enough resources and more about the relationships they have with business unit peers.
What The Business Really Thinks Of IT: 3 Hard TruthsThey say perception is reality. If so, many in-house IT departments have reason to worry. InformationWeek's IT Perception Survey seeks to quantify how IT thinks it's doing versus how the business views IT's performance in delivering services - and, more important, powering innovation. The news isn't great.
InformationWeek Must Reads Oct. 21, 2014InformationWeek's new Must Reads is a compendium of our best recent coverage of digital strategy. Learn why you should learn to embrace DevOps, how to avoid roadblocks for digital projects, what the five steps to API management are, and more.