Automated Vulnerability Assessments are integral to a systematic and proactive approach to web security that reduces the risk associated with application-level attacks (e.g. Cross-Site Scripting, SQL Injection) and supports compliance with relevant standards, laws and regulations.
Key activities include:
- Leveraging an open-source or commercial application vulnerability assessment tool to discover known application security vulnerabilities; and
- Formal reporting on the process, gap analysis, relevant findings, and mitigation roadmap. Where possible, the report will also include root cause analysis, peer-group benchmarking, good practice benchmarking, executive summaries, and technical summaries.
The predominant benefits realized by an Application Vulnerability Assessment are:
- Quickly identifying configuration errors, default settings, coding errors, and patch management issues in an automated and economical fashion;
- Being capable of running on an automated, regular basis to provide baseline and ongoing vulnerability management metrics; and
- Focusing Application Penetration Testing activities on the areas of greatest concern.
Because Application Vulnerability Assessments are fully "tool-based", manual review of the findings by someone well versed in web application security is usually necessary to optimally leverage the output.
Application Vulnerability Assessments are best used:
- As a quick and inexpensive means of assessing the risk associated with an application that is in operation but has not recently gone through a broader Application Security Assessment;
- As part of an ongoing vulnerability/configuration management program, especially in support of demonstrating ongoing compliance with relevant standards/regulations;
- To assess less critical applications (i.e. applications with a low risk profile) where the risk does not justify hands-on testing; and
- As an information gathering mechanism to focus penetration testing or code reviews.