My previous post on the value of linking web application vulnerability scanning tools with web application firewalls generated a lot of discussion. Take a look through the post and the lengthy comment string.
Let me state up front that I firmly believe we should change our development processes (and developer culture) to produce more secure code. This applies to outsourced development as well. This should be our first priority. A tool cannot solve what is fundamentally a process problem. A tool can help us to scale the process and make testing more efficient and repeatable, but we must address the process problem first.
Web application security testing tools (a form of dynamic application security testing [DAST] tools) test a web-enabled application in its assembled and running state, without access to its source code, looking for behavior that indicates a security vulnerability. For example, by injecting SQL fragments into user-input fields, a DAST scanner might observe database error messages or changed responses from the application that indicate vulnerability to SQL injection.
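To make that concrete, here is an added example (not code from the original post or from any of the vendors named below) of the two most common black-box SQL injection checks a DAST scanner performs: an error-based probe (an unbalanced quote that provokes a database error) and a boolean-based probe (a tautology that changes the response while a matching contradiction does not). Everything in it is constructed for illustration: an in-memory SQLite "application" with a login lookup, one version that concatenates user input into SQL and a second that uses bound parameters, and a scanner that sees only the application's responses, exactly as a DAST tool would.

```python
"""Minimal DAST-style SQL injection probe (constructed example, not the blog's code)."""
import sqlite3
from typing import Callable, List, Tuple

# Response fragments that betray a database error reaching the user; the
# list is an assumption chosen to match SQLite and common SQL engines.
ERROR_SIGNATURES = ("sql", "syntax error", "unrecognized token", "unterminated", "odbc")

Handler = Callable[[str, str], str]  # (username, password) -> HTTP-like response text


def build_db() -> sqlite3.Connection:
    """Constructed sample application database with two users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn


def vulnerable_login(conn: sqlite3.Connection, username: str, password: str) -> str:
    """Constructed vulnerable handler: user input is concatenated into the query."""
    sql = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    try:
        row = conn.execute(sql).fetchone()
    except sqlite3.Error as exc:
        # Leaking the engine's error text is what the error-based probe relies on.
        return "500 Internal Server Error: %s" % exc
    return "200 Welcome %s" % row[0] if row else "401 Login failed"


def fixed_login(conn: sqlite3.Connection, username: str, password: str) -> str:
    """Same handler with bound parameters: input can never become SQL syntax."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return "200 Welcome %s" % row[0] if row else "401 Login failed"


def scan_login(handler: Handler) -> List[Tuple[str, str, str]]:
    """Black-box scan of a login form. Returns (technique, payload, response) findings."""
    findings = []
    # A benign request establishes what a normal failed login looks like.
    baseline = handler("nobody", "wrongpass")

    # 1. Error-based: an unbalanced quote breaks the query if it is built by
    #    concatenation, and a leaked error message confirms it.
    payload = "nobody'"
    resp = handler(payload, "wrongpass")
    if any(sig in resp.lower() for sig in ERROR_SIGNATURES):
        findings.append(("error-based", payload, resp))

    # 2. Boolean-based: inject a tautology and a contradiction into the password
    #    field. Only if the query is injectable does the tautology change the
    #    response (here: a login without valid credentials) while the
    #    contradiction leaves it identical to the baseline.
    true_payload, false_payload = "' OR '1'='1", "' OR '1'='2"
    true_resp = handler("nobody", true_payload)
    false_resp = handler("nobody", false_payload)
    if true_resp != baseline and false_resp == baseline:
        findings.append(("boolean-based", true_payload, true_resp))

    return findings


if __name__ == "__main__":
    db = build_db()
    for name, fn in (("vulnerable", vulnerable_login), ("fixed", fixed_login)):
        results = scan_login(lambda u, p, fn=fn: fn(db, u, p))
        print(name, "->", results or "no findings")
```

Note that the scanner never reads the handler's source; it infers the flaw purely from response differences, which is why a DAST tool can find the same class of bug in code it was never shown, and also why it cannot tell you where in the code to fix it.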
The market for DAST tools is about US $100M and growing. Larger vendors such as IBM and HP have made their acquisitions in this space and have integrated the capability into their development platforms. In addition, DAST tools are available from independent commercial vendors such as Acunetix, Cenzic, and NT Objectives. Open source alternatives are available as well; Nikto and OWASP's WebScarab are mentioned most frequently.
Are DAST tools a waste of time and money? I don’t believe so. Despite our best efforts to produce and procure more secure code, applications will still have vulnerabilities. Rather than wait on the bad guys to find our vulnerabilities for us, DAST tools in the hands of a skilled professional can help identify vulnerabilities that we can then fix (or shield). Even if DAST tools (or static application security testing tools for that matter) aren’t perfect (false positives and false negatives), using them is better than not using them. In other words, a flashlight in a dark room is better than being completely in the dark.
What do you think?
Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.