The Cracker Eye View of Web Site Security with Web Vulnerability Scanner (Page 1 of 4)
Review: Most products scan your code for deficiencies; Acunetix' Web Vulnerability Scanner checks the Web pages using the same techniques that crackers use. It's good, and does what it promises, but our reviewer finds this software just a mite too
You can look at Web site security problems from several different perspectives. Many products, for instance, address security from the developer's perspective, such as SecureObjects (which I reviewed a while ago); it checks your code for every possible security breach. Nothing's wrong with this approach, but it can leave gaps in your Web site security, because some development environments — such as ASP.NET — add code to your Web page in the background. To check for security issues that occur after the code leaves the development environment, you also need to examine your application's deployment from the cracker's view, which is what Web Vulnerability Scanner from Acunetix Ltd. provides.
You do need both the "cracker eye" view and the developer view to create a Web site that is both secure and reliable. The developer view tells you whether your code is correct and if it follows best practices. However, you may be surprised to learn that you can write code that follows all the rules and still leave security holes.
Most of these vulnerabilities occur due to two problems. First, ASP.NET (and other products on the market) add code behind your back. For example, when you add a Validator control to your Web page, ASP.NET automatically adds script to support that control without telling you.
Also, the presence of good code doesn't mean that the settings are correct. For example, you can create a RegularExpressionValidator control for your Web page and configure it incorrectly. Even with the control in place, a cracker could send a specially formatted message that would cause problems for your system. The cracker eye view helps you locate problems of this sort. It's the reason you need a product such as Web Vulnerability Scanner.
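To make the "good control, wrong setting" point concrete, here is an added example that is not from the review or from Acunetix. It models, in Python, the server-side behaviour of an ASP.NET RegularExpressionValidator and a form handler, and runs a few constructed inputs through three configurations: a pattern that is too permissive, a handler that never checks Page.IsValid and so relies on the client-side script ASP.NET injected, and the corrected setup. The sample inputs and pattern strings are constructed for the example; the two validator behaviours modelled (an empty field passes a RegularExpressionValidator, and the handler must consult Page.IsValid itself) are standard ASP.NET Web Forms behaviour.

```python
import re

# Constructed sample inputs (not from the review): one legitimate username,
# one empty field, one string carrying characters a query or script would interpret.
SAMPLE_INPUTS = ["alice_01", "", "alice';"]

# Two ValidationExpression-style patterns. The permissive one is the kind of
# "good control, wrong setting" the review describes; the strict one is the fix.
PERMISSIVE_PATTERN = r"[\w' ;.-]+"        # accepts quote, semicolon, space
STRICT_PATTERN = r"[A-Za-z0-9_]{3,32}"     # only the characters a username needs


def regex_validator_is_valid(value: str, pattern: str) -> bool:
    """Model of RegularExpressionValidator's server-side check.

    Two behaviours matter for security: the whole value must match (not just a
    prefix), and an empty value passes without being tested, which is why a
    RequiredFieldValidator is needed alongside it.
    """
    if value == "":
        return True
    m = re.match(pattern, value)
    return m is not None and m.end() == len(value)


def handle_post(value: str, pattern: str, *, require_value: bool,
                check_is_valid: bool) -> str:
    """Server-side form handler returning 'accepted' or 'rejected'.

    check_is_valid=False models a handler that never consults Page.IsValid and
    relies on the client-side script ASP.NET injected for the validator; a
    request sent straight to the server skips that script entirely.
    """
    is_valid = regex_validator_is_valid(value, pattern)
    if require_value and value == "":
        is_valid = False            # the RequiredFieldValidator's contribution
    if check_is_valid and not is_valid:
        return "rejected"
    return "accepted"


def evaluate(pattern: str, require_value: bool, check_is_valid: bool) -> dict:
    """Run every sample input through one configuration and map input -> outcome."""
    return {v: handle_post(v, pattern, require_value=require_value,
                           check_is_valid=check_is_valid) for v in SAMPLE_INPUTS}


if __name__ == "__main__":
    configs = {
        "permissive pattern, no required check":      (PERMISSIVE_PATTERN, False, True),
        "strict pattern + required, IsValid ignored": (STRICT_PATTERN, True, False),
        "strict pattern + required, IsValid checked": (STRICT_PATTERN, True, True),
    }
    for name, (pat, req, chk) in configs.items():
        print(name)
        for value, outcome in evaluate(pat, req, chk).items():
            print(f"  {value!r:12} -> {outcome}")
```

Only the third configuration rejects both the empty field and the string with a quote and semicolon; the first lets them through because the pattern is too loose, and the second because the handler never looks at the validation result, so a request that bypasses the browser script is accepted regardless of the pattern. A scanner that exercises the deployed page from the outside, as the review describes, is what catches the second case; reading the code-behind alone would show a validator that looks perfectly reasonable.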
This software doesn't check your code. Consequently, it can tell you that a cracker could circumvent your security by using a SQL injection attack, and it can tell you which Web page is susceptible to the attack, but it won't tell you how to fix your code. The important thing is that you can detect the problem as someone outside your company will see it.