Limitations of Automated Tools for Dynamic Web Application Security Scanning

They can only find technical flaws in applications, not logical flaws.

Application security scanners identify only around 30% of the most serious flaws that exist in large-scale web software systems. They cannot find the more serious vulnerabilities that are potentially painful to mitigate, such as architectural or design flaws that were introduced before coding or authentication and authorization issues. Additional testing is required to locate these types of security vulnerabilities, and the fix might include making architectural changes.

They don’t capture the internal state of application.

Black Box testing with automated scanners views the security state of an application from the outside looking in, mirroring the perspective of an outside attacker. It infers that certain vulnerabilities exist by sending inputs to an application and analyzing outputs. Therefore, it measures the security state of the environment in which application resides, but not the application itself. Because it does not involve a review of application source code, results can tell you what vulnerabilities exist, but not how or why they exist. This means that the results provide less input that is useful for remediation.

They require sophisticated users to drive them correctly.

In the hands of the wrong user, automated scanners can provide a false sense of security. The user must fully understand the limitations of automated web application scanners to properly train the tool to get thorough scans, determine how the information should be used, and what the next steps for remediation should be.

Scanning Is Only the First Step

Finding vulnerabilities is only the first step to remediation. ThreadFix, created by Denim Group, translates, de-duplicates and consolidates results from multiple sources, including dynamic scanning, to provide a simplified and prioritized list of software defects that accelerates software remediation efforts. As a result, security practitioners gain the ability to understand the security of their applications and efficiently conduct remediation. Learn more about ThreadFix, software for application security program management >>

Leave a Reply

Your email address will not be published. Required fields are marked *