Webnetics UK Ltd. - Forums
Secure Web Applications - Printable Version

+- Webnetics UK Ltd. - Forums (https://www.webneticsuk.com/forum)
+-- Forum: News & Announcements (https://www.webneticsuk.com/forum/forumdisplay.php?fid=2)
+--- Forum: VWDesigns Blog (https://www.webneticsuk.com/forum/forumdisplay.php?fid=12)
+---- Forum: Security (https://www.webneticsuk.com/forum/forumdisplay.php?fid=15)
+---- Thread: Secure Web Applications (/showthread.php?tid=6)



Secure Web Applications - webnetics - 26-11-07

Writing secure web applications is a difficult business. You can assemble a team of the best developers, put their work through the most intensive testing, and bugs and vulnerabilities will still be uncovered later. If you're responsible for a complex site with custom PHP applications, say, then that's a real worry. So how can you ever get an accurate feel for your site's security?

Perhaps the best answer is to find yourself a web vulnerability scanner. This is a program that will look at your site and its structure, analyse any applications and check for cross-site scripting, SQL injection and potential vulnerabilities. These tools can't offer a aro per cent guarantee, as they're looking for known security holes and exploits: your site may come up clean and still be vulnerable to a-new hacking technique that's discovered next week. This isn't likely, though, and at least in the meantime you can be sure that your set-up has been tested to a known standard.

These are powerful applications, but there's a price to pay for it. The Acunetix Web Vulnerability Scanner for instance, is an excellent tool that can analyse JavaScript, Flash content, Soap and Ajax, as well as run through some very in-depth cross-site scripting and SQL injection tests. It quickly indexes even the largest sites, and produces reports that clearly point out the problems, even if you're not a developer. But to buy a licence to check just one site will cost you about £750, and if you want to scan any site, the price leaps to £3,750.

Are these prices really worth paying? For large companies, yes. Tasking someone to manually audit a site once would cost more than £750. And if you're a consultant who offers security advice to companies, then the ability to include accurate vulnerability reports should help you earn more than enough new business to pay for the software.

However, there are cheaper alternatives. Gamasec offers marginally less detailed testing for a much lower price (from £100 per scan on a pay-as-you-go basis).

Online scanning services such as AlertSite can save you money, and include free trials. There's a free version of the Acunetix scanner that checks only for cross-site scripting problems, and there's the classic open source Nessus, which works best on Unix (www.nessus.orct).