Ability to cover web technologies
Most web applications use JavaScript, HTML5, Google Web Toolkit and single-page applications.
A vulnerability scan crawls the web application to identify the pages, forms and elements that make
up a given web application. When choosing a web security scanner, it is important to go for a
scanner that is able to understand the intricacies of web technologies used in a variety of web
applications.
The scanner should also be updated frequently so that it can crawl the latest technologies
in the future.
Ability to scan mobile friendly website applications
Several web apps have a mobile-friendly version which is automatically loaded on tablets and
smartphones. These versions often provide the same functionality as the main website, and they are
just as vulnerable as the main site. Your website security scanner should also be able to scan the
mobile-friendly site to ensure that it is not exposed to web vulnerabilities as well.
Availability of manual testing tools
An efficient web security scanner should provide manual testing tools to verify some of the
vulnerabilities detected after an automated scan.
Grey Box testing
Several web vulnerability scanners provide black box testing since they are able to scan your
website without accessing the source code on the web server. A good web scanner should also
provide grey box testing which enhances the scan results by ensuring complete coverage of web
applications. It can also detect more vulnerabilities compared to black box testing.
Grey box testing also decreases false positives by providing supplementary validation and
information on the vulnerabilities detected.
While several web security scanners are authentic, you need to be careful of scanners that make
empty claims. Scanners claiming 0 false positives should be avoided at all costs since they may not
be showing vulnerabilities or they may fail to show that more testing is needed.
About the Author
Lee Ying has over 10 years' experience in the tech and security industry. He currently writes for
various websites. If you would like to contact him, you can find him on LinkedIn:
https://www.linkedin.com/pub/lee-ying/9a/18b/238. Follow me on Twitter @LeeYing101
Cyber Warnings E-Magazine – September 2015 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide