

Businesses should use automated tools to detect web application vulnerabilities - robert681
https://www.mavitunasecurity.com/blog/web-application-security-scanners-detect-technical-vulnerabilities/
There are several benefits to using automated web application security scanners to detect vulnerabilities.
======
616c
This is going to be somewhat of a rant.

My formal response to this is:

HAHAHAHAHHAHAHAHAHAHAH!

I work in the education industry, which has been often lauded for its tough
security stance (note the sarcasm), and you would be surprised how commonly
CRUD apps do not pass muster. Zoho Corp's founder recently fielded a lot of
critical comments about his Salesforce CRM competitor product and other
products of Zoho-esque mediocrity. [0][1] I stayed out of it, but let me give
a shining turd example of such a product: their ticketing system, ManageEngine
ServiceDesk Plus. [2] We could not afford to purchase or implement a
larger, more garbage ticketing system, say like HP Service Manager (which has
the worst interface of any web application I have ever seen, mind you, but it
is far more business-like for this enterprise-y world which the article is
addressing). We do, at a minimum, a Nessus scan for anything that requires FW
rules inbound and/or an SSL cert in our org. This did okay (other stories to
follow). Not long after, many XSS vulnerabilities were found, in two versions.
[3] This is, mind you, an enterprise-y ticketing system geared for people who
do ITIL. Not only could they not publicly manage the situation, they show a
complete lack of change control/problem management that their product and garbage
webpage imbue. Now we only allow access behind our VPN; Lord knows what would
happen if we exposed this garbage to the public Internet.

I give this example as one of my such tales. Bottom line: even some of the
priciest web applications would fail even rudimentary testing. We see it again
and again, and there is always, rest assured, some marketing a__hole peddling
software to a non-IT manager, who hooks them on it, and that guy refuses to accept
how something so polished is dangerous to the bottom line.

Frankly, I wish SOX-like/HIPAA/bank/government regulations were imposed on all
of us, and THEN fine any companies promising these standards for failure to
comply. The amount of garbage is staggering, and politics dictates that software
marketing will always target the guys sitting above the technical people, who
refuse when they know their product has "rough edges" (I say that because
every company we talk to about such things downplays sec vulnerabilities; not
once have I heard of one of our vendors handling it graciously; even big dogs
like Symantec brush us off).

[0] https://news.ycombinator.com/threads?id=sridharvembu

[1] https://news.ycombinator.com/item?id=5836569

[2] http://manageengine.com/

[3] https://www.google.com/search?q=servicedesk+plus+xss

------
ckozlowski
I concur with some of the other posters in that automated application
vulnerability detection is far from flawless (Heh.....far indeed.)

But that's not to say they aren't using them already. I used to perform high-
level security audits of networks. For our cursory app testing, we used:

- Application Testing: HP WebInspect
  https://download.hpsmartupdate.com/webinspect/

- Database/Backend: AppDetective
  http://www.appsecinc.com/products/appdetective/

Automated tools won't, by themselves, ensure you're bulletproof. But they do
use them.

------
mikegreen
I was going to say this kinda reads like an advertisement for your product.
But, after rereading, it is more advertisement than kinda advertisement :-)

