
Why a web vulnerability scanner is not enough to audit your website


The web vulnerability scanner is a useful automated tool, but it has inherent limitations in its design and operation that make it ineffective against certain types of threats


Is it feasible to perform a comprehensive web audit using only a web vulnerability scanner? The short answer is no. A good web vulnerability scanner is very effective at detecting a large number of common vulnerabilities and at running regular scans, but its inherent shortcomings mean that more complex and sophisticated vulnerabilities go undetected and remain open to exploitation.

Relying exclusively on automated tools carries a high risk of leaving multiple avenues of attack open and unprotected. New attack techniques appear daily that are designed to slip past the generic rules a web vulnerability scanner uses, and an attack that exploits one of them can trigger a severe incident.

It is therefore essential to perform complete audits that also include manual web security testing, taking into account the human factor and the application's business logic, so as to identify as many threats of as many types as possible. Below, we explore the advantages and disadvantages of using a web vulnerability scanner and what can be done to perform an audit with all the guarantees.

Advantages of a web vulnerability scanner

A web vulnerability scanner tries to identify vulnerabilities in the web applications it analyzes in an automated way. It allows a large number of pre-designed and pre-configured security tests, covering many types of vulnerabilities, to be carried out. Many of these tools also include a crawler module that performs a discovery phase, recursively enumerating the resources (pages, forms, parameters) against which the tests are later launched.

The usual operation of a web vulnerability scanner is based on a list of rules, each associated with one or more requests that carry a potential attack payload. These rules are designed to detect specific patterns in how the web application reacts to those requests: by matching the content of the response, by measuring the response time (for blind, time-based flaws) or by detecting interactions with an external server controlled by the scanner (out-of-band detection).
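The three detection modes described above, as an added illustration that is not code from the original post or from any scanner product. The target is a constructed in-process mock so the script runs offline; the endpoints, parameter names, payloads and the out-of-band listener domain (abc123.oob.example) are all invented for the example. The mock reports how long a request would have taken instead of the scanner timing a real HTTP round trip, and timing rules are compared against a benign baseline request so that a slow server does not by itself produce a finding.

```python
"""Minimal rule-driven scanner (added illustration; not the page's or any vendor's code)."""
import re
from dataclasses import dataclass

OOB_LISTENER = set()  # stands in for a DNS/HTTP collaborator that logs callbacks


def mock_target(path, params):
    """Constructed vulnerable-by-design app. Returns (status, body, seconds_taken)."""
    q = params.get("q", "")
    if path == "/search":                 # reflects input unescaped
        return 200, f"<p>Results for {q}</p>", 0.02
    if path == "/report":                 # blind, time-based injection: sleeps on SLEEP()
        delay = 5.0 if "SLEEP(" in q.upper() else 0.02
        return 200, "<p>report queued</p>", delay
    if path == "/fetch":                  # SSRF-style: contacts whatever host is given
        m = re.match(r"https?://([^/]+)", params.get("url", ""))
        if m:
            OOB_LISTENER.add(m.group(1))  # "callback" reaches the listener
        return 200, "<p>fetched</p>", 0.02
    return 404, "not found", 0.02


@dataclass
class Rule:
    name: str
    path: str
    param: str
    payload: str
    kind: str                     # "pattern" | "timing" | "oob"
    pattern: str = ""             # regex expected in the body (kind == "pattern")
    min_extra_delay: float = 0.0  # seconds above baseline (kind == "timing")
    oob_token: str = ""           # host the listener should see (kind == "oob")


RULES = [  # constructed rule set; payloads are illustrative only
    Rule("reflected-xss", "/search", "q", "<zz1>", "pattern", pattern=r"<zz1>"),
    Rule("sqli-time", "/report", "q", "1 AND SLEEP(5)", "timing", min_extra_delay=3.0),
    Rule("sqli-time", "/search", "q", "1 AND SLEEP(5)", "timing", min_extra_delay=3.0),
    Rule("ssrf-oob", "/fetch", "url", "http://abc123.oob.example/", "oob",
         oob_token="abc123.oob.example"),
]


def run_rules(target, rules, listener):
    """Send each rule's payload and decide whether it fired.

    Timing rules compare the payload request against a benign baseline request
    on the same endpoint; OOB rules poll the listener after the request went out.
    """
    findings = []
    for r in rules:
        _, _, baseline = target(r.path, {r.param: "1"})
        _, body, taken = target(r.path, {r.param: r.payload})
        if r.kind == "pattern":
            fired = re.search(r.pattern, body) is not None
        elif r.kind == "timing":
            fired = taken - baseline >= r.min_extra_delay
        elif r.kind == "oob":
            fired = r.oob_token in listener
        else:
            raise ValueError(f"unknown rule kind {r.kind!r}")
        if fired:
            findings.append((r.name, r.path))
    return findings


def scan():
    """Run the rule set against the mock target from a clean listener state."""
    OOB_LISTENER.clear()
    return run_rules(mock_target, RULES, OOB_LISTENER)


if __name__ == "__main__":
    for name, path in scan():
        print(f"[{name}] {path}")
```

The second "sqli-time" rule, aimed at /search, is there on purpose: the baseline comparison keeps it from firing, which is the check a real scanner needs so that latency alone is not reported as a vulnerability.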

A web vulnerability scanner is particularly effective at detecting a wide variety of common vulnerabilities, especially those that do not depend on a thorough knowledge of the application's business flows. These vulnerabilities are often the most exposed, because attackers use the very same scanning tools to quickly and indiscriminately identify security flaws across a wide range of targets.

Another benefit of a web vulnerability scanner is that it can be run relatively regularly, allowing organizations to continuously monitor their attack surface for vulnerabilities covered by these tools.

The web vulnerability scanner and its limitations

The vulnerabilities an automatic scanner can detect depend on the generic controls and rules configured in it beforehand. Because those rules are static, they adapt poorly to changes in the application and to new contexts.

The main limitations of these automatic scanning tools are explained below.

Lack of contextual understanding

One of the biggest problems with web vulnerability scanners is that they lack the specific business context needed to understand the application's logic and workflows.

A generic automated tool is, for example, unable to detect authorization issues (broken access control) whose identification requires a prior understanding of the different roles in the application and the permissions assigned to each of them.

Nor can it identify vulnerabilities that depend on a flow of information between different, logically interconnected functionalities, or progress through forms whose fields must satisfy certain business or formatting rules before the next step is reached.
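The authorization case from the two paragraphs above, as an added example that is not part of the original post. It uses a constructed in-memory application with two customers and an administrator: vulnerable_get_order omits the ownership check, fixed_get_order enforces it. generic_probe mimics what a context-free scanner observes (every request returns a normal status, so there is nothing to flag), while authz_matrix_test encodes the role and ownership knowledge that only a human, or a test written by one, can supply. All user names, order numbers and amounts are invented.

```python
"""Role-aware authorization test (added illustration, not the page's code)."""

USERS = {  # constructed data: who exists and what role they hold
    "alice": {"role": "customer"},
    "bob": {"role": "customer"},
    "admin": {"role": "admin"},
}
ORDERS = {  # constructed data: which customer owns which order
    1001: {"owner": "alice", "total": 42.0},
    1002: {"owner": "bob", "total": 17.5},
}


def vulnerable_get_order(session_user, order_id):
    """Authenticated but not authorized: any logged-in user can read any order."""
    if session_user not in USERS:
        return 401, None
    order = ORDERS.get(order_id)
    if order is None:
        return 404, None
    return 200, order


def fixed_get_order(session_user, order_id):
    """Enforces object-level authorization: the owner or an admin only."""
    if session_user not in USERS:
        return 401, None
    order = ORDERS.get(order_id)
    if order is None:
        return 404, None
    if USERS[session_user]["role"] != "admin" and order["owner"] != session_user:
        return 403, None
    return 200, order


def generic_probe(handler):
    """What a context-free scanner sees: it requests every order with every
    session it has, but has no notion of who should be allowed to see what, so a
    200 on an existing order is just a successful response. Only server errors
    look anomalous to it."""
    statuses = {(u, oid): handler(u, oid)[0] for u in USERS for oid in ORDERS}
    return [k for k, s in statuses.items() if s >= 500]


def authz_matrix_test(handler):
    """Expected-permission matrix built from business knowledge of roles and
    ownership. Returns the (user, order_id) pairs where access was granted but
    should have been denied."""
    violations = []
    for user, info in USERS.items():
        for oid, order in ORDERS.items():
            allowed = info["role"] == "admin" or order["owner"] == user
            status, _ = handler(user, oid)
            if status == 200 and not allowed:
                violations.append((user, oid))
    return violations


if __name__ == "__main__":
    print("scanner view of vulnerable handler:", generic_probe(vulnerable_get_order))
    print("role-aware test, vulnerable handler:", authz_matrix_test(vulnerable_get_order))
    print("role-aware test, fixed handler:", authz_matrix_test(fixed_get_order))
```

The point of the matrix is that the expected outcome for each (user, object) pair is an input to the test, not something observable in any single response; that is exactly the business context the scanner does not have.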

Generation of noise and false positives

A web vulnerability scanner can generate considerable noise by reporting findings that provide no real value. This gives rise to what are known as false positives: reported flaws that do not exist, or that pose no threat because they cannot be exploited.

For the same reason, the web vulnerability scanner may also flag as risks situations that the organization has knowingly accepted.

To avoid this noise, it is highly recommended that the findings be reviewed manually afterwards. This review also makes it possible to assess the risk of each finding with an understanding of the business and of the information affected.
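The manual review step above, as an added example that is not code from the original post. Two constructed endpoints sit in front of an in-memory SQLite database: /help is a static page whose text happens to contain a database error message, and /item builds its query by string concatenation. A signature-style rule of the kind a scanner uses fires on both; the boolean-based differential check that a reviewer would run separates the false positive from the real injection. The table contents, endpoint names and help text are invented.

```python
"""Triage of a scanner finding (added illustration, not the page's code)."""
import sqlite3

DB = sqlite3.connect(":memory:")
DB.execute("CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT)")
DB.executemany("INSERT INTO items VALUES (?, ?)", [(1, "widget"), (2, "gadget")])
DB.commit()

HELP_TEXT = ("Troubleshooting: if you see 'You have an error in your SQL syntax' "
             "in the logs, contact support.")  # constructed static page


def app(path, params):
    """Constructed target. Returns (status, body)."""
    if path == "/help":
        return 200, HELP_TEXT
    if path == "/item":
        try:  # deliberately injectable: the id value is concatenated into the query
            rows = DB.execute("SELECT name FROM items WHERE id = " + params.get("id", "0")).fetchall()
            return 200, ", ".join(r[0] for r in rows) or "no item"
        except sqlite3.Error as e:
            return 500, f"error: {e}"
    return 404, "not found"


ERROR_SIGNATURES = ("error in your sql syntax", "syntax error", "unrecognized token")


def signature_rule(path, param):
    """Scanner-style check: inject a quote and look for a server error or a
    database error string in the response."""
    status, body = app(path, {param: "1'"})
    return status == 500 or any(sig in body.lower() for sig in ERROR_SIGNATURES)


def confirm_boolean_sqli(path, param, base="1"):
    """Reviewer-style confirmation: a true condition must reproduce the baseline
    response and a false condition must change it. A static page fails this
    because nothing the reviewer sends alters its content."""
    _, baseline = app(path, {param: base})
    _, true_body = app(path, {param: f"{base} AND 1=1"})
    _, false_body = app(path, {param: f"{base} AND 1=2"})
    return true_body == baseline and false_body != baseline


def triage(candidates):
    """Run the signature rule, then confirm each hit before reporting it."""
    report = {}
    for path, param in candidates:
        if not signature_rule(path, param):
            report[path] = "no finding"
        elif confirm_boolean_sqli(path, param):
            report[path] = "confirmed"
        else:
            report[path] = "false positive (needs manual review)"
    return report


if __name__ == "__main__":
    for path, verdict in triage([("/help", "q"), ("/item", "id")]).items():
        print(f"{path}: {verdict}")
```

Both endpoints trip the signature rule, which is the noise the text describes; only /item survives the confirmation step, and the risk rating of that finding still depends on what the items table actually holds, which is the business judgement a reviewer adds.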

Inability to detect new sophisticated threats

An automatic web vulnerability scanner usually relies on a database of known vulnerabilities and predefined attack patterns. This means the tool will not be effective at detecting emerging threats that have not yet been registered in that database.

Two such threats are zero-day vulnerabilities and advanced persistent threats (APTs). Zero-day vulnerabilities are new flaws for which no signature or pattern has yet been registered; automatic scanners will only detect them once their rule sets have been updated, which requires the vendor to adapt quickly.

Advanced persistent threats (APTs) involve sophisticated attacker behaviour designed to evade detection by protection systems such as firewalls or WAFs. Automated web vulnerability scanners operate according to pre-established rules and have difficulty finding vulnerabilities whose exploitation requires evading those systems. Human analysts are better equipped to identify and track these sophisticated patterns.

How can I perform a genuinely effective and reliable web audit?

Combining automated tools with manual analysis is essential to performing a genuinely effective web audit, one that identifies the largest possible number of vulnerabilities of different natures.

On the one hand, the vulnerability scanner helps to detect the large number of common vulnerabilities that are generally exposed to attackers without extensive knowledge. On the other hand, manual testing by skilled and experienced personnel is the crucial complement for detecting vulnerabilities that require an understanding of the context, the use or combination of advanced techniques, or the evasion of protection systems.

This manual testing plays a critical role in a robust cybersecurity strategy, since most vulnerabilities whose detection requires advanced techniques or the combination of different attack vectors can only be covered by manual testing.

In addition, the information gathered during manual analysis helps to decide which automatic tools are most suitable for each situation, based on the functionalities detected and the architecture, and to establish a more efficient configuration for them.

In short, approaching the security analysis of a web application from only one of the two approaches (automatic or manual) increases the risk of missing essential vulnerabilities; a combination of both is necessary to leave nothing to chance. Today there are easy and accessible solutions for performing a web security audit that make it possible to ensure the web application is prepared to repel the potential attacks to which it is exposed.