Background
As a fast-growing medical research and development company, nothing is more important to Information Assurance Research than the security of the company’s proprietary information and customer and employee data. I am concerned that the company’s sensitive information stored at Reston, Virginia, and the data conveyed via the WAN are not well protected from web-based application attackers.
My proposal is based on research on various web-based applications security software in different online fora. I have also explored various studies on different security software and their effectiveness as well as affordability. My insight has also been drawn from customer experiences with the software, in addition to my own hands-on experience.
Following thorough research on the best security testing software on the market, I have come to the conviction that Acunetix is the best choice for Information Assurance. Acunetix is commercially available from Acunetix Ltd and comes in a free and a paid version. This security testing software serves many functions, but essentially tests for and reports on Cross Site Scripting (XSS) and SQL injection. The software has the latest generation of crawler technology, which includes a client-side script analyzer engine. It produces in-depth reports that focus on the identification of security issues and vulnerabilities. Acunetix WVS Version 10 is the latest version of the software. This version has several features, including a login sequence recorder, automatic detection of malware and phishing attacks, a database of 1,200 WordPress-specific vulnerabilities, and support and tools for single sign-on as well as OAuth-based authentication.
Acunetix connects to the web servers in order to establish all necessary details concerning the web application platform (such as .NET or PHP) and the web application configuration. When the Acunetix WVS scanner triggers the sensor, the sensor locates all possible information in the web application’s directory, including files that are not linked from the website. The sensor also lists all web application inputs. Since the sensor now knows every kind of input the application expects, it is able to generate different kinds of tests against the web application.
Acunetix AcuSensor allows for the identification of more vulnerabilities than a traditional Web Application Scanner. In addition, the software is good at reducing false positives. Furthermore, the tool is capable of indicating the exact position of the vulnerability in the company’s code and reports debugging information. By combining black box scanning with feedback from sensors placed in the source code while the application executes, the accuracy of the software is increased (Choliz, Vilas & Moreira, 2015). Black box scanning on its own does not show how the application reacts internally. On the other hand, source code analyzers are not able to observe the behavior of the application during an attack. Thus, better results can be achieved by combining these techniques than by using black box scanning and source code analyzers independently. Acunetix is the most effective Web Vulnerability Scanner in the world.
Benefits
Acunetix Website highlights the following benefits of the software (Acunetix, 2016):
Allowing the software personnel to detect and fix vulnerabilities more quickly, due to its capability to generate more details concerning each vulnerability, including the affected SQL query, stack trace and code line number;
Significant reduction of false positives during web scanning, due to its ability to comprehend the internal behavior of the website;
Better detection of SQL injection vulnerabilities. Previous software detected SQL injection vulnerabilities only when there was a detection of database errors or availability of other similar tools;
Capability to ascertain all possible SQL injection vulnerabilities. Black box scanners cannot detect injection into statements that return nothing to the client, such as SQL INSERT statements;
Knowledge of all accessible and present files on the web servers. In case a hacker accesses the company’s website and successfully creates rogue files in the web application’s directory, Acunetix will find such files, scan them and then alert the client.
Interception of all inputs to the web application and creation of a wide-ranging list of all potential web inputs, which are then thoroughly tested.
Testing for all vulnerabilities related to creation of phony files and deletion of legitimate files. For instance, any hacker, probably working for our company’s competitor, is capable of generating a false file in the directory of the web application and consequently, executing it for purposes of gaining privileged access.
Testing for email injection. Malicious users are capable of appending additional information with the intention of tarnishing the reputation of the company or damaging the company in any other way.
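The mechanism described above, a sensor at the point where the query executes seeing what a black box scanner cannot (the INSERT returns the same "registered" response whether or not it was altered), as an added conceptual illustration. This is not Acunetix’s or AcuSensor’s own code: the `Sensor` hook, the `shape` normalisation and the in-memory `users` table are assumptions constructed here.

```python
import re
import sqlite3

# Constructed in-memory database standing in for the application's backend.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE users (name TEXT, role TEXT)")

# String literals ('...', with '' as an escaped quote) and bare numbers.
LITERAL = re.compile(r"'(?:[^']|'')*'|\b\d+\b")

def shape(sql: str) -> str:
    """Replace literals with '?' so only the statement's structure remains."""
    return re.sub(r"\s+", " ", LITERAL.sub("?", sql)).strip()

class Sensor:
    """Hypothetical in-process hook at the query execution point: it records the
    structure of the first (benign) query and flags any later query whose
    structure differs, even when the application returns no error."""
    def __init__(self):
        self.baseline = None
        self.alerts = []          # offending SQL texts, with the exact query

    def execute(self, sql: str):
        s = shape(sql)
        if self.baseline is None:
            self.baseline = s
        elif s != self.baseline:
            self.alerts.append(sql)
        conn.execute(sql)

sensor = Sensor()

def register_vulnerable(name: str) -> str:
    # Vulnerable: user input concatenated into an INSERT statement.
    sensor.execute(f"INSERT INTO users (name, role) VALUES ('{name}', 'user')")
    return "registered"       # identical response to the client either way

def register_fixed(name: str) -> str:
    # Hardened: a bound parameter can never change the statement's structure.
    conn.execute("INSERT INTO users (name, role) VALUES (?, 'user')", (name,))
    return "registered"

def role_of(name: str) -> str:
    return conn.execute("SELECT role FROM users WHERE name = ?", (name,)).fetchone()[0]

def demo() -> dict:
    register_vulnerable("alice")              # benign request sets the baseline
    payload = "mallory', 'admin')--"           # constructed input; '--' comments out the real role
    register_vulnerable(payload)               # silently stores role 'admin'; sensor flags it
    register_fixed(payload)                    # same input stored as plain data
    return {"alerts": len(sensor.alerts), "mallory_role": role_of("mallory"),
            "literal_role": role_of(payload)}
```

Running `demo()` shows one sensor alert while both registrations answered "registered", which is why a scanner that only sees responses misses the INSERT case.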
According to Amit et al. (2013), an advanced execution monitor such as the one used by Acunetix Web Vulnerability Scanner observes a software application while it executes in order to locate, inside the application, the points reached by the black-box tester’s attacks. This helps to identify the instructions within the application that represent security vulnerabilities. The execution monitor then communicates the vulnerabilities to the scan manager.
Another study by Tung et al. (2014) explores the effectiveness and efficiency of automatic web vulnerability scanners in locating security vulnerabilities. The authors posit that the purpose of web vulnerability scanners is to stress applications from the attacker’s perspective by issuing a significant amount of interaction with the respective applications. SQL injection and Cross Site Scripting (XSS) are considered the two most widespread and dangerous vulnerabilities in web applications (Dukes, Yuan and Akowuah, 2013). It is therefore important to invest in a reliable web vulnerability scanning tool. Effective web vulnerability scanning software should offer adequate coverage and a low false positive rate. Their research on three leading commercial scanning tools indicates that Acunetix is the most effective software.
In my hands-on experience, I have encountered and sorted out vulnerabilities presented by Internet Information Services and Apache. A default Apache installation ships with various pre-defined modules, many of which are only needed in specific deployments. It is important to turn off unused modules in order to reduce the surface exposed to targeted attacks. The same applies to Microsoft’s web server, Internet Information Services (IIS). A default IIS can serve many application types such as ASP and ASP.NET. The list of application extensions should contain only those actually used by the web application. It is also important to restrict each web application extension to specific HTTP verbs only, where possible.
The pricing of Acunetix is fair. As presented on the website, a one-year subscription for the on-premise Acunetix vulnerability scanner costs between $2,495 and $5,495, depending on whether it is the Enterprise or the Consultant edition. This is the most convenient option for our company since it is on-premise, and it is inclusive of all support services as well as the hardware necessary for installation and operation of the application.
Acunetix has been embraced by many customers in the e-commerce, finance, banking, telecommunications, educational, military, and government sectors, including many Fortune 500 companies. According to Benjamin De Point of Catertrax, Acunetix has played an important role in keeping the company’s application stronger, thus assuring clients of the safety of their data.
Conclusion
I advise the Executive Team to consider purchasing Acunetix Vulnerability Scanner in order to protect the company’s sensitive data. The protection of the data will keep the company in constant growth since we will not encounter any attacks, which may be used to send a bad signal to our clients and tarnish our reputation. In addition, with the software, there is no fear of loss of data, time and revenue.
References
Acunetix Website. AcuSensor Technology: Ups detection rate, reduces false positives. Retrieved from: http://www.acunetix.com/vulnerability-scanner/acusensor-technology/
Amit, Y., Hay, R., Saltzman, R., & Sharabani, A. (2013). U.S. Patent No. 8,510,842. Washington, DC: U.S. Patent and Trademark Office.
Choliz, J., Vilas, J., & Moreira, J. (2015, August). Independent Security Testing on Agile Software Development: A Case Study in a Software Company. In Availability, Reliability and Security (ARES), 2015 10th International Conference on (pp. 522-531). IEEE.
Dukes, L., Yuan, X., & Akowuah, F. (2013, April). A case study on web application security testing with tools and manual testing. In Southeastcon, 2013 Proceedings of IEEE (pp. 1-6). IEEE.
Tung, Y. H., Lin, C. C., & Shan, H. L. (2014, April). Test as a Service: A framework for Web security TaaS service in cloud environment. In Service Oriented System Engineering (SOSE), 2014 IEEE 8th International Symposium on (pp. 212-217). IEEE.