Monday, October 8th, 2007
It looks like some of the most expensive security scanners can’t handle Ajax code. Information Week reviewed and tested five pricey application scanners, including software from IBM and HP, and all but IBM’s failed to pinpoint vulnerabilities in Ajax code:
With the exception of IBM’s Watchfire AppScan, automated Web application scanners are simply not yet up to the task of finding security flaws in Ajax code. And it’s not like we made it hard on them: The Ajax applications we used in testing were relatively simple. None of the vulnerabilities we expected our scanners to find was advanced or required complex analysis of client-side code. Rather, they were traditional Web application security vulnerabilities, just exposed through an updated Ajax interface. As long as the scanners being tested could navigate the application, identifying the vulnerabilities should have been a walk in the park.
This doesn’t bode well for companies that are relying on some form of automated testing to provide a baseline for their application security assessment efforts.
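The navigation problem the reviewers describe is easy to see in miniature. The following Python is an added example, not code from this post or from the Information Week review: a constructed page has one ordinary link and one search box whose request target exists only inside a script block. A markup-only crawl (hrefs, src, form actions) never sees the Ajax endpoint, so any "traditional" flaw behind it goes untested. The second pass pulls same-origin path literals out of script text as a crude stand-in for what an Ajax-aware scanner must do; the page URL, paths and the regex heuristic are all assumptions for the demo, and a real scanner needs a JavaScript engine rather than a regex.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample page (not taken from the review): a classic anchor plus an
# Ajax search box whose only "link" is the XMLHttpRequest target in the script.
SAMPLE_PAGE = """
<html><body>
<a href="/about.html">About</a>
<input id="q"><div id="results"></div>
<script>
function search() {
  var xhr = new XMLHttpRequest();
  xhr.open("GET", "/api/search?q=" + encodeURIComponent(document.getElementById("q").value));
  xhr.onload = function () { document.getElementById("results").innerHTML = xhr.responseText; };
  xhr.send();
}
</script>
</body></html>
"""

BASE_URL = "http://example.test/"  # assumed origin for resolving relative paths


class LinkCollector(HTMLParser):
    """Records href/src/action attributes and the raw text of <script> blocks."""

    def __init__(self):
        super().__init__()
        self.hrefs = []
        self.scripts = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
        for name, value in attrs:
            if name in ("href", "src", "action") and value:
                self.hrefs.append(value)

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # HTMLParser hands script bodies to handle_data as CDATA.
        if self._in_script:
            self.scripts.append(data)


def markup_endpoints(html, base=BASE_URL):
    """Paths a markup-only crawler discovers: attribute values only."""
    p = LinkCollector()
    p.feed(html)
    return {urlparse(urljoin(base, h)).path for h in p.hrefs}


# Heuristic (assumption for the demo): quoted string literals that look like
# same-origin paths, with an optional query string, inside script text.
_PATH_LITERAL = re.compile(r'''["'](/[A-Za-z0-9_./-]*)(?:\?[^"']*)?["']''')


def script_endpoints(html, base=BASE_URL):
    """Paths referenced from script text (XHR targets and similar)."""
    p = LinkCollector()
    p.feed(html)
    found = set()
    for block in p.scripts:
        for m in _PATH_LITERAL.finditer(block):
            found.add(urlparse(urljoin(base, m.group(1))).path)
    return found


def coverage_gap(html):
    """Endpoints reachable only through script: the scanner's blind spot."""
    return script_endpoints(html) - markup_endpoints(html)


if __name__ == "__main__":
    print("markup-only crawl sees:", sorted(markup_endpoints(SAMPLE_PAGE)))
    print("script-referenced:     ", sorted(script_endpoints(SAMPLE_PAGE)))
    print("untested by markup crawl:", sorted(coverage_gap(SAMPLE_PAGE)))
```

Running `coverage_gap` over an application's pages gives a quick list of endpoints a markup-driven scanner never requested; comparing that list against the scanner's own crawl log is a cheap way to check whether an automated baseline actually covered the Ajax surface before trusting its results.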
The full 5-page review can be found on Information Week’s site.
Posted by Rey Bango at 8:30 am