
Web Application Security: Automated Scanning Versus Manual Penetration Testing
from  IBM


White Paper

Description:
This white paper examines the two main Web application vulnerability detection methods, comparing and contrasting manual penetration testing with automated scanning tools.

IBM White Paper Sample

Research has shown that a vast number of Web sites are vulnerable to Web application attacks and that a large share of these attacks arrive over HTTP and HTTPS, protocols whose ports (typically 80 and 443) are deliberately exposed to the entire online community because the site cannot function otherwise. With these facts in mind, it is essential for organizations to take serious measures to help secure their Web applications.

As Web applications become increasingly complex, tremendous amounts of sensitive data -- including personal, medical and financial information -- are exchanged and stored. Consumers expect and even demand that this information be kept secure. There are two primary methods for discovering Web application vulnerabilities: using manual penetration testing and code review or using automated scanning tools and static analysis. The purpose of this paper is to compare these two methods.

Evolving testing techniques
Manual security penetration testing is one of the oldest methods for discovering application vulnerabilities. Over time, as the frequency of attacks has grown and application complexity has increased, specialists known as penetration, or “pen,” testers have emerged, whose sole purpose is to find and exploit Web application security problems. In the late 1990s, companies began developing automated Web application testing techniques. By that point, the Web had become more mature, and Web browsers were beginning to be able to handle the complexities of dynamic applications. The goal of these early automated testing tools was to automate two steps: discovering (crawling) a Web application to enumerate its pages and input parameters, and then injecting faults into those inputs to help discover vulnerabilities.
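The crawl-then-inject loop described above, as an added example that is not from IBM's paper or any IBM product: a minimal Python scanner runs against a constructed in-process mock application (the paths, the `<zzscan>` marker string, and the simulated SQL error text are all hypothetical stand-ins for a real site and real payload lists). It first discovers pages by following links, then mutates each query parameter it found with a fault payload and inspects the response for evidence the fault took effect.

```python
"""Minimal automated fault-injection scanner (added example, not IBM's code)."""
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlencode, urljoin, urlparse


def mock_app(path: str, params: dict) -> str:
    """Constructed stand-in for a live Web application (hypothetical).

    It is deliberately flawed so the scanner has something to find:
    /search reflects 'q' without escaping and leaks a database error on a quote.
    """
    if path == "/":
        return '<html><a href="/search?q=test">search</a><a href="/about">about</a></html>'
    if path == "/about":
        return "<html><p>About us</p></html>"
    if path == "/search":
        q = params.get("q", [""])[0]
        if "'" in q:  # simulated SQL syntax error leaking into the page
            return "<html>Error: You have an error in your SQL syntax near '" + q + "'</html>"
        return "<html>Results for " + q + "</html>"  # unescaped reflection
    return "<html>404</html>"


def fetch(url: str) -> str:
    """Route a URL to the mock app instead of the network, so this runs offline."""
    parsed = urlparse(url)
    return mock_app(parsed.path, parse_qs(parsed.query))


class LinkExtractor(HTMLParser):
    """Collect href targets of <a> tags; this is the 'discovery' half of a scanner."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.links.append(value)


def crawl(start: str, fetch_fn, limit: int = 50) -> list:
    """Breadth-first crawl from start, returning every distinct URL reached."""
    seen, queue = set(), [start]
    while queue and len(seen) < limit:
        url = queue.pop(0)
        if url in seen:
            continue
        seen.add(url)
        extractor = LinkExtractor()
        extractor.feed(fetch_fn(url))
        queue.extend(urljoin(url, href) for href in extractor.links)
    return sorted(seen)


# Fault payloads (hypothetical markers chosen for this example). A real scanner
# carries hundreds of these, but the mechanism is the same.
PAYLOADS = {
    "reflected_xss": "<zzscan>",  # a tag that survives only if output is unescaped
    "sql_error": "'",             # a stray quote that breaks naive string-built SQL
}
SQL_ERROR_RE = re.compile(r"sql syntax|ORA-\d+|unterminated quoted string", re.I)


def inject(urls: list, fetch_fn) -> list:
    """Mutate each discovered query parameter with each payload and judge the response."""
    findings = []
    for url in urls:
        parsed = urlparse(url)
        params = parse_qs(parsed.query)
        for name in params:
            for kind, payload in PAYLOADS.items():
                mutated = dict(params)
                mutated[name] = [payload]
                test_url = parsed._replace(query=urlencode(mutated, doseq=True)).geturl()
                body = fetch_fn(test_url)
                # Escaped reflection ("&lt;zzscan&gt;") does not match, so a page
                # that encodes its output is correctly left unflagged.
                if kind == "reflected_xss" and payload in body:
                    findings.append((kind, parsed.path, name))
                elif kind == "sql_error" and SQL_ERROR_RE.search(body):
                    findings.append((kind, parsed.path, name))
    return findings


def scan(start: str = "http://example.test/") -> list:
    """Full pipeline: discover, then inject. Returns (kind, path, parameter) tuples."""
    return inject(crawl(start, fetch), fetch)


if __name__ == "__main__":
    for finding in scan():
        print(finding)
```

The scanner reports exactly what an injected string provably triggered (a reflected marker, a leaked error message) and nothing else; a flaw that needs an understanding of the application's intent, such as one user being able to read another user's records through a perfectly well-formed request, produces no such signal and is the kind of finding the paper reserves for manual testing.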
