IBM Podcast Web Vulnerability Scanning:market Insight Template v4 ...

“We Accelerate Growth”
Web Vulnerability Scanning
Podcast

For businesses of all sizes, their websites represent an irreplaceable public-facing presence. Consequently, blips
in website operations be it functional disruptions, irregular response times, or doubts about the safety of
private information casts a deep and lasting shadow on a business’ brand image and vitality.
Ironically, the same open access that makes websites invaluable is also its greatest risk. The reality of publicfacing
websites is that those with malicious or criminal intent enter through the same front door as legitimate,
non-malicious website users. Guarding against hackers and cyber criminals while still providing a rich and safe
experience for legitimate users is essential. Meeting these goals, however, is unattainable if the website owner
does not understand the full extent that its website is vulnerable to exploitation and takes proactive steps to
remediate.
Web vulnerability scanning is a security improvement technology that puts website owners on the offensive in
identifying and closing their website security vulnerabilities. Left unaddressed, vulnerabilities represent a
welcome mat for hackers and cyber criminals to engage in unauthorized and destructive website activities.
Conversely, recognizing and then closing website vulnerabilities after a security incident is clearly an
undesirable defensive and reactive situation.
To place web vulnerability scanning into perspective, it mirrors the vulnerability detection objective of manual
penetration testing but without the heavy price tag and operational challenges. By emulating and automating
pen tester’s processes in software, web vulnerability scanning equips website owners with a tool to routinely
gauge the security strength of its website.
Another means to conceptualize web vulnerability scanning is to think of a website as a series of gateways that
define the boundaries of allowable visitor activities. Soft boundaries represent the essence of website
vulnerabilities as they provide website visitors room to roam. Web vulnerability scanning identifies these soft
boundaries.
Identifying vulnerabilities is only half the battle. Modifying website software code and logic to close
vulnerabilities, stiffen the boundaries, is critical. Designed for people without pen testing experience, web
vulnerability scanning produces explanations and actionable steps on how to close vulnerabilities.
With so many security products on the market today, confusion on the purpose of each is possible. So, I will
take just a moment to describe how web vulnerability scanning is different and complementary to other
security products.
Network Firewalls – A network firewall is a defensive security mechanism that opens and closes network
communication ports based on traffic protocol and other identifiers. Network firewalls do not have visibility
into the website traffic to assess whether it contains malicious intent.
Web Application Firewalls or Network Firewalls with application visibility – These categories of
firewalls are also defensive security mechanisms. Their purpose is to block web application traffic that is known
to be bad and/or targeting a known set of generic website vulnerabilities. While beneficial in improving security,
these application level firewalls should be used with caution as setting policies to block web application traffic
too liberally can inadvertently interfere with legitimate website functionality. Furthermore, without a complete
understanding of the website, time consuming trial and error is required to tighten but not over tighten firewall
policies and these adjustments may never reach the customized level of improved security as web vulnerability
scanning.
© 2008 Frost & Sullivan Page 2
Web Vulnerability Scanning
Podcast

Web Vulnerability Scanning
Podcast
Network vulnerability scanning is not synonymous with web vulnerability scanning. Network vulnerability
scanning focuses on network devices to assess which are vulnerable and why. Network vulnerability scanning is
not designed to scan for and identify website vulnerabilities.
Web Vulnerability Scanning tests a website for weakly defined or penetrable boundaries. Through
identification of vulnerabilities, website owners can take deterministic steps produced from the scan to modify
its software code and reduce the number and the severity of vulnerabilities. In this regard, web vulnerability
scanning differs from the aforementioned firewall products in that it is preventive rather than a defensive
security technology. Web vulnerability scanning’s objective is to identify and eliminate vulnerabilities before they
become exploitable.
To derive the maximum benefit from web vulnerability scanning, the best practice is to integrate scanning into
all stages of website development and testing. Each stage provides a unique perspective on the layered and
interconnected nature of the website. Moreover, identifying vulnerabilities at their early stages minimizes what
can otherwise be a complex and time consuming process of code changes. In addition, websites once
implemented should also be scanned even if there hasn’t been a code change. Hackers and cyber criminals learn
and evolve their tricks quickly. Even without code changes, the vulnerability of a website will grow over time.
In closing, the best approach to improve information security is to be preventive. Web vulnerability scanning
used routinely and comprehensively assists website owners in avoiding being on the unhappy tail end of “pay
me now or pay me much more later.”
About Stratecast
Stratecast assists clients in achieving their strategic and growth objectives by providing critical,
objective and accurate strategic insight on the global communications industry. As a division of Frost &
Sullivan, Stratecast’s strategic consulting and analysis services complement Frost & Sullivan's Market
Engineering and Growth Partnership services. Stratecast's product line includes subscription-based
recurring analysis programs focused on Business Communication Services (BCS), Consumer
Communication Services (CCS), Communications Infrastructure and Convergence (CIC), OSS and BSS
Global Competitive Strategies (OSSCS), and our weekly opinion editorial, Stratecast Perspectives and
Insight for Executives (SPIE). Stratecast also produces research modules focused on a single research
theme or technology area such as IMS and Service Delivery Platforms (IMS&SDP), Managed and
Professional Services (M&PS), Mobility and Wireless (M&W), Multi-Channel Video Programming
Distribution (MVPD), Network Infrastructure and OSS (NIO), Secure Networking (SN) and Unified
Communications (UC). Custom consulting engagements are available. Contact your Stratecast Account
Executive for advice on the best collection of services for your growth needs.
About Frost & Sullivan
Frost & Sullivan, the Growth Partnership Company, partners with clients to accelerate their growth. The
company's TEAM Research, Growth Consulting, and Growth Team Membership empower clients to
create a growth-focused culture that generates, evaluates, and implements effective growth strategies.
Frost & Sullivan employs over 45 years of experience in partnering with Global 1000 companies,
emerging businesses, and the investment community from more than 30 offices on six continents. For
more information about Frost & Sullivan’s Growth Partnership Services, visit http://www.frost.com.
CONTACT US 877.GoFrost (877.463.7678) myfrost@frost.com www.frost.com