Software for Enterprise

The Importance of Web App Vulnerability Scanning and its Benefits

Breaches and hacking attempts have become an almost daily occurrence at the moment.

This has been caused by the growth of IoT and cloud technology which has increased access to potential hackers.

Bad actors are making use of this new technology to damage your business or to steal from you.

Whether it’s your applications, infrastructure, or databases, IT professionals know how crucial it is to keep sensitive information safe.

The best way is to maintain a layer of protection between intruders and sensitive data.

According to CyberCrime Magazine,

60% of small companies go out of business within six months of falling victim to a data breach or cyber attack

What needs to be protected and monitored within an organization’s core systems?

What causes a website or web application to be hacked?

Being a developer myself, I have encountered several occasions when developers are given unreasonable deadlines to complete developing a web application.

Despite highlighting the potential problems especially those related to security, the project manager can only tell us to “Just Get it Done”!

The security loopholes that potentially could be overlooked include:

As deadlines are met and workload eases, businesses must ensure to really look into the security aspects of their systems.

In this post, we will look at how businesses can benefit from utilizing a web app vulnerability scanning tool to counter the potential security loopholes mentioned above.

Recommended web app vulnerability scanning tool

When it comes to vulnerability assessments, the tool that comes to my mind has to be Tenable.

Tenable has security solutions for various industries ranging from automotive manufacturing to the oil & gas industry.

Tenable’s solutions are geared towards the following security requirements most businesses need:

One key product that will be covered in depth today is Nessus Professional – the vulnerability scanning tool your business needs.

Since I had an interest in securing web applications, I gave Nessus Professional a trial just to see how easy or difficult the tool is to use.

After downloading the Windows version, the application got installed within 30 minutes.

The first initializing step involves downloading the plugins required by Nessus to work.

The next step allows me to choose how I would like to deploy Nessus:

Nessus Essentials is the “Home and Education use” version of the Nessus Pro product that has a limit of 16 IP addresses for vulnerability scans.

Nessus Pro allows unlimited IP addresses to be scanned with one license.

To fully discover what Nessus is capable of, I’ve proceeded to choose the Professional version which comes with a 7 days trial.

The next step would be to enter the activation code which is obtained when logged in to Tenable Community.

The last step would be to create a user account before it proceeds to complete the installation process.

Once the installation completes, a browser launches with a login page.

Upon signing in, I was quite impressed with the various types of vulnerability and compliance scans that Nessus Professional offers.

The various types of vulnerabilities scans include:

Although I was tempted to try out each vulnerability scan, I proceeded with the Web Application Testing scan to see what security issues might be discovered.

This is where a web application test scan can be defined and scheduled.

Although the scan and be executed manually, the ability to schedule a scan is a crucial feature to ensure that applications are constantly being monitored.

Most applications are developed by not just 1 developer but several developers.

Businesses cannot allow the mistake of a single developer to cause the system to be exposed thus the need for the scan to run on a schedule.

Email notifications can also be configured to send a report of the scanned results.

From the discovery section, the scan type allows for all ports or common ports to be scanned.

The custom scan type allows detailed discovery settings for more advanced users.

From the assessment section, I can choose to scan for known web vulnerabilities which include:

Most web applications’ landing page has a login form.

The credentials tab allows the username and password to be specified and checked against.

Since I got curious to find out if this site has any vulnerabilities, I ran a scan on it, and here are the findings.

I’m glad that Nessus found a vulnerability where I left a PHP file containing the output of phpinfo() in there.

Clicking on the Medium severity issue led to a page with the following description

Many PHP installation tutorials instruct the user to create a PHP file that calls the PHP function ‘phpinfo()’ for debugging purposes. Various PHP applications may also include such a file. By accessing such a file, a remote attacker can discover a large amount of information about the remote web server, including :

  • The username of the user who installed PHP and if they are a SUDO user.
  • The IP address of the host.
  • The version of the operating system.
  • The web server version.
  • The root directory of the web server.
  • Configuration information about the remote PHP installation.Solution: Remove the affected file(s).

Without hesitating I quickly FTP into my server to remove the file.

Photo by Klaus Nielsen

I’m glad to say that Nessus Professional does work very well and it’s definitely worth the time to discover such a security tool all businesses need.

The benefits that this tool provides include:

  1. Accurate visibility into IT systems whether internal or on the cloud.
  2. Easy to deploy, implement and maintain.
  3. Users get to benefit from Tenable’s Zero Day Research Team
  4. Advanced detection and cost-effectiveness for businesses of all sizes. (Hey, there’s even an Essentials version for Home and Education purposes.)

Look no further for other vulnerability scanning tools as your search should end with Tenable’s Nessus Professional.

Check it out today!


Exit mobile version