Demonstrating web application compliance with various security standards and practices is crucial in many industries. To help scan applications and prepare reports for common web security compliance requirements, Netsparker comes with a host of predefined compliance checks and reports, including PCI DSS, OWASP Top 10, and HIPAA.
What’s with All the Acronyms?
Awareness of web application security and the consequences of potential breaches is growing. Customers, business partners, management, and regulators all want to know if applications are secure – but how do you demonstrate this? To establish a common baseline, various organizations have created their own information security checklists. These vary in scope and purpose, from best-practice web vulnerability classifications to comprehensive guidelines for high-risk industries like payment processing.
Netsparker provides a number of built-in checks and reports that cover web vulnerabilities relevant to the most popular classifications:
- PCI DSS: Payment Card Industry Data Security Standard
- ISO 27001: International standard for information security management systems
- HIPAA: US Health Insurance Portability and Accountability Act
- OWASP Top 10: Most dangerous web application vulnerabilities according to the OWASP Project
- SANS Top 25: Most dangerous software errors compiled by the SANS Institute, corresponding to top CWEs
The Benefits and Limitations of Predefined Reports
Security standards and classifications provide a common language for talking about web application security. For example, instead of listing all the procedures they follow, organizations can simply say they are PCI DSS or HIPAA compliant. Customers evaluating web application vendors might ask about OWASP Top 10 compliance instead of listing all the typical vulnerabilities that applications should be tested for.
Having predefined compliance reports in Netsparker is a real time-saver and eliminates the need to manually find and configure all the required checks and reports. For PCI DSS reports, you can officially confirm compliance with just a few clicks, without the hassle of directly dealing with an approved scanning vendor. Built-in reports also help to ensure that you are always following up-to-date specifications.
One limitation to bear in mind is that, by their nature, compliance reports only cover a limited subset of the many hundreds of security checks supported by Netsparker, so being compliant is not always the same as being secure. For example, if you generate an OWASP Top 10 report from a scan, it is possible that you will see no issues in the report, even though the scan found multiple other vulnerabilities not listed in the OWASP Top 10. For this reason, the built-in reports should be seen as a starting point for defining customized scan policies to optimize vulnerability scanning.
Best-Practice Compliance Reports
OWASP Top 10
The Open Web Application Security Project (OWASP) maintains and periodically updates a list of the top 10 web application security risks. It is not an official standard or even a detailed specification but rather a guideline document that provides a starting point for secure development. The OWASP Top 10 was most recently updated in 2017 and this is the version available in Netsparker’s predefined reports.
For more information about generating OWASP Top 10 reports, see the Netsparker support page for the OWASP Top 10 2017 report.
SANS Top 25
The Common Weakness Enumeration (CWE) is a list of hardware and software weakness types. Based on the CWE database, the SANS/CWE/Mitre Top 25 gathers the most common and dangerous software errors. Note that unlike the OWASP Top 10, these apply not just to web applications but to software development in general. Available only in Netsparker Standard, the SANS Top 25 report includes vulnerabilities that correspond to weaknesses (CWEs) covered by this list.
For more information, see the Netsparker support page for the SANS Top 25 report.
Regulatory Compliance Reports
PCI DSS
Developed by the PCI Security Standards Council, PCI DSS is an information security standard that defines 12 data security requirements for companies that handle payment card transactions using web applications. It is a mandatory compliance requirement for payment processors and the de facto security standard for the e-commerce industry.
All versions of Netsparker include general PCI DSS compliance reports alongside other reporting options. These can help to identify problem areas and remedy issues, but they are not official documents and do not certify compliance. However, working with a PCI Approved Scanning Vendor (ASV), Netsparker now offers the option to run a PCI DSS scan and get an officially approved compliance report. To do this, simply select the dedicated PCI scan option (not a regular PCI scan profile) and once the scan successfully completes, choose one of the available reports.
For more information, see the Netsparker support page for the PCI DSS compliance report.
The approved PCI scan feature is only available for Netsparker Enterprise on-demand and for websites with the agent mode set to Cloud.
ISO 27001
The ISO 27001 standard describes requirements for information security management systems (ISMS). More specifically, it lists the controls and objectives to increase, develop, and manage data security. It is widely used to certify that organizations meet the requirements for safely storing and processing confidential data, including financial information, intellectual property, and personal information.
Netsparker includes an ISO 27001 compliance report that covers vulnerabilities relevant to information security management. Note that this report is for information only and does not certify official ISO 27001 compliance – you need a full ISO certification process for that.
For more information, see the Netsparker support page on the ISO 27001 compliance report.
HIPAA
Healthcare institutions in the US are subject to the Health Insurance Portability and Accountability Act (HIPAA), which defines the requirements for the secure storage and processing of medical and personal data by healthcare providers. With medical organizations now a major target for cybercriminals, HIPAA compliance is vital not only to avoid fines but also to protect patient data and prevent costly breaches and downtime.
Netsparker comes with a built-in HIPAA compliance report. Again, note that this report is for information only, allowing organizations to identify and mitigate issues before seeking official HIPAA compliance certification.
For more information, see the Netsparker support page on the HIPAA compliance report.
All Reports Are Not Created Equal
One final thought to keep in mind when discussing any assurance about web vulnerability testing: you can confirm or even certify that you ran every check in the book, but the resulting level of security depends heavily on the methods used. For example, saying your web application is compliant with the OWASP Top 10 simply means: “We know about cross-site scripting, SQL injection, and all the other vulnerability classes in the OWASP Top 10, and we’ve done some testing to eliminate them”.
The problem with web security is that, for any sizable application, you can never truly prove that no vulnerabilities exist. You can have all the compliance approvals in the world and still get hacked because something was not found in testing. Compliance reports are a great starting point and provide a common language for web security discussions, but in the end, your security and reputation depend on the quality of vulnerability testing, not on the checklists you use.
So next time somebody asks you about OWASP, SANS, or any other type of compliance for your web application, make sure you also tell them you use Netsparker for testing. That will mean a lot more than yet another compliance logo.