Some web security experts state that automated web application security scanners are not a good enough solution to secure your websites and web applications because they do not detect all web vulnerabilities.
As a matter of fact automated web application security scanners will find technical vulnerabilities such as SQL Injection and Cross-site scripting (XSS), but they cannot detect logical vulnerabilities. Having said that, on the contrary to what web security experts say, online businesses still need to invest and use web application security scanners to scan and secure their websites. Let’s take a look at some statistics and other web application security documentation to find out why.
OWASP is a non profit organization which advocates web application security awareness. After analysing statistics of web application hacking attacks happening all over the world, OWASP publishes a list of the top 10 most critical web application security risks, i.e. the most commonly exploited web vulnerabilities.
The most common technical web application vulnerabilities detected by Netsparker, such as SQL Injection, Cross-site scripting, Injection Flaws, Invalidated Input etc have made it to all of the OWASP Top 10 lists which were released in 2004, 2007, 2010 and 2013.
Each year, companies such as Verizon release an end of year report which includes statistics about the hacking incidents that happened throughout a particular year. From the 2013 Verizon data breach report we can see that 52% of the data breaches happened through web application hacking. Most of such attacks were successful because a technical vulnerability such as SQL injection was exploited.
Last year several other reports were released by well known brand names, such as Barclays, where they claim that more than 90% of the hacking incidents and data breaches are due to SQL Injection.
Security firm Firehost just released its Q1 2013 web hacking attacks statistics where they detail the type and numbers of the most dangerous hacking attacks blocked by their firewalls. Cross-site scripting vulnerability attacks ranked first, amounting to 40% of all attacks. SQL Injection vulnerability attacks have had the second most significant increase in frequency when compared to last year.
One thing that we cannot deny is that low hanging fruit technical web vulnerabilities such as XSS and SQL Injection are still the most commonly exploited vulnerabilities. A web application security scanner such as Netsparker will detect these web application vulnerabilities in your websites and web applications and help you secure them.
Logical vulnerabilities should not be ignored, but as seen from the statistics these are rarely exploited. My recommendation is to first focus on the obvious; fixing of technical web application vulnerabilities. Hackers use automated tools to scan large number of websites every day and detect technical vulnerabilities to exploit them, so that is what they are going after first. Once the technical vulnerabilities have been addressed, then you can proceed and fix the rest.