Larry Suto, an application security consultant, recently published a sequel to his widely read 2007 research on web application scanners, which drew considerable attention from the industry because he claimed that scanners do not perform as well as advertised. In the sequel, Larry elaborates on and updates his initial findings by testing various vendors' solutions, among them Acunetix, PortSwigger's Burp Suite Pro, Cenzic's Hailstorm and NT Objectives' NTOSpider, and once again found that most web application scanning tools missed vulnerabilities and generated false positives. While Larry's findings are interesting, businesses should never rely solely on a single solution.
In this particular instance, we always urge the use of both scanners and WAFs for an added layer of security. In fact, the two technologies are converging today, as the analyst community observes; see, for example, Chenxi Wang's recent report, Web Application Firewall 2010 And Beyond. Stand-alone security solutions are almost nonexistent in the industry today. As Ofer Shezaf states in his post, "WAFs are not perfect, but is any security tool perfect?", no single security solution is sufficient; only combining multiple defense mechanisms would provide adequate security, which still does not imply 100%.