Interview with Kevin Vella of Acunetix
Hello Mr. Vella, could you please tell us a bit about yourself and your role at Acunetix?
First of all thanks for the interview Don.
Just as a brief run through, my background is business development and I hold a first degree in Business Management from the University of Malta and an MBA in e-business from the Grenoble Graduate School of Business in France. I started out in IT back in 1994 when I worked in Italy for a national value-added distributor of networking products. At the time I was involved in developing reseller channels for Cisco, HP and Digi, primarily. Later I worked with the Internet Service Provider branch of a telecoms provider developing their international business. Until recently I was responsible for the marketing communications and public relations functions at Uniblue Systems. Last May, I joined Acunetix as Vice President Sales and Operations. My primary role at Acunetix is to develop a reseller channel to drive sales. I am also heavily involved in marketing the organization and our products. Since our product has a high technology content, I am also involved in researching the theme of web application security both to assist our sales team and to help our resellers overcome the general lack of awareness of the market in such issues.
Web application scanners like most other computer security programs are prone to false positives. How does Acunetix go about trying to cut down on them?
I am glad you have asked this question. Allow me to answer you in a bit of a roundabout way:
Heuristics are one way of reducing false positives. Acunetix Web Vulnerability Scanner (WVS) is a heuristic web application scanner rather than a signature matching engine. This is an extremely important distinction. Signature matching engines behave in a fashion similar to most anti-virus products. Standard antivirus products scan for thousands of known viruses including old known viruses, even ones that were created for old Windows 3.x systems. In this day and age you would rarely encounter this OS but in the minds of consumers what is most important is "how many viruses does this software detect?" In reality, having the latest AV will give you protection for all but the viruses running in the wild. And it is these viruses that create the greatest damage.
True web vulnerability scanning does not hinge on establishing a vulnerability definition database of exploitable vulnerabilities of known applications/servers/systems against which a website and applications are tested. This is a common misconception and, unfortunately, the majority of web vulnerability scanners operate in this way. It is easy to research and maintain a strong vulnerability database - a quick search in the Internet yields massive volumes of regularly updated vulnerabilities - the results will help little in assessing whether your custom web applications are truly vulnerable to the likes of aggressive hackers interested in the pay-offs from stealing (not just disrupting) your data.
What is needed then is greater intelligence and automation, in essence creating a tool that emulates a hacker's behavior and includes the full repertoire of techniques used. For example, signature matching scanners first check whether you have application Brand X version 2.1 and then alert you that release Brand X 2.1.1 is out which patches against an SQL injection vulnerability. This model is more prone to false positives.
On the other hand, heuristic scanners will launch SQL Injection attacks on your web app to ensure whether your application is actually vulnerable to the hacking technique.
It is only a handful of products that deploy rigorous and heuristic technologies to identify the real threats. Before automation all this was done manually and was therefore a laborious and time consuming project. Automation assisted web application developers and security consultants to reduce the time that they spent on "pen-testing".
Automation is an invaluable aid and the accuracy of a scan depends on (a) how well your site is crawled to establish its structure and various components and links, and (b) on the ability of the scanner to intelligently leverage the various hacking methods and techniques against web applications.
Automated scanning will lead to false positives. Of course, this level of technological complexity does not lead to zero false positives. That is impossible. An automated scan will always generate false positives whichever product you use.
We always recommend automated scans to be supplemented with manual scans - this is probably one of the points that all security experts emphasize. Sadly, companies do not recognize the importance of the manual input. If you want your web applications to be secure you must spend a considerable amount of time checking the automated side of things. This is not to say that automation is inaccurate - on the contrary, it is very accurate and has cut down on much of the work. The automated scan will help you flag the possible problems including the false positives and prompt further manual investigation.
In this light, I would prefer to have a false positive than no flag at all.
In conclusion, our development team invests much in improving the quality of the automated scan. Much effort is also invested in providing the user with the widest repertoire of hacking techniques and tools possible to enhance the value of our product to our target audience.
What advantage does a security professional get by using the Acunetix web application scanner over an HTTP proxy like SPIKE or BURP?
HTTP proxy is only one of the tools that are contained in Acunetix WVS. A security professional would use the HTTP proxy tools within Acunetix to actually analyze the traffic between server and client and to view each individual request and response. Also, our proxy allows the security professional to trap these requests and responses and, in real-time to change the data that passes to and fro.
Does Acunetix have security researchers who actively research new and emerging web application or web programming vulnerabilities, as a means of keeping the web application scanner up to date?
Keeping up to date is paramount, otherwise our product becomes outdated and the value we want to provide security professionals will fade quickly. It is critical to focus on emerging technologies and emerging hacking techniques, as explained earlier. We have researchers in both areas.
Does the Acunetix web application scanner integrate with any other products that you offer?
Acunetix is a single product organization!
Does Acunetix offer any guidance or whitepapers to security professionals that would help them use the Acunetix web application scanner?
Always. We have a lot of useful information on www.acunetix.com and visitors are not required to register in order to access this information. Also, our resellers offer first line support to all Acunetix customers, so no stone remains uncovered in our efforts to provide our end-users with value.
Are there any online support packages that someone could purchase to help with using the Acunetix web application scanner?
Customers may buy maintenance agreements that would help them iron out any support issues; and, our resellers usually train them in operating the product. In certain instances we also organize short Webex training sessions to assist customers if they get stuck.
Recently we have also launched a new service called SiteAudit where customers would buy a number of scans. We conduct the scans on their behalf and then discuss the findings with our customers. We report our findings and recommendations and all they would have to do is fix the vulnerabilities. This service is ideal for those organizations that do not have (or do not want) access to specialist security knowledge. Software outsourcing has gained steady popularity over the past couple of years and this service is ideal for smaller organizations or for those organizations who cannot (or do not want to) justify security assurance.
Is the web application scanner resource heavy ie: can one do other work from the computer doing the scan?
This really depends on how many sites you are scanning, the number of pages each site would have, whether you have many images, the number of links and a variety of other factors. As such, Acunetix is not resource heavy. If you have one site to scan you'll manage to do other work but if you have 10 sites you may find it difficult.
Is the Acunetix web application scanner a standalone application or are there also other programs that ship with it?
Acunetix WVS ships with a Web Vulnerability Editor, a Scheduler and a Troubleshooting tool all accessible through the main interface. The Acunetix Web Vulnerability Editor allows you to add your own tweaks to the hacking techniques already included and also allows the addition of new techniques.