SOA Product Review: Watchfire AppScan
A simple and effective tool for assessing the security profile of Web Services applications

Security is a major component of application development and must be tailored to the environment and audience of the system. In many respects, the more widely available an application is, the more important security becomes. Properly testing and securing Web Services applications is a challenging task. A tool that facilitates this process and provides visibility into application vulnerabilities is the AppScan product from Watchfire.

AppScan is an application testing tool that performs security scans on Web applications and Web Services. For Web applications, AppScan tests server-side functions and vulnerabilities by interacting with the application as a client would; it can also parse Flash and JavaScript components so that it navigates such applications correctly. For Web Services, AppScan acts as a SOAP client and gives developers tools to manipulate inputs and evaluate the results. This review focuses on AppScan's Web Services capabilities.

AppScan Approach
Application vulnerabilities are discovered using a three-phased approach: Explore, Test and Scan. During the Explore phase, AppScan interacts with the web service as an end user (or SOAP client) would, sending SOAP requests and receiving responses. Responses that indicate a potential vulnerability are logged for use during the Test phase. AppScan also submits multiple invalid requests to catalog the application's own error responses; these are referenced during test validation so that an error the application produces anyway is not mistaken for the result of an attack.

In the Test phase, AppScan submits attack requests to the application based on the results of the Explore phase. It applies a series of validation rules to the response of each test to identify potential security risks and to rank the severity of those identified.

Finally, the Scan phase executes. It repeats the Explore and Test phases: results from the Test phase typically supply additional application links that may in turn be explored and probed for security risks. The number of Scan iterations is user-configurable in AppScan.

Creating & Executing Tests
To test Web Services, AppScan must first parse the WSDL file associated with the application in question. Three sets of information are required to test Web Services:

  1. The location of the WSDL file, along with any applicable communications parameters: additional servers, custom error pages, Explore-phase settings, and proxy server credentials
  2. Application authentication information, which may take the form of NTLM or HTTP authentication, or a client-side certificate
  3. Testing policy information that includes the types of tests to run, the number of iterative scans to process, and the handling of application parameters and cookie data if applicable
Once configured, users have the option of saving the configuration as a Template. Templates can then be reused for future scans, useful for establishing standard testing scenarios across a corporate environment.

With the WSDL file parsed, AppScan presents the user with an Explorer-style tree view of the service. This interface includes a component for calling the service with user-specified parameters, which allows unit test cases to be incorporated into the process. Each value entered and submitted to the application is recorded by AppScan for use during the Test phase.

Once the configuration of the Web Service is complete, AppScan begins the process of evaluating the application. The time required to analyze the application will vary based on the complexity of the system. Using the sample application provided, AppScan completed the process in approximately five minutes. The results of the test are shown in Figure 1.
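The Explore/Test cycle and the WSDL-driven setup described above, as an added example that is not AppScan's or Watchfire's code: the script parses a constructed WSDL for the service's operations and their parameters, acts as a SOAP client, catalogs the service's own error responses during Explore, then injects one payload per parameter during Test and applies two validation rules (a SQL error signature that the Explore catalog did not contain; a payload reflected verbatim in a successful response), ranking the findings by severity. The WSDL, the namespace http://example.test/acct, the mock endpoint that stands in for a live service, the payloads and the severity labels are all assumptions; against a real service, `mock_endpoint` would be replaced by an HTTP POST of the envelope to the service's endpoint.

```python
"""Added example (not AppScan or Watchfire code): a minimal WSDL-driven Explore/Test
scanner for a SOAP service. The WSDL, the mock service and the payloads are constructed."""
import re
import xml.etree.ElementTree as ET
from collections import namedtuple
from xml.sax.saxutils import escape

WSDL_NS = "http://schemas.xmlsoap.org/wsdl/"
XS_NS = "http://www.w3.org/2001/XMLSchema"
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
SERVICE_NS = "http://example.test/acct"  # assumed target namespace of the constructed service

# Constructed WSDL: two operations, each with one string parameter.
SAMPLE_WSDL = f"""<definitions xmlns="{WSDL_NS}" xmlns:xs="{XS_NS}" targetNamespace="{SERVICE_NS}">
  <types><xs:schema targetNamespace="{SERVICE_NS}">
    <xs:element name="GetBalance"><xs:complexType><xs:sequence>
      <xs:element name="accountId" type="xs:string"/></xs:sequence></xs:complexType></xs:element>
    <xs:element name="Greet"><xs:complexType><xs:sequence>
      <xs:element name="name" type="xs:string"/></xs:sequence></xs:complexType></xs:element>
  </xs:schema></types>
  <portType name="AcctPort"><operation name="GetBalance"/><operation name="Greet"/></portType>
</definitions>"""

BASELINE_VALUE = "1234"                            # assumed valid-looking input
INVALID_PROBES = ["", "not-a-number-" + "x" * 64]  # Explore: provoke the service's own errors
SQL_ERROR = re.compile(r"SQL syntax|ORA-\d{5}|SQLSTATE|syntax error at or near", re.I)
SEVERITY_RANK = {"High": 0, "Medium": 1, "Low": 2, "Informational": 3}
TESTS = [  # (name, payload, severity) -- assumed labels, not AppScan's
    ("SQL injection", BASELINE_VALUE + "'", "High"),
    ("Cross-site scripting", "<script>alert(1)</script>", "Medium"),
]
Finding = namedtuple("Finding", "operation parameter test severity request response")


def parse_wsdl(wsdl_text):
    """Map each portType operation to the parameter names of the schema element of the same name."""
    root = ET.fromstring(wsdl_text)
    params_by_element = {}
    for el in root.iter(f"{{{XS_NS}}}element"):
        children = [c.get("name") for c in el.iter(f"{{{XS_NS}}}element") if c is not el]
        if children:
            params_by_element[el.get("name")] = children
    return {op.get("name"): params_by_element.get(op.get("name"), [])
            for op in root.iter(f"{{{WSDL_NS}}}operation")}


def build_envelope(operation, params):
    """Act as a SOAP client: wrap the operation and its XML-escaped parameters in an envelope."""
    body = "".join(f"<{k}>{escape(v)}</{k}>" for k, v in params.items())
    return (f'<soap:Envelope xmlns:soap="{SOAP_NS}"><soap:Body>'
            f'<{operation} xmlns="{SERVICE_NS}">{body}</{operation}></soap:Body></soap:Envelope>')


def fault_string(body):
    m = re.search(r"<faultstring>(.*?)</faultstring>", body, re.S)
    return m.group(1) if m else ""


def mock_endpoint(envelope):
    """Constructed stand-in for the target service, returning (status, body). GetBalance
    behaves like an unparameterised SQL query; Greet reflects its input without escaping."""
    call = ET.fromstring(envelope).find(f"{{{SOAP_NS}}}Body")[0]
    operation = call.tag.split("}")[-1]
    params = {c.tag.split("}")[-1]: (c.text or "") for c in call}
    if operation == "GetBalance":
        acct = params.get("accountId", "")
        if "'" in acct:
            return 500, ("<soap:Fault><faultstring>You have an error in your SQL syntax "
                         "near ''' at line 1</faultstring></soap:Fault>")
        if not acct.isdigit():
            return 500, "<soap:Fault><faultstring>Invalid account</faultstring></soap:Fault>"
        return 200, f"<GetBalanceResponse><balance>{len(acct) * 10}</balance></GetBalanceResponse>"
    if operation == "Greet":
        return 200, f"<GreetResponse><msg>Hello {params.get('name', '')}</msg></GreetResponse>"
    return 404, "<soap:Fault><faultstring>Unknown operation</faultstring></soap:Fault>"


def explore(ops, send):
    """Explore phase: record a baseline response per operation and catalog the service's
    own error responses so the Test phase does not report them as attack results."""
    baseline, error_catalog = {}, set()
    for op, params in ops.items():
        baseline[op] = send(build_envelope(op, {p: BASELINE_VALUE for p in params}))
        for probe in INVALID_PROBES:
            status, body = send(build_envelope(op, {p: probe for p in params}))
            if status >= 400:
                error_catalog.add(fault_string(body))
    return baseline, error_catalog


def run_tests(ops, error_catalog, send):
    """Test phase: inject one payload into one parameter at a time and apply validation rules."""
    findings = []
    for op, params in ops.items():
        for target in params:
            for name, payload, severity in TESTS:
                values = {p: (payload if p == target else BASELINE_VALUE) for p in params}
                request = build_envelope(op, values)
                status, body = send(request)
                sqli = (name == "SQL injection" and SQL_ERROR.search(body)
                        and fault_string(body) not in error_catalog)
                xss = name == "Cross-site scripting" and status == 200 and payload in body
                if sqli or xss:
                    findings.append(Finding(op, target, name, severity, request, body))
    return sorted(findings, key=lambda f: SEVERITY_RANK[f.severity])


def run_scan(wsdl_text, send):
    """One Scan iteration: Explore, then Test. Further iterations would re-explore links
    that the Test phase turned up."""
    ops = parse_wsdl(wsdl_text)
    _, error_catalog = explore(ops, send)
    return run_tests(ops, error_catalog, send)


if __name__ == "__main__":
    for f in run_scan(SAMPLE_WSDL, mock_endpoint):
        print(f"{f.severity:<7} {f.test:<21} {f.operation}.{f.parameter}")
```

Run as a script, it reports the SQL injection in GetBalance.accountId and the reflected script in Greet.name, with the raw request and response kept on each finding for the report. The Explore catalog is what keeps the "Invalid account" fault out of the findings: the SQL injection rule fires only on an error the service did not already produce for ordinary bad input.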

AppScan classifies its findings into high-, medium-, low-, and informational-severity levels. Each finding is described in detail and referenced to a specific Web Application Security Consortium (WASC) threat classification. Information provided includes the URL that produced the result, a detailed description of the security risk, a recommendation for addressing the issue, and the raw request/response data.

In a typical testing situation, some scenarios produce results that are expected yet are still reported by AppScan as issues. To accommodate this, AppScan allows a particular issue to be marked as a false positive. AppScan also lets the tester document an issue by adding comments and capturing a screenshot of the results page.

When using AppScan for this review, it quickly became evident that the tool can also be highly effective in the day-to-day development process. One possibility is to run AppScan tests as part of nightly and/or milestone builds, using the results to target and resolve problem areas before they reach formal testing. In the long run, this approach can lead to a more efficient development and testing process, reduce the number of test cycles, improve quality, and establish security as a philosophy across all segments of the development lifecycle.

Test Catalog
AppScan is packaged with a catalog of tests. The following lists the general categories with some example tests in each:

  • Privacy: Unencrypted password, GET parameter sensitivity
  • Authentication: Bypasses or exploits for ASP.NET, Lotus Domino, JRun, Netscape, PHP, and others
  • Authorization: Token prediction, access control bypasses, session expirations
  • Client Side: Cross-site scripting, SOAP response splitting
  • Command Execution: SQL injection, SSI injection, buffer overflow
  • Information Disclosure: Directory listing, log file publication, predictable location of sensitive resources/directories
  • Logical: E-mail parameter spoofing, non-SOAP Web Service access, Denial of Service

Upon completing testing and remediation activities, AppScan can be used to generate reports that profile the application under investigation. Many reports are available, categorized as follows:

  • Security Reports: Summarizes the vulnerabilities found during the scan along with the recommended remediation steps
  • Industry Standard Reports: Provides an analysis of the application against standards from the Open Web Application Security Project (OWASP); SysAdmin, Audit, Network, Security (SANS) institute; and the Web Application Security Consortium (WASC)
  • Regulatory Compliance Reports: Analyzes the application against the requirements of several regulatory regimes, some of which include HIPAA, ISO, and SOX
AppScan also provides the flexibility to create user-defined report templates to fulfill any requirements not met by the existing set.

Summary
All applications in a corporation's portfolio have security implications, whether they are local to a user's desktop, private to a corporate intranet, or public-facing. Care must be taken not only to protect corporate assets but also to fulfill the regulatory requirements that govern the collection, use, and publication of data. Security should therefore be part of the entire application development lifecycle. Watchfire's AppScan is a simple and effective tool that can be incorporated into each phase of the development process, helping to identify and mitigate risks before they cause significant damage. (see sidebar)

About Brian Barbash
Brian R. Barbash is the product review editor for Web Services Journal. He is a senior consultant and technical architect for Envision Consulting, a unit of IMS Health, providing management consulting and systems integration that focuses on contracting, pricing, and account management in the pharmaceutical industry.
