Closing the Gap: Analyzing the Limitations of Web Application Vulnerability Scanners




The presentation
The threat of cyber attacks due to improper security is a real and evolving danger. Corporate and personal data is breached and lost because of web application vulnerabilities thousands of times every year. Web application vulnerability scanners are tools that network administrators and security experts can use to help prevent and detect vulnerabilities such as SQL injection, cross-site scripting, and session hijacking. However, these tools have been found to have flaws and limitations. Research has shown that web application vulnerability scanners cannot reliably detect every vulnerability and attack vector, and therefore do not give an effective measurement of web application security. This paper presents a method for analyzing the flaws and limitations of several of the most popular commercial and free/open-source web application scanners by running them against a secure and an insecure version of a custom-built web application. The described method allows us to recommend improvements to web application scanner techniques that reduce the number of false-positive and false-negative results.
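The scoring behind the secure/insecure comparison, as an added illustration that is not part of the paper: each scanner's findings on the insecure build are matched against the known, seeded vulnerabilities, while any finding on the secure build is a false positive by construction. The ground truth, the scanner names and the report format are constructed assumptions, not data from the paper.

```python
from typing import Dict, Set, Tuple

# A finding is (endpoint, vulnerability class). Ground truth is constructed for a
# hypothetical custom-built app: the insecure build seeds three known flaws, the
# secure build has none, so every finding reported there is a false positive.
Finding = Tuple[str, str]
GROUND_TRUTH: Dict[str, Set[Finding]] = {
    "insecure": {("/login", "sqli"), ("/search", "xss"), ("/account", "session")},
    "secure": set(),
}

# Constructed scanner reports (hypothetical tools, assumed output format).
SCANNER_REPORTS: Dict[str, Dict[str, Set[Finding]]] = {
    "scanner_a": {
        "insecure": {("/login", "sqli"), ("/search", "xss"), ("/help", "xss")},
        "secure": {("/help", "xss")},
    },
    "scanner_b": {
        "insecure": {("/login", "sqli")},
        "secure": set(),
    },
}


def score_build(report: Set[Finding], truth: Set[Finding]) -> Dict[str, int]:
    """Count true positives, false positives and false negatives for one build."""
    return {
        "tp": len(report & truth),
        "fp": len(report - truth),   # reported but not seeded
        "fn": len(truth - report),   # seeded but missed
    }


def evaluate(report_by_build: Dict[str, Set[Finding]],
             truth_by_build: Dict[str, Set[Finding]] = GROUND_TRUTH) -> Dict[str, float]:
    """Aggregate over both builds and derive precision (FP rate proxy) and recall (FN rate proxy)."""
    totals = {"tp": 0, "fp": 0, "fn": 0}
    for build, truth in truth_by_build.items():
        for key, value in score_build(report_by_build.get(build, set()), truth).items():
            totals[key] += value
    tp, fp, fn = totals["tp"], totals["fp"], totals["fn"]
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    return {**totals, "precision": precision, "recall": recall}


if __name__ == "__main__":
    for name, report in SCANNER_REPORTS.items():
        print(name, evaluate(report))
```

A scanner that flags the secure build lowers its precision; one that misses seeded flaws on the insecure build lowers its recall, which is the gap the paper's method measures.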

The speakers
Bios will be posted shortly