Application Scanning Tools
Some scanning tools are specialized to inspect a specific type or types of applications (for example, web or database server applications such as Apache or Microsoft® SQL Server) for known security weaknesses. These products are called Application Scanners. They would normally be run against an application before putting it into production on the Internet, and then rerun periodically to ensure that no newly discovered exploits exist in the application.
SecurityAppraisers® installs and maintains the following Application Scanning Tools:
| Product | Manufacturer | Protected Applications | Platform(s) it runs from | Price |
| --- | --- | --- | --- | --- |
| AppDetective | | MS-SQL, DB2, Oracle, Lotus Notes | Windows | $1,170 |
| ScanDo | | Apache, IIS | Linux, Windows | $6,000 |
| WebInspect | | Apache, IIS | Windows (except NT 4) | $6,000-25,000 |
| ApScan | | Apache, IIS | Windows | $15,000-35,000 |
Products are listed in ascending order of price; your individual requirements should be the most important factor in choosing a product.
"How does an Application Scanner work?"
It employs a database of all known application exploits, vulnerabilities, etc., and tests to see if each exploit could be perpetrated (without actually following through with the destructive aspects of the exploit). Any exploits the scanner sees it could accomplish are brought to the attention of the application's developer in the form of a report.
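The following added example illustrates this model in miniature; it is not code from SecurityAppraisers or from any product listed above. A scanner of this kind keeps a database of known weaknesses and, for each one, runs a non-destructive check (here, comparing the version a server advertises against the affected range) and collects the matches into a report for the developer. All advisory identifiers, versions and host names below are constructed placeholders.

```python
"""Minimal signature-based application scanner (added illustration).

The "known vulnerability" database and the captured server banners are
constructed placeholders for demonstration, not real advisories or hosts.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Signature:
    advisory_id: str              # placeholder id such as "EXAMPLE-0001"
    product: str                  # product name as it appears in a Server banner
    affected_max_version: tuple   # versions <= this tuple are affected
    fixed_in: str                 # remediation guidance for the report


# Constructed signature database (placeholders, not real CVEs).
SIGNATURES = [
    Signature("EXAMPLE-0001", "Apache", (1, 3, 26), "1.3.27"),
    Signature("EXAMPLE-0002", "Microsoft-IIS", (5, 0), "5.0 with vendor patch"),
]


def parse_version(text):
    """'1.3.26' -> (1, 3, 26); tuples compare element by element."""
    return tuple(int(part) for part in text.split("."))


def parse_server_header(header_value):
    """'Apache/1.3.26 (Unix)' -> ('Apache', (1, 3, 26)); None if unparseable."""
    token = header_value.strip().split()[0] if header_value.strip() else ""
    if "/" not in token:
        return None
    product, version = token.split("/", 1)
    try:
        return product, parse_version(version)
    except ValueError:
        return None


def scan(banners):
    """Non-destructive check: nothing is sent beyond reading the banner.

    banners: dict mapping host -> observed Server header value.
    Returns a list of findings; unrecognised banners are reported for
    manual review rather than silently passed, so hidden or rewritten
    banners do not turn into false negatives.
    """
    findings = []
    for host, header in banners.items():
        parsed = parse_server_header(header)
        if parsed is None:
            findings.append({"host": host, "advisory": None,
                             "note": "banner not recognised; review manually"})
            continue
        product, version = parsed
        for sig in SIGNATURES:
            if sig.product == product and version <= sig.affected_max_version:
                shown = ".".join(str(n) for n in version)
                findings.append({"host": host, "advisory": sig.advisory_id,
                                 "note": f"{product} {shown} affected; fixed in {sig.fixed_in}"})
    return findings


def report(findings):
    """Render findings as the kind of text report handed to the developer."""
    if not findings:
        return "No known weaknesses matched the signature database."
    lines = [f"{len(findings)} item(s) need attention:"]
    for f in findings:
        tag = f["advisory"] or "REVIEW"
        lines.append(f"  [{tag}] {f['host']}: {f['note']}")
    return "\n".join(lines)


# Constructed sample input standing in for banners captured from a staging network.
SAMPLE_BANNERS = {
    "web1.example.test": "Apache/1.3.26 (Unix)",
    "web2.example.test": "Apache/2.0.43 (Unix)",
    "intranet.example.test": "Microsoft-IIS/5.0",
    "legacy.example.test": "nginx",
}

if __name__ == "__main__":
    print(report(scan(SAMPLE_BANNERS)))
```

Because the check only reads what the server already advertises, it carries none of the destructive side effects the question mentions; the trade-off, as the last FAQ answer notes, is that a signature scanner can only find what is in its database, so it should be rerun whenever the database or the application changes.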
"How is it different from a Virus Scanner?"
A Virus Scanner sees if malicious code is already present on a computer, whereas an Application Scanner brings to the attention of a developer those portions of an Application that are likely to be infested and/or exploited.
"If I use an Application Scanner, will it then be impossible to 'hack' my application?"
No. It will only identify the known exploit opportunities that exist in your application. Work remains to be done to further reduce the possibility of exploitation (so the scanner should be rerun after the application developer thinks s/he has secured the application). If an application:
- is written according to principles of rigorous security design; and
- has round-the-clock monitoring configured for it to alert support whenever anomalous events arise,
the likelihood of exploit for such an application will be reduced.