Why Dynamic Scanning?
Dynamic scanning is today a necessity for all web-based applications; it helps give an idea of the security level the application meets.
If a web-based application has a vulnerability, the worst case is that an attacker gains administrative access to the server where the web-based application or database server is running.
What is Dynamic Scanning?
Dynamic scanning means scanning a web-based application in the production environment it lives in. It therefore scans not only for errors in the web application but also for errors in the web server, the firewall and everything else that surrounds the web-based application.
Dynamic scanning should be done for every new release of the web-based application and after each update of the web server, the server (operating system), the database server, the firewall, or the IDS/IPS, as a new release may contain new bugs or misconfigurations.
How does Dynamic Scanning work?
Dynamic scanning is done by a program that communicates with the web-based application through the web front end in order to identify potential security vulnerabilities in the web application and architectural weaknesses.
Dynamic scanning can be done in several ways, but most dynamic scanners can run as an automatic process that looks for vulnerabilities by sending attacks, and this can be up to several thousand attacks for each web-based application.
What if Dynamic Scanning?
It's never too late to perform a dynamic scan of a web-based solution; it is always better to know how things look than to face a large data loss because you did not know that there were vulnerabilities.
Dynamic scanning is usually not something that takes several hours (there are many factors that are important here), and once it is complete the results of the scan give a clear picture of the security status of the web application.
Arama Consult recommends that all its customers dynamically scan their web-based solutions on a regular basis, since it is impossible to predict when a new vulnerability will find its way into the web-based solution, whether it is introduced via an update in the production environment or through a new way to attack or exploit the environment.
Here is a list of different Dynamic Scanning solutions: