Web Application Scanning
WebTrust is a web application scanning and vulnerability management service that enables organizations to assess, track and remediate web application vulnerabilities. WebTrust is an on-demand security-as-a-service delivered via TrustNet's cloud and iTrust security management platform. WebTrust supports organizations seeking to ensure the security of their web applications and meet PCI Requirements 6.5 and 6.5. This service allows user organizations to:
- Perform deep probing of web applications
- Identify critical cross-site scripting, SQL injection, local file inclusions, and many other vulnerabilities
- Detect sensitive content in HTML based on user settings
WebTrust Web Application Scanning
WebTrust is an on-demand security-as-a-service web application security scanning service. WebTrust is used to scan corporate web sites and web-based applications for vulnerabilities, giving IT management essential defensive intelligence before those vulnerabilities can be exploited by malicious hackers. The application is managed via the iTrust security management platform using an intuitive graphical user interface that is accessible via a web browser. The application is available on-demand and can be scheduled to run at any time.
Identify Web Application Vulnerabilities
WebTrust analyses and identifies vulnerabilities which may be exploited by hackers and malicious users. Examples of these vulnerabilities include:
- Cross Site Scripting (XSS) - WebTrust uses a variety of payloads to detect both stored and reflected cross-site scripting vulnerabilities, whether the vulnerability is in a form, the URL, or a cookie.
- SQL injection - SQL injection vulnerabilities can potentially lead to full operating system and network compromise, which can be particularly devastating to a business. WebTrust detects error-based SQL injection using both rational and variants of the prevailing attack vectors.
- Local File Inclusion (LFI) - WebTrust detects local file inclusion vulnerabilities within web applications across all operating systems.
- Information Leakage - Web applications and misconfigured servers could unintentionally leak sensitive information which could be used to directly exploit the system or used to further facilitate a separate attack. WebTrust identifies the vulnerabilities before the hackers do.
The identification of web application vulnerabilities is in reality just the beginning of the vulnerability management process. The critical task of remediation is simplified using the integrated WebTrust remediation reports. WebTrust technical reports include a severity rating, brief synopsis, technical vulnerability analysis, description of how the vulnerability can be exploited, step-by-step detailed remediation guidance, and links to external resources for additional technical information.
In addition, the TrustNet technical support team is always available to assist you via email, chat, and telephone.
In addition to the vast database of known vulnerabilities, WebTrust is constantly updated by TrustNet's security engineers for evolving and emerging threats. In addition to our internal research, we draw from a vast pool of resources including the open source community and government agencies around the world.
As with all iTrust applications, WebTrust includes a wide range of pre-defined reports and an integrated robust custom report generator. These tools enable reports to include any combination of management, technical, and in-depth vulnerability analysis. Technical reports include detailed analysis of issues and detailed remediation guidance including issue-specific links to Bugtraq, OSVDB (Open Source Vulnerability Database), CVE (Common Vulnerabilities and Exposures database) and CVSS (Common Vulnerability Scoring System). WebTrust reports are presented in easy-to-understand graphical formats and generated in HTML, PDF, and XML formats. The HTML and XML formats allow IT managers to import the data into Excel and other reporting tools.
WebTrust is a subscription-based service with pricing based on the number of IP addresses scanned. The service enables unlimited scanning of the authorized IP addresses, whenever required, either on-demand or at scheduled intervals. The unlimited scanning feature is especially useful during remediation testing to confirm that remedies were successfully implemented.
WebTrust Web Application Scanning Features
Dashboard Management: Easy-to-use single-view dashboard with data filtering by date, location, and device. The dashboard features a quick view of alert and connection status for all devices. The trending dashboard includes an interactive graphic with alerts by volume, target, and attack sources.
Role Based Permissions: Enterprise-grade role-based security that controls user access rights across all iTrust applications. Create an unlimited number of hierarchical roles, enabling delegation of responsibilities to reflect your unique organizational structure. Specify actions for each role (for example Schedule Scans, Add/Remove False Positives, Location Management) and the authorized functional profile (for example Full Vulnerability Assessment, SANS Top 20, PCI Compliance Check).
Reporting: Easy-to-understand graphical reports in HTML, PDF, and XML formats. Choose from a selection of standardized reports or create your own using the dynamic report generator. Each issue is color coded and ranked based on severity.
Remediation Guidance: Reports include detailed step-by-step remediation guidance and one-click links to external resources for additional patching information and workarounds. These solutions have been tested and validated by TrustNet's experienced security team, who are on standby with unlimited technical support.
Security Event Management: Includes a single dashboard view of all alerts. Alert detail includes color-coded severity ratings, attack sources, attack targets, and time and date stamp. Users can specify actions such as Dismiss and Escalation to another iTrust user or external email address. Alerts can also be dismissed en masse.
Targeting Scanning: Scan your targets individually or by group. Use our predefined groups or create an unlimited number of your own, for example by location, business unit, subnet, department, and risk level.