What do chess, the world's most dominant computer chess machine, and Garry Kasparov have to do with Web application security?
For many years, security professionals have thought there would come a day when technology alone could identify all Web application vulnerabilities and prevent all attacks, eliminating the need for the Kasparovs of the world. What we've come to understand is that Web application security is a fundamentally different game from chess, or even from network security. It is highly unlikely that machines will ever completely replace people in the process of assessing Web site security. What's important to understand is why.
Chess is a straightforward game. The board presents a finite number of legal moves and a limited number of end-game positions. With chess it is mathematically possible to enumerate every move that may result from a given position and to search "n" moves further into the future. Since the game itself is defined and finite, although admittedly extremely large, the path to victory can be completely automated and followed precisely. Eventually computers will win at chess every time rather than settling for a draw.
Web sites are at the opposite end of the spectrum. They maintain an open-door policy toward user interaction, rarely follow Internet standards, and never operate the same way twice. Even simple tasks such as shopping online or Web banking are implemented in drastically different ways, functionally and architecturally, from one site to the next. Web application vulnerability scanners therefore operate in a complicated environment where the end result of a given request is anything but obvious.
Web application vulnerability scanners depend on the relative predictability of Web sites to identify security issues. Using a loose set of rules, scanners work by simulating Web attacks and analyzing the responses for telltale signs of weakness. From experience, we know how a Web site will normally react when a security issue is present. We know that if sending a Web site certain meta-characters (a single quote, for example) produces a database ODBC error message, a SQL Injection issue has likely been detected. At WhiteHat Security we call these "technical vulnerabilities," and scanners have become fairly proficient at identifying them. But as Web sites become increasingly sophisticated, yesterday's telltale signs are today's false positives: the same error text may appear in a help page, a custom error handler, or a canned response to any malformed input. As such, we are no longer guaranteed that a specific response indicates that a security issue is present. This has made the automated process of finding simple vulnerabilities hard -- and finding difficult ones impossible.
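The signature-matching rule described above, and the way it turns into a false positive, can be shown in a few lines. The following is an added example written for this article; it is not WhiteHat Security's scanner logic or rule set. The error signatures, the probe strings, the two fake "sites" and their response bodies are all constructed for the example so that it runs offline. The `fetch` callable stands in for the HTTP request a real scanner would send.

```python
import re

# Constructed signatures modelled on common database driver error text.
# This list is an assumption for the example, not a vendor rule set.
SQL_ERROR_SIGNATURES = [
    r"\[Microsoft\]\[ODBC SQL Server Driver\]",
    r"Unclosed quotation mark",
    r"You have an error in your SQL syntax",
    r"ORA-\d{5}",
    r"Warning: mysql_",
]
SQL_ERROR_RE = re.compile("|".join(SQL_ERROR_SIGNATURES), re.IGNORECASE)

# Meta-characters a scanner appends to a parameter value to provoke an error.
PROBES = ["'", "\"", "'--", "' OR '1'='1"]


def find_sql_errors(body):
    """Return every error signature string found in a response body."""
    return [m.group(0) for m in SQL_ERROR_RE.finditer(body)]


def signature_only_verdict(probe_body):
    """Yesterday's rule: any database error text in the response means SQLi."""
    return bool(find_sql_errors(probe_body))


def differential_verdict(baseline_body, probe_body):
    """Flag only signatures that the benign request did NOT already return.

    This removes the false positive caused by error text that is part of the
    site's normal content, but it cannot tell a real injection from a site
    that returns the same canned error page for any malformed input.
    """
    already_present = set(find_sql_errors(baseline_body))
    new_signatures = set(find_sql_errors(probe_body)) - already_present
    return bool(new_signatures)


def scan_parameter(fetch, benign_value="50"):
    """Simulate one parameter scan: baseline request, then each probe.

    `fetch(value)` returns the response body for that parameter value.
    Returns {probe: {"signature_only": bool, "differential": bool}}.
    """
    baseline = fetch(benign_value)
    results = {}
    for probe in PROBES:
        body = fetch(benign_value + probe)
        results[probe] = {
            "signature_only": signature_only_verdict(body),
            "differential": differential_verdict(baseline, body),
        }
    return results


# --- Constructed responses standing in for two different Web sites ---------

# Site 1: a classic ASP/ODBC page that really is injectable.
VULNERABLE_BASELINE = "<html><body>Item 50: Widget, $300.00</body></html>"
VULNERABLE_PROBE = (
    "<html><body>Microsoft OLE DB Provider for ODBC Drivers error '80040e14'"
    "<br>[Microsoft][ODBC SQL Server Driver][SQL Server]Unclosed quotation "
    "mark before the character string ''.</body></html>"
)


def vulnerable_site(value):
    """Fake fetch: a quote in the parameter breaks the query and leaks the error."""
    return VULNERABLE_PROBE if ("'" in value or '"' in value) else VULNERABLE_BASELINE


# Site 2: a troubleshooting article whose normal content mentions ODBC errors.
KB_PAGE = (
    "<html><body><h1>Troubleshooting</h1>If you see "
    "[Microsoft][ODBC SQL Server Driver] errors, check your DSN settings."
    "</body></html>"
)


def knowledge_base_site(value):
    """Fake fetch: the page ignores the parameter and always returns the same text."""
    return KB_PAGE


if __name__ == "__main__":
    for name, site in (("vulnerable", vulnerable_site), ("kb", knowledge_base_site)):
        print(name, scan_parameter(site))
```

Against the first site both rules agree. Against the second, the signature-only rule reports SQL injection on every probe because the static article text matches the ODBC pattern, while comparing each probe against a baseline response suppresses it. The differential check is still a heuristic: a site that answers every malformed request with the same database-style error page will pass it, which is exactly the kind of case the text says needs a human to confirm.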
Consider the following example. If we visit a Web site and are presented with the following URL: http://example/order.asp?item=50&price=300.00