As CEO, I’m constantly emphasizing the importance of customer support and trying to attend several support calls each week to stay on top of our support quality and what customers are asking.
Surprisingly, application scan times are one of the most common issues raised by customers. Occasionally, scans will take days or even weeks.
At this point, I would say that in almost all cases, there is an issue that lies within the application’s environment as opposed to a something within the software.
First some background on web application security scanners. Web scanners first crawl websites, enumerate attack points and then create custom attacks based on the site. So, for example, if I have a small site with 200 attackable inputs and each one can be attacked 200 ways, with each attack requiring 2 requests, I have 200*200*2 or 80,000 requests to assess that site.
Now NTOSpider can be configured to use up to 64 simultaneous requests so depending on the response time from the server, you can run though requests very quickly. Assuming, for example, 10 requests a second, that’s 600 per minute, 36,000 per hour and you can get through that site in 2.22 hours.
The problem is that quite often the target site is not able to handle 10 or even 1 request per second. Some reasons can include:
- Still in development – The site is in development and has limited processing power and/or memory.
- Suboptimal optimization – The site is not built to handle a high level of traffic and this has not yet shown up in QA. We were on the phone with a customer last month who allowed us to look at the server logs and we saw that one process involved in one of our requests was chewing up 100% of the CPU for 5 seconds. Another application was re-adding every item to the database each time the shopping cart was updated (as opposed to just the changes) and our 5,000 item cart was severely stressing the database.
- Middleware Not to bash any particular vendor (Coldfusion) but some middleware is quite slow.
So let’s look at our 80,000 request example from above and assume that our site can only handle 1 request per second. Our 2.2 hour scan time balloons to 22 hours. For our 5 second response in bullet 2, we get to 4.6 days for our little site. The good news is that NTOSpider can be configured to slow itself down so as to not DOS the site (this is our Auto-Throttle feature). The bad news is that it will take some time.
So what’s a poor tester to do?
- Beefier hardware If you are budgeting for a web scanner, consider spending a couple of extra thousand dollars on some decent hardware to test your apps. (Note – a modern laptop with optimal ram for the OS you are running – 32-bit OS = 4 Gigs of ram / 64-Bit OS = 8 Gigs of ram – will solve 90% of all performance issues.)
- Scheduling In some cases, you can schedule scans so that even if they are longer, you can still get things done in time.
- Segmenting In some cases, if you know that only a portion of the site has changed, you can target the scan to test only that subset and dramatically reduce scan time.
- Code Augmentation Not to put too fine a point on it, but if a single request is taking 5 seconds to process, a hacker can DOS your site by hand. You might want the developers to look at adjusting the code.
Leave a Reply