I work as a cloud security professional (CCSP) and my life is always partnered with dynamic and automated vulnerability scanner tools to get my job done in addition to finding manual and logical vulnerabilities. Let’s face it, there are things that only a tester can see which an automated scanner misses, and there are findings that a tester misses but are found by a vulnerability scanner. Those automated findings are then analyzed by the tester, who sorts them into true positives and false positives.
But wait! Before anything else, this article is not all about vulnerability scanners and how to find security bugs efficiently. I just want to point out the usage of vulnerability scanners for security professionals.
I want to share a new product called CloudPro-X by Provensec. CloudPro-X is a cloud security scanner that offers automated vulnerability auditing, uptime monitoring of your website, and malware or virus infection scanning.
CloudPro-X is a product that offers Security-as-a-service (SaaS) in the cloud and is different from platform-based web application vulnerability scanners like Acunetix or Webinspect.
The user interface of their cloud security scanner is simple and easy to use: each of the three modules launches with a click of a button:
CloudPro – the security scanning service that reports vulnerabilities
Uptime Mon – the uptime monitoring service which checks if your site is down or up
Malware Mon – scans your website for virus and malware infections
To start scanning your assets or servers with the main security scanning service (the first module), you need to add an asset first by clicking on My Account Settings. Navigate to the Asset Management tab, and from there you can easily add the website or the IP address you want to audit. You can also specify what type of asset the target is: HTTPS enabled server, HTTP enabled server or Infrastructure device IP.
In my case, I added zero.webappsecurity.com, which looks like an online banking website but is actually a test bed for testing Hewlett-Packard’s WebInspect for detecting and reporting web application vulnerabilities. WebInspect is another web vulnerability scanner that I am comfortable with, but let’s focus on CloudPro-X for this review.
Since http://zero.webappsecurity.com is where Zero Bank actually lives, and its HTTPS server only shows the default page of a newly installed Apache server, I should just define my asset type as HTTP enabled server.
After you click the Submit button, the page should say “You have successfully added asset(s)!” The next thing to do is launch the CloudPro module, click the Scans tab, add the asset under the Add New Scan function, choose Run Live Scan >> for the asset and then wait for the results. Yes, that’s it! Just wait for 24 hours for a scan to be completed, and get an exclusive security assessment report in your mailbox. Simple, right?
One of the things that I like about their service is the free alert for every vulnerability that the scanner finds.
By default, the application emails you whenever the scanner finds High and Medium vulnerabilities, but if you wish to receive an alert whenever any new vulnerability is found, you can just check the New Vulnerability option. Of course, I would prefer High and Medium vulnerabilities for the alerts in order to mitigate spamming.
Here is a sample email I received:
After the scan is completed, the application emails you the vulnerability assessment report as a PDF by default. The report includes an executive summary, a summary of the security findings, CVE IDs, Bugtraq IDs, etc.
The report seems very detailed, but what it lacks are the requests and responses for each web vulnerability it has found. It would be nice to have a sample request and response for the web vulnerabilities, since they are the basis for most proofs of concept, like injecting an XSS payload in a custom cookie. I hope they add it in the near future.
Since CloudPro-X doesn’t have a login macro, unlike your typical vulnerability scanners (e.g. IBM AppScan, HP WebInspect, Netsparker) where one is used for authenticated scans, you need to request a manual audit in order to provide the login credentials or dummy accounts, network authentication (e.g. Basic, NTLM), and the valid request and response for a web service scan.
Running Malware Mon and Uptime Mon works just like setting up another security scan, so you need to define the asset there too.
Overall, CloudPro-X is easy to use and I really think it is a good security product. In terms of vulnerability findings, it is not that robust yet, but there is always room for improvement. It has a detailed summary of vulnerability findings in the report but, as I said, it lacks the request and response for web app vulnerabilities.
Provensec’s product does not focus only on web app vulnerabilities; it also does infrastructure scanning, which covers server security as well: it port-scans the host and identifies running services that you should be aware of for specific vulnerabilities.
As a side note, CloudPro-X should not be compared to platform-based web application vulnerability scanners, which are built purely for web app security testing, since it does not only do web app vulnerability assessment but also uptime monitoring and malware infection scanning. It is a cloud-based security suite, and I give this product a score of 7.5 out of 10.