WebInspect 6.1
SPI Dynamics
Price: starts at $6,000 for one Web server license
Increasing attacks against vulnerable public Web applications
threaten your company's ability to do business and can undermine
its reputation. Given the inadequacy of network-based security
tools such as firewalls to address these threats, the case for
building bullet-proof applications grows more compelling than
ever.
SPI Dynamics' WebInspect greatly facilitates the development and
delivery of secure Web applications by identifying and fixing
vulnerabilities without leaving the Visual Studio-integrated
development environment.
Installation/Ease-of-use: B+
Installation and initial setup were smooth, guided by a wizard
through importing the license key and entering all the basic
information. You can select assessment type (single application,
enterprise or Web service) and method (a combination of automated
or manual crawling and auditing). More than 30 policy choices offer
a selection of security engines and vulnerability tests ranging
from OWASP top 10 to ISO17799.
Users can select modules or let the automatic crawler completely
map a site's tree structure and apply all of the selected policies'
attacks from among more than 30,000 individual security checks.
However, because WebInspect doesn't run as a service, the only
way to run a scan at a scheduled time is to have the application
open when the scan is due. We used the Windows scheduler to launch
it.
Advanced Features: B
SPI Dynamics has tried to create a one-stop solution for Web
application and services assessment by incorporating multiple
advanced assessment techniques within its tools menu. Users have
lots of options, including customizing existing policies and
creating specific checks for a Web application, and creating
startup or login scripts with form inputs.
HTTP and SOAP editors are useful features for QA testers,
allowing them to try out various request/response combinations.
Another cool feature is the SPI Fuzzer, which generates random or
sequential data to test against various areas of an
application.
Advanced users will appreciate the inclusion of
encoders/decoders that can be used to convert, encrypt and decrypt
text in multiple formats. Regex Tester is another handy little tool
for testing and applying regular expressions in the HTTP editor and
elsewhere, such as in session filters.
Effectiveness: B
We ran WebInspect against two production MS SQL Server-based Web
applications: one serving as the gift card ordering and fulfillment
portal for a restaurant chain and the other for an online credit
management site. Although there weren't many obvious issues with
the applications, WebInspect thoroughly scanned and identified even
more subtle vulnerabilities.
We'd dispute some of the severity levels assigned to the
findings, but it was nice to be able to see complex modules broken
down into individual pages in a hierarchical tree structure and
discovered vulnerabilities displayed with complete details in near
real-time. The program ran amazingly fast, spitting out about 150
requests per second.
The well-designed dashboard gives the user multiple real-time
views and alerts, including detailed vulnerability explanations and
remediation recommendations.
Reporting: A
We were impressed with the breadth and depth of reporting options.
Templates range from compliance and developer to executive. You can
also pick and choose from individual reporting options like
developer references and QA summary.
The best option by far is the trending and comparison report,
which allows you to track the progress of remediation efforts based
on previous results.
Verdict
SPI Dynamics has created a powerful tool for novices as well as
advanced users. Consultants and companies with in-house application
security resources will appreciate the time and effort it
saves.
Testing Methodology
WebInspect 6.1 was run against two e-commerce applications based on
.NET and MS SQL Server in a production environment. These
applications were tested multiple times with various automated and
manual configurations.
This product review originally appeared in the November 2006
edition of Information Security magazine.