SPI Dynamics' newest version of WebInspect isn't just an
improvement over its predecessor - it's a completely re-architected
product. WebInspect 7 is an advanced tool designed to sniff out the
vulnerabilities presented by Web 2.0.
The re-architecture of a product
"Very little code is the same," said Erik Peterson, SPI Dynamics'
vice president of product management. "This is a huge advancement
and a first for the industry." Among the product's highlights are
its Intelligent Engines, which significantly reduce false
positives; multiple simultaneous scans; and state maintenance for
complex applications, which allows for smoother authentication and
more authentication options.
Peterson spoke excitedly about the product's development, a
massive project that started three years ago with an initiative
called Project Phoenix. "SPI Dynamics saw a real change in how
applications were deployed and used," Peterson said. "We realized
the architecture of our scanner was just not going to keep up with
the rapidly changing pace of the Web today."
Scanning Web 2.0
The Phoenix team was charged with re-architecting the company's
scanners. The scanners on the market were designed for earlier,
simpler applications, rendering them inadequate for Web 2.0.
"The crawl and audit process that you see in scanners today had
been with us since the beginning," Peterson said. "This kind of legacy
process is difficult to turn on its head and make something
different."
Traditionally, a scanner crawls an application, looking for the
application's resources and mapping them. Then the application is
audited based on the information from the crawl. With WebInspect 7,
the application is crawled and then audited, but during the audit
the tool continues to look for resources. The tool continues to
crawl and audit the application until all is discovered and
audited. SPI Dynamics calls this process Recursive Crawl and
Audit.
With this method, "we now have a product that can behave much
more like a human," Peterson said. The result is a truly exhaustive
scan with far fewer false negatives, he said.
The ability to conduct multiple simultaneous scans is another
helpful feature in WebInspect 7. The tool can be used to scan two
sites at once or it can scan the same site with different users.
Doing so helps detect problems such as privilege escalation and
lessens the scan load, Peterson said. Considering that some users
conduct thousands of assessments per year in a rapidly expanding
Web environment, simultaneous multiple scans can cut a considerable
amount of time, he said.
The feature also provides immediate feedback. A tabbed user
interface lets users see all the scans at once.
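The two scan models described above, as an added illustration that is not SPI Dynamics' or WebInspect's code: a toy crawl-then-audit pass beside a single recursive crawl-and-audit worklist, and a two-role differential scan of the same site, the kind of comparison that surfaces privilege-escalation candidates. Everything in it (the SITE table, the fetch() and audit() stand-ins for HTTP traffic, the role names) is constructed for the example.

```python
"""Added example, not SPI Dynamics or WebInspect code. Models the
"Recursive Crawl and Audit" loop next to a classic crawl-then-audit
pass, plus a two-role differential scan of the same constructed site."""
from collections import deque

# Constructed site model: the links each page exposes, the roles the
# server actually serves it to, and optionally a path that only shows up
# in the response to an audit probe (e.g. an error page naming an endpoint).
SITE = {
    "/":               {"links": ["/login", "/help", "/admin"], "serve_to": {"guest", "user", "admin"}},
    "/login":          {"links": [],                            "serve_to": {"guest", "user", "admin"}},
    "/help":           {"links": ["/search"],                   "serve_to": {"guest", "user", "admin"}},
    "/search":         {"links": [],                            "serve_to": {"guest", "user", "admin"},
                        "audit_reveals": "/search/export"},
    "/search/export":  {"links": ["/search/history"],           "serve_to": {"user", "admin"}},
    "/search/history": {"links": [],                            "serve_to": {"user", "admin"}},
    "/admin":          {"links": ["/admin/users", "/admin/reports"], "serve_to": {"admin"}},
    "/admin/users":    {"links": [],                            "serve_to": {"admin"}},
    # Constructed access-control gap: meant for admins, but served to any user.
    "/admin/reports":  {"links": [],                            "serve_to": {"user", "admin"}},
}


def fetch(path, role):
    """Stand-in for an HTTP GET issued from a session holding the given role."""
    page = SITE.get(path)
    if page is None:
        return {"status": 404, "links": []}
    if role not in page["serve_to"]:
        return {"status": 403, "links": []}
    return {"status": 200, "links": list(page["links"])}


def audit(path, role):
    """Stand-in for the audit step: returns any new path the probe responses
    expose for this resource, or None when nothing new is learned."""
    page = SITE.get(path)
    if page is None or role not in page["serve_to"]:
        return None
    return page.get("audit_reveals")


def crawl_then_audit(role, start="/"):
    """Classic two-phase scan: crawl to a fixpoint, then audit what was found.
    Paths that only surface during the audit are noted but never crawled or
    audited themselves. Returns (audited paths, paths left behind)."""
    found, seen, queue = set(), set(), deque([start])
    while queue:
        path = queue.popleft()
        if path in seen:
            continue
        seen.add(path)
        resp = fetch(path, role)
        if resp["status"] != 200:
            continue
        found.add(path)
        queue.extend(resp["links"])
    left_behind = set()
    for path in sorted(found):
        revealed = audit(path, role)
        if revealed and revealed not in found:
            left_behind.add(revealed)
    return found, left_behind


def recursive_crawl_and_audit(role, start="/"):
    """One worklist: each resource is crawled and audited, and whatever the
    audit exposes goes straight back onto the worklist until it is empty."""
    found, seen, queue = set(), set(), deque([start])
    while queue:
        path = queue.popleft()
        if path in seen:
            continue
        seen.add(path)
        resp = fetch(path, role)
        if resp["status"] != 200:
            continue
        found.add(path)
        queue.extend(resp["links"])
        revealed = audit(path, role)
        if revealed:
            queue.append(revealed)
    return found


def privilege_escalation_candidates(high_role, low_role):
    """Differential scan: resources only the privileged session's scan could
    reach, which the low-privilege session can nevertheless fetch directly."""
    high = recursive_crawl_and_audit(high_role)
    low = recursive_crawl_and_audit(low_role)
    return sorted(p for p in high - low if fetch(p, low_role)["status"] == 200)


if __name__ == "__main__":
    audited, missed = crawl_then_audit("user")
    print("crawl-then-audit audited:", sorted(audited), "left behind:", sorted(missed))
    print("recursive crawl+audit   :", sorted(recursive_crawl_and_audit("user")))
    print("escalation candidates   :", privilege_escalation_candidates("admin", "user"))
```

Run as-is, the two-phase pass audits four pages and leaves /search/export behind, while the recursive worklist also reaches /search/export and the /search/history page it links to; the differential scan flags only /admin/reports, the one admin path the user session is served.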
The state management engine has been rebuilt for WebInspect 7,
preventing accidental invalidation of results. Authentication is
made much easier, even for more complicated modes of authentication
such as two-factor and CAPTCHA.
Advanced security features
Other notable features of WebInspect 7 include IPv6 support, an
easy-to-use support channel and Hybrid Analysis.
- IPv6
Support for IPv6 (Internet Protocol version 6) is most useful to
SPI Dynamics' military and government customers at present.
However, this feature may become important to all users by late
2007, according to Peterson.
- Support channel
The support channel "allows us to get closer to our customers,"
Peterson said. "As Web applications get more complex and as the user
base grows, there comes a need to get feedback instantly," added
Peterson. Customers can just click and send queries directly to SPI
Dynamics, and the company can answer those questions and send other
important information instantly to the customer.
- Hybrid analysis
Customers may already be familiar with this feature, which combines
source code analysis and black box testing. This patent-pending
combination provides thorough vulnerability analysis and reduces
the number of false positives.
Peterson is fully confident that this product will secure
applications in the face of changing technology. WebInspect roots
out SQL injection and cross-site scripting (XSS) vulnerabilities
"in a way that's completely unique to the industry," Peterson
said. Today, "up to a third of an application's business logic
can exist in the client's browser. We saw the need for this new
technology."