SPI Dynamics' newest version of WebInspect isn't just an improvement over its predecessor - it's a completely re-architected product. WebInspect 7 is an advanced tool designed to sniff out the vulnerabilities presented by Web 2.0.
"Very little code is the same," said Erik Peterson, SPI Dynamics' vice president of product management. "This is a huge advancement and a first for the industry." Among the product's highlights are its Intelligent Engines, which significantly reduce false positives; multiple simultaneous scans; and state maintenance for complex applications, which allows for smoother authentication and more authentication options.
Peterson spoke excitedly about the product's development, a massive project that started three years ago with an initiative called Project Phoenix. "SPI Dynamics saw a real change in how applications were deployed and used," Peterson said. "We realized the architecture of our scanner was just not going to keep up with the rapidly changing pace of the Web today."
Scanning Web 2.0
The Phoenix team was charged with re-architecting the company's scanners. The scanners on the market were designed for earlier, simpler applications, rendering them inadequate for Web 2.0.
"The crawl and audit process that you see in scanners today had been with us since the beginning," Peterson said. "This kind of legacy process is difficult to turn on its head and make something different."
Traditionally, a scanner crawls an application, looking for the application's resources and mapping them. Then the application is audited based on the information from the crawl. With WebInspect 7, the application is crawled and then audited, but during the audit the tool continues to look for resources. The tool continues to crawl and audit the application until all is discovered and audited. SPI Dynamics calls this process Recursive Crawl and Audit.
With this method, "we now have a product that can behave much more like a human," Peterson said. The result is a truly exhaustive scan with far fewer false negatives, he said.
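To make the difference between the two processes concrete, here is an added example (not SPI Dynamics' code, and no part of WebInspect) that runs both a legacy crawl-then-audit pass and an interleaved recursive crawl-and-audit pass against a constructed toy application. The application, its pages, the two probes and the detection rules are all invented for the demonstration; the point is that a resource which only ever appears in an audit response (here, a link in an error page) is never reached by the two-phase process but is queued, crawled and audited by the recursive one.

```python
"""Recursive crawl and audit versus crawl-then-audit, on a constructed toy app.

Added illustrative example; not SPI Dynamics code. The application, probes and
detection rules are all invented for the demonstration.
"""
from collections import deque
from urllib.parse import parse_qsl, urlencode
import re

# Constructed static pages of the toy application (path -> HTML body).
STATIC_PAGES = {
    "/": '<a href="/search?q=hello">search</a> <a href="/help">help</a>',
    "/help": "<p>help text</p>",
    "/admin/export": '<p>export</p> <a href="/admin/debug">debug</a>',
    "/admin/debug": "<p>debug console</p>",
}

LINK_RE = re.compile(r'href="([^"]+)"')


def fetch(url):
    """Simulated HTTP GET. The dynamic /search handler mishandles a quote, and
    its error page leaks a link that a normal crawl never sees."""
    path, _, query = url.partition("?")
    params = dict(parse_qsl(query))
    if path == "/search":
        q = params.get("q", "")
        if "'" in q:
            return 500, ('<h1>SQL syntax error</h1>'
                         '<a href="/admin/export">retry via export</a>')
        return 200, f"<p>results for {q}</p>"  # reflected without encoding
    if path in STATIC_PAGES:
        return 200, STATIC_PAGES[path]
    return 404, "<p>not found</p>"


def extract_links(body):
    return LINK_RE.findall(body)


# Audit probes: (name, value, detector). The detector sees the response body.
PROBES = [
    ("sql-error", "'", lambda body, value: "SQL syntax error" in body),
    ("reflection", "wi7canary<>", lambda body, value: value in body),
]


def audit(url):
    """Audit each query parameter of one URL. Returns (findings, links seen in
    the audit responses) so the caller can feed new resources back to the crawl."""
    path, _, query = url.partition("?")
    params = parse_qsl(query)
    findings, links = [], []
    for i, (name, _) in enumerate(params):
        for probe, value, detect in PROBES:
            mutated = list(params)
            mutated[i] = (name, value)
            _, body = fetch(f"{path}?{urlencode(mutated)}")
            if detect(body, value):
                findings.append((probe, path, name))
            links.extend(extract_links(body))
    return findings, links


def crawl_then_audit(start="/"):
    """Legacy two-phase process: finish the crawl, then audit only what it found."""
    frontier, seen = deque([start]), {start}
    while frontier:
        _, body = fetch(frontier.popleft())
        for link in extract_links(body):
            if link not in seen:
                seen.add(link)
                frontier.append(link)
    findings = []
    for url in sorted(seen):
        findings.extend(audit(url)[0])
    return seen, findings


def recursive_crawl_and_audit(start="/"):
    """Crawl and audit interleaved: links that appear only in audit responses
    are queued, crawled and audited too, until nothing new turns up."""
    frontier, seen, findings = deque([start]), {start}, []
    while frontier:
        url = frontier.popleft()
        _, body = fetch(url)
        audit_findings, audit_links = audit(url)
        findings.extend(audit_findings)
        for link in extract_links(body) + audit_links:
            if link not in seen:
                seen.add(link)
                frontier.append(link)
    return seen, findings


if __name__ == "__main__":
    for name, scan in (("crawl-then-audit", crawl_then_audit),
                       ("recursive", recursive_crawl_and_audit)):
        resources, findings = scan()
        print(f"{name}: {len(resources)} resources, {len(findings)} findings")
        print("  ", sorted(resources), findings)
```

On this toy application the two-phase pass stops at three resources, while the recursive pass reaches five: the error page's link leads to `/admin/export`, whose own link leads to `/admin/debug`. Both passes report the same two findings on `/search`, so the gain here is coverage, not detection logic. A real scanner also has to bound the loop (depth, request budget, duplicate-content detection), since "until nothing new turns up" can run for a long time against an application that mints unique URLs.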
The ability to conduct multiple simultaneous scans is another helpful feature in WebInspect 7. The tool can be used to scan two sites at once or it can scan the same site with different users. Doing so helps detect problems such as privilege escalation and lessens the scan load, Peterson said. Considering that some users conduct thousands of assessments per year in a rapidly expanding Web environment, simultaneous multiple scans can cut a considerable amount of time, he said.
The feature also provides immediate feedback. A tabbed user interface lets users see all the scans at once.
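The "same site with different users" case deserves a worked illustration. The following is an added example (not SPI Dynamics' code) of the differential check such a two-session scan enables: resources that were discovered only in the privileged user's scan are replayed in the low-privilege user's session, and any that come back with the privileged user's content are flagged as a likely missing authorization check. The application, the two users, the role table and the two crawl result sets are all constructed for the demonstration.

```python
"""Differential authorization check across two user sessions (constructed example).

Added illustration; not SPI Dynamics code. Users, roles, resources and
responses are invented for the demonstration.
"""

# Constructed toy application: the role its server-side check actually enforces
# per path. None means no check; /admin/export is the defect to be found.
ENFORCED_ROLE = {
    "/": None,              # public by design
    "/account": "user",
    "/admin/users": "admin",
    "/admin/export": None,  # meant to be admin-only, but the check is missing
}
USERS = {"alice": "admin", "bob": "user"}
RANK = {None: 0, "user": 1, "admin": 2}

# Constructed result of crawling the application once per session: links to the
# admin pages only appear in the navigation rendered for the admin user.
ADMIN_CRAWL = {"/", "/account", "/admin/users", "/admin/export"}
USER_CRAWL = {"/", "/account"}


def fetch_as(user, path):
    """Simulated request inside one user's session."""
    if path not in ENFORCED_ROLE:
        return 404, "<p>not found</p>"
    if RANK[USERS[user]] >= RANK[ENFORCED_ROLE[path]]:
        return 200, f"<p>{path} content</p>"
    return 403, "<p>forbidden</p>"


def differential_scan(privileged, low_priv, priv_resources, low_resources):
    """Replay resources seen only in the privileged crawl under the low-privilege
    session. A 200 whose body matches the privileged response is flagged; a 403,
    a 404, or a different body (login page, stripped view) is not."""
    flagged = []
    for path in sorted(priv_resources - low_resources):
        _, expected = fetch_as(privileged, path)
        status, body = fetch_as(low_priv, path)
        if status == 200 and body == expected:
            flagged.append(path)
    return flagged


if __name__ == "__main__":
    for path in differential_scan("alice", "bob", ADMIN_CRAWL, USER_CRAWL):
        print(f"possible missing authorization check: {path}")
```

The heuristic is only as good as the "discovered only in the privileged session" premise: a page that is simply unlinked for ordinary users but public by design will be flagged too, so the output is a review list rather than a verdict. Comparing bodies rather than status codes alone matters in practice, because many applications answer an unauthorized request with a 200 that carries a login form.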
The state management engine has been rebuilt for WebInspect 7, preventing accidental invalidation of results. Authentication is made much easier, even for more complicated modes of authentication such as two-factor and CAPTCHA.
Advanced security features
Other notable features of WebInspect 7 include IPv6 support, an easy-to-use support channel and Hybrid Analysis.
Support for IPv6 (Internet Protocol version 6) is most useful to SPI Dynamics' military and government customers at present. However, this feature may become important to all users by late 2007, according to Peterson.
- Support channel
The support channel "allows us to get closer to our customers," Peterson said. "As Web applications get more complex and as the user base grows, there comes a need to get feedback instantly," added Peterson. Customers can just click and send queries directly to SPI Dynamics, and the company can answer those questions and send other important information instantly to the customer.
- Hybrid analysis
Customers may already be familiar with this feature, which combines source code analysis and black box testing. This patent-pending combination provides thorough vulnerability analysis and reduces the number of false positives.
Peterson is fully confident that this product will secure applications in the face of changing technology. WebInspect roots out SQL injection and cross-site scripting (XSS) vulnerabilities "in a way that's completely unique to the industry," Peterson said. Today, "up to a third of an application's business logic can exist in the client's browser. We saw the need for this new technology."