Review: SPI Dynamics' WebInspect 6.1

SPI Dynamics has created a powerful tool for novices as well as advanced users who will appreciate the time and effort it saves.

WebInspect 6.1
SPI Dynamics
Price: starts at $6,000 for one Web server license

Increasing attacks against vulnerable public Web applications threaten your company's ability to do business and can undermine its reputation. Because network-based security tools such as firewalls must pass HTTP traffic through to the application, they do little to address these threats, and the case for building bulletproof applications grows more compelling than ever.

SPI Dynamics' WebInspect greatly facilitates the development and delivery of secure Web applications by letting developers identify and fix vulnerabilities without leaving the Visual Studio integrated development environment.

Installation/Ease-of-use: B+
Installation and initial setup were smooth: a wizard guided us through importing the license key and entering the basic configuration. You can select an assessment type (single application, enterprise or Web service) and a method (a combination of automated or manual crawling and auditing). More than 30 policies offer a selection of security engines and vulnerability tests ranging from the OWASP Top 10 to ISO 17799.

Users can select modules individually or let the automatic crawler map a site's complete tree structure and apply all of the selected policies' attacks, drawn from more than 30,000 individual security checks.

However, because WebInspect doesn't run as a service, the only way to run a scan at a scheduled time is to have the application open in a logged-in session at that time. We used the Windows scheduler to launch it.

Advanced Features: B
SPI Dynamics has tried to create a one-stop solution for Web application and Web services assessment by incorporating multiple advanced assessment techniques within its Tools menu. Users have lots of options, including customizing existing policies, creating checks specific to a Web application, and recording startup or login scripts with form inputs.

The HTTP and SOAP editors are useful features for QA testers, letting them craft requests by hand and try various request/response combinations. Another cool feature is the SPI Fuzzer, which generates random or sequential data and submits it against various areas of an application.

Advanced users will appreciate the inclusion of encoders/decoders that convert, encrypt and decrypt text in multiple formats. Regex Tester is another handy little tool for testing and applying regular expressions in the HTTP editor and elsewhere, such as session filters.
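To make concrete what the fuzzer and encoder tools above do, here is an added example (not SPI Dynamics' code): a minimal request fuzzer that generates sequential and random values for one parameter, applies an encoding (plain, URL or base64), submits each value to a target, and flags responses that look like server errors. The target is a constructed, deliberately unsafe in-process stand-in for a gift-card balance page (hypothetical; not either of the applications tested in the review), so the script runs offline.

```python
"""Added example, not SPI Dynamics' code: a minimal request fuzzer in the
spirit of the SPI Fuzzer and encoder/decoder tools described above.

It generates sequential and random values for one parameter, applies an
encoding (plain, URL or base64), submits each value to a target callable and
flags responses that look like server errors.  The target is a constructed
in-process stand-in for a vulnerable lookup page, so the script runs offline.
"""
import base64
import random
import sqlite3
import string
import urllib.parse
from typing import Callable, Iterable, Iterator

# Encoders of the kind a scanner's encoder/decoder tool offers.
ENCODERS = {
    "plain": lambda s: s,
    "url": lambda s: urllib.parse.quote(s, safe=""),
    "base64": lambda s: base64.b64encode(s.encode()).decode(),
}

# Response markers that indicate the input reached something it should not
# have.  Kept generic here; a real scanner carries signatures for many back ends.
ERROR_MARKERS = ("HTTP 500", "OperationalError", "ProgrammingError", "syntax error")


def sequential_values(start: int, count: int) -> Iterator[str]:
    """Sequential payloads: walk an identifier space such as order numbers."""
    for i in range(start, start + count):
        yield str(i)


def random_values(count: int, length: int, seed: int = 0) -> Iterator[str]:
    """Random payloads: printable junk salted with quote and metacharacters."""
    rng = random.Random(seed)  # seeded so a run is reproducible
    alphabet = string.ascii_letters + string.digits + "'\"<>;%&="
    for _ in range(count):
        yield "".join(rng.choice(alphabet) for _ in range(length))


def fuzz(target: Callable[[str], str], values: Iterable[str],
         encoding: str = "plain") -> list:
    """Submit each encoded value; return (raw, encoded, first response line)
    for every response carrying an error marker."""
    encode = ENCODERS[encoding]
    findings = []
    for raw in values:
        payload = encode(raw)
        response = target(payload)
        if any(marker in response for marker in ERROR_MARKERS):
            findings.append((raw, payload, response.splitlines()[0]))
    return findings


# --- constructed target: a hypothetical gift-card balance page --------------
_db = sqlite3.connect(":memory:")
_db.execute("CREATE TABLE cards (id INTEGER PRIMARY KEY, balance REAL)")
_db.executemany("INSERT INTO cards VALUES (?, ?)", [(1, 25.0), (2, 50.0)])


def constructed_target(param: str) -> str:
    """Stand-in for a web handler: URL-decodes its query parameter and
    concatenates it into SQL (deliberately unsafe so the fuzzer has something
    to find).  Returns a fake HTTP status line plus body."""
    value = urllib.parse.unquote(param)
    try:
        rows = _db.execute(f"SELECT balance FROM cards WHERE id = {value}").fetchall()
    except (sqlite3.Error, sqlite3.Warning) as exc:
        return f"HTTP 500\n{type(exc).__name__}: {exc}"
    return "HTTP 200\n" + (str(rows[0][0]) if rows else "no such card")


if __name__ == "__main__":
    print("sequential:", fuzz(constructed_target, sequential_values(1, 5)))
    print("random:    ", fuzz(constructed_target, random_values(10, 6)))
    print("url-encoded quote:", fuzz(constructed_target, ["1'"], "url"))
```

The sequential pass walks card IDs and finds nothing, because well-formed integers never break the query; the random pass and the single URL-encoded quote do, which is the point of pairing a generator with an encoder: the encoding has to be undone by the application before the payload lands, so a fuzzer that can only send plain text misses handlers that decode their own input.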

Effectiveness: B
We ran WebInspect against two production MS SQL Server-based Web applications: the gift card ordering and fulfillment portal for a restaurant chain, and an online credit management site. Although the applications had few obvious issues, WebInspect scanned them thoroughly and identified subtler vulnerabilities as well.

We'd dispute some of the severity levels assigned to the findings, but it was nice to see complex modules broken down into individual pages in a hierarchical tree structure, with discovered vulnerabilities displayed with complete details in near real time. The program ran amazingly fast, issuing about 150 requests per second. Against production systems such as these, a rate like that warrants throttling the scanner and watching the application's own logs and order queues, since an automated crawl and audit submits the forms it finds.

The well-designed dashboard gives the user multiple real-time views and alerts, including detailed vulnerability explanations and remediation recommendations.

Reporting: A
We were impressed with the breadth and depth of reporting options. Templates range from compliance and developer reports to executive summaries. You can also pick and choose individual report sections, such as developer references and a QA summary.

The best option by far is the trending and comparison report, which lets you track the progress of remediation efforts against previous scan results.
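What a comparison report boils down to is matching findings between two scans. The following is an added example (not WebInspect's reporting code) with two constructed scan results (hypothetical paths and check names, not findings from the review); each finding is matched on (URL, parameter, check) and classified as fixed, new or still open, with per-severity tallies so progress can be tracked from scan to scan.

```python
"""Added example, not WebInspect's reporting code: the core of a trending and
comparison report.  Two scan results are constructed inline; findings are
matched on (URL, parameter, check name) and classified as fixed, new or still
open, with per-severity tallies so progress can be tracked between scans."""
from collections import Counter

# Constructed sample findings (hypothetical paths and checks, not real results).
PREVIOUS_SCAN = [
    {"url": "/cards/order.aspx", "parameter": "qty", "check": "SQL Injection", "severity": "Critical"},
    {"url": "/cards/order.aspx", "parameter": "name", "check": "Cross-Site Scripting", "severity": "High"},
    {"url": "/account/login.aspx", "parameter": "user", "check": "Verbose Error Message", "severity": "Low"},
    {"url": "/account/login.aspx", "parameter": "pwd", "check": "Autocomplete Enabled", "severity": "Info"},
]
CURRENT_SCAN = [
    {"url": "/cards/order.aspx", "parameter": "name", "check": "Cross-Site Scripting", "severity": "High"},
    {"url": "/account/login.aspx", "parameter": "user", "check": "Verbose Error Message", "severity": "Low"},
    {"url": "/cards/balance.aspx", "parameter": "id", "check": "SQL Injection", "severity": "Critical"},
]


def finding_key(finding):
    """Identity of a finding across scans: where it was found and which check
    fired.  Severity is deliberately excluded so a re-rated finding still matches."""
    return (finding["url"], finding["parameter"], finding["check"])


def compare_scans(previous, current):
    """Split findings into fixed (gone), new (appeared) and open (in both).
    Open findings carry the current scan's details, e.g. an updated severity."""
    prev = {finding_key(f): f for f in previous}
    cur = {finding_key(f): f for f in current}
    return {
        "fixed": [prev[k] for k in sorted(prev.keys() - cur.keys())],
        "new": [cur[k] for k in sorted(cur.keys() - prev.keys())],
        "open": [cur[k] for k in sorted(prev.keys() & cur.keys())],
    }


def severity_tally(findings):
    return Counter(f["severity"] for f in findings)


def remediation_rate(previous, current):
    """Fraction of the previous scan's findings no longer present."""
    if not previous:
        return 1.0
    return len(compare_scans(previous, current)["fixed"]) / len(previous)


def trend_report(previous, current):
    """Plain-text summary of the kind a trending report prints."""
    diff = compare_scans(previous, current)
    lines = [
        f"fixed: {len(diff['fixed'])}, new: {len(diff['new'])}, still open: {len(diff['open'])}",
        f"remediation rate: {remediation_rate(previous, current):.0%}",
    ]
    before, after = severity_tally(previous), severity_tally(current)
    for sev in ("Critical", "High", "Medium", "Low", "Info"):
        if before[sev] or after[sev]:
            lines.append(f"{sev}: {before[sev]} -> {after[sev]}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(trend_report(PREVIOUS_SCAN, CURRENT_SCAN))
```

The matching key is the part that decides whether such a report is useful: if URLs carry session tokens or per-run IDs, they must be normalized before comparison or every finding will look both fixed and new at once. In this sample the remediation rate is 50% even though the Critical count is unchanged, because one SQL injection was fixed and a different one appeared elsewhere; counts alone would hide that.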

Verdict
SPI Dynamics has created a powerful tool for novices as well as advanced users. Consultants and companies with in-house application security resources will appreciate the time and effort it saves.

Testing Methodology
WebInspect 6.1 was run against two e-commerce applications based on .NET and MS SQL Server in a production environment. These applications were tested multiple times with various automated and manual configurations.

This product review originally appeared in the November 2006 edition of Information Security magazine.