SPI Dynamics Trains VARs To Assess Web APP Vulnerabilities

The Atlanta-based maker of WebInspect Web application vulnerability assessment software also announced interoperability with the NC-1000 Web security gateway appliance from NetContinuum, a supplier of Web security gateway appliances.

The interoperability is based on the Application Vulnerability Description Language (AVDL), an emerging XML standard that defines and categorizes application vulnerabilities in a standard way so they can be understood by a variety of security products.

SPI Dynamics' channel program is designed for security-focused solution providers as well as those who want to expand into security, said Brian Cohen, president and CEO of the company. "There are a lot of folks in the channel who want to provide security services and security products. Many are qualified, and many are not. We put together a program that will [help them become] qualified," he said.

The program provides one day of free sales training and ongoing Webinars, plus two days of technical training for WebInspect certification, which costs about $2,000.

Other benefits include a dedicated sales representative and engineer, lead generation, access to a trial version of WebInspect, access to an online resource center, co-marketing and co-sales support, discounts and a listing on the vendor's Web site.

Partners resell WebInspect but also use it as a tool around which they can build service offerings, Cohen said. About half of SPI Dynamics' business currently goes through the channel, and the company hopes to increase that to two-thirds or three-quarters by the end of the year. The vendor counts some 35 partners in the United States.

Steve Keefe, senior vice president of Patriot Technologies, said SPI Dynamics' partner program will create a lot of opportunities for the channel. The Frederick, Md.-based security solution provider uses WebInspect in its assessment services.

"They are definitely on the right track," Keefe said.

Some of the key components that differentiate the SPI Dynamics program from other channel programs are the dedicated sale representative and engineer, and the training, Keefe said.

WebInspect can be used to test the integrity of code before it goes live on the Web, so businesses won't find out about vulnerabilities after a Web site is defaced, Keefe said.

SPI Dynamics' interoperability with NetContinuum is the first working prototype of the AVDL standard, which the vendors are developing with other app security companies through the Organization for the Advancement of Structured Information Standards (OASIS), Cohen said.

"AVDL will be an open standard that will allow any vendor in the finding, blocking or fixing business related to application vulnerabilities to share information," he said.

Now, WebInspect can output results from its application vulnerability assessment in an XML format that NetContinuum's NC-1000 can use to create policies to detect and block attacks.

The integration helps administrators reduce risks in Web environments and gives them breathing room to determine how to secure an application, said Wes Wasson, chief strategy officer at NetContinuum, Santa Clara, Calif.

Paul Klahn, director of assessment services at FishNet Security, a solution provider in Kansas City, Mo., said the interoperability between SPI Dynamics and NetContinuum builds on the strengths of both companies.

FishNet uses WebInspect in its assessment work and SPI Dynamics has proven to be a responsive partner, Klahn said. "Their team is so flexible. We just love working with them."