Security upstart SPI Dynamics in late June took the wraps off two new products that identify vulnerabilities in Web sites and fix glitches in source code during the software development process.
WebInspect 6.0 is diagnostic software that scans Web sites, identifies vulnerabilities such as cross-site scripting and code injection by simulating those attacks against the running site, and produces a report outlining the security holes found and how to fix them, according to Caleb Sima, CTO and founder of Atlanta-based SPI Dynamics.
WebInspect's assessment and auditing are powered by a proprietary technology called Intelligent Engines, which Sima said significantly increases accuracy by mimicking the methods hackers commonly employ. "We emulate how a hacker would look at your Web site, which allows us to be faster and extremely accurate," he said, adding that the software's false-positive rate is "close to zero."
SPI Dynamics also introduced DevInspect 2005, a source-code analysis application that integrates with Microsoft Visual Studio 2005.
DevInspect combines source-code analysis with black-box testing (a method that exercises the running software from the outside, without knowledge of its internal structure) in order to diagnose and identify exploitable flaws early in the development process, Sima said. DevInspect includes a feature that replaces bad code with good code and shows developers which changes are being made, he added.
"We've built in source-code analysis to identify attack surfaces, and then use black box testing to determine what is really exploitable," Sima said.
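To make the two-stage approach Sima describes concrete, the following Python example is added here as an illustration; it is not SPI Dynamics code and says nothing about how DevInspect is implemented. A static pass over a constructed toy application flags every handler in which a request parameter flows into the HTML response (the attack surface, over-approximated), and a black-box pass then calls each flagged handler with a marker payload and keeps only the findings where the payload comes back unencoded. The sample application, its handler names and the probe payload are all constructed for the example.

```python
import ast

# Constructed sample application, assumed for illustration only.
# Each handler takes a dict of request parameters and returns an HTML body.
APP_SOURCE = '''
import html

def search(params):
    # reflects the query unescaped: a real reflected XSS
    return "<h1>Results for " + params["q"] + "</h1>"

def greet(params):
    # reflects the name, but escapes it first: not exploitable
    return "<p>Hello, " + html.escape(params["name"]) + "</p>"

def about(params):
    # static page, no user input reaches the response
    return "<p>About us</p>"
'''

# Marker payload for the black-box probe; any distinctive string works.
PROBE = "<svg/onload=probe1>"


def find_attack_surface(source):
    """Static pass: map each handler to the request parameters that flow
    into its return value. Any params[...] subscript inside a return
    expression counts, sanitised or not, so this over-approximates; the
    over-approximation is exactly where static-only false positives come from."""
    tree = ast.parse(source)
    surface = {}
    for func in tree.body:
        if not isinstance(func, ast.FunctionDef):
            continue
        keys = set()
        for node in ast.walk(func):
            if not (isinstance(node, ast.Return) and node.value is not None):
                continue
            for sub in ast.walk(node.value):
                if (isinstance(sub, ast.Subscript)
                        and isinstance(sub.value, ast.Name)
                        and sub.value.id == "params"
                        and isinstance(sub.slice, ast.Constant)):
                    keys.add(sub.slice.value)
        if keys:
            surface[func.name] = sorted(keys)
    return surface


def assess(source):
    """Run the static pass, then confirm each candidate with a black-box probe.

    Returns (surface, findings): surface is the static result, findings maps
    (handler, parameter) to True only when the probe was reflected verbatim,
    i.e. the flaw is actually exploitable."""
    surface = find_attack_surface(source)
    namespace = {}
    exec(source, namespace)  # stand-in for the running application
    findings = {}
    for name, keys in surface.items():
        handler = namespace[name]
        for key in keys:
            # benign values for the other parameters, the probe in the one under test
            params = {k: "benign" for k in keys}
            params[key] = PROBE
            body = handler(params)
            findings[(name, key)] = PROBE in body
    return surface, findings


if __name__ == "__main__":
    surface, findings = assess(APP_SOURCE)
    print("attack surface from source:", surface)
    for (name, key), exploitable in findings.items():
        verdict = "confirmed reflected XSS" if exploitable else "candidate only, not exploitable"
        print(f"{name}({key}): {verdict}")
```

Static analysis alone reports both `search` and `greet`; only `search` survives the probe, which is the sense in which the dynamic stage filters the static stage's false positives. A real scanner would drive the handlers over HTTP and vary payloads per output context, but the division of labour is the same.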
Terry Kurzynski, managing partner of Remington Associates, a solution provider in Schaumburg, Ill., said there's a definite need for tools that can identify vulnerabilities and reduce the number of false positives in the software auditing process.
"Source-code analysis saves companies a lot of time by finding problems early and [enabling] them to put out more secure applications and code," Kurzynski said. He estimates that about half of his clients have a "significantly high" number of vulnerabilities in their Web applications.
In addition to a direct sales team, SPI has a nascent channel program that brought in about 35 percent of the vendor's 2005 revenue, Sima said. SPI Dynamics plans to increase channel ranks by enlisting companies interested in adding WebInspect and DevInspect to their product portfolios, Sima added.