SPI Dynamics Adds Security Testing For Java Apps

DevInspect 3.0, slated for launch next month, adds support for J2EE Web applications and integration with Eclipse and IBM Rational Application Developer, opening up a huge opportunity in the Java applications space that had previously been closed off to SPI, said Jason Schmitt, group product manager at SPI.

DevInspect also can test applications that use Asynchronous JavaScript and XML (Ajax), a technique for developing interactive Web pages that can introduce vulnerabilities, according to Schmitt. "People are rushing into Ajax, and that often means they're not coding securely," he said.

Security issues with Ajax aren't going away anytime soon, according to Vincent Liu, managing director of Stach and Liu, a Phoenix-based security services firm.

"There isn't much information available about Ajax, and people haven't had a chance to evaluate weaknesses, which is why having a tool to be proactive and stop vulnerabilities before they get introduced into applications is important," Liu said.

DevInspect also includes an ASP.Net framework for .Net developers, and it will include support for Microsoft ASP.Net "Atlas" -- Microsoft's technology for developing rich Web applications -- when it's released later this year, Schmitt said.

SPI earlier this year began using a combination of source-code analysis and black-box testing in DevInspect, touting the hybrid approach as an effective means of rooting out vulnerabilities in applications while cutting down on false positives, Schmitt noted.

The Atlanta-based vendor's Secure Objects remediation technology protects applications against vulnerabilities with a secure development library that provides runtime attack protection.

"If you want to monitor if someone is trying to hack your applications, you can tie this into the coding process and log the information to an event management system. This gives the operations management side a way to see if someone is trying to break in," Schmitt said.

"Secure Objects is a real value-add because it remediates issues and allows us to solve two problems with one product. Instead of going back through and spending another remediation cycle, developers can do it instantaneously," Liu said.

DevInspect 3.0 is slated for release in December and starts at a price of $3,000.