SPI Dynamics Takes Aim At Web 2.0 Security

AJAX, RSS, SOAP and other Web 2.0 technologies have created a broader attack surface for Web applications, which has led SPI to improve the accuracy of the vulnerability scanning technology it uses in its products, said Caleb Sima, co-founder and CTO at the Atlanta-based vendor.

WebInspect 7, SPI's first product based on the new technology, is equipped to weed out security vulnerabilities in Web applications and can test Web sites that use two-factor authentication and "captchas," technologies that have been traditional stumbling blocks, according to Sima.

"Web applications have grown so complex that automated vulnerability scanners only get to 25 percent of the Web sites, which means you are missing flaws you should be finding in the discovery phase," Sima said.

Vincent Liu, managing director of Stach and Liu, a Phoenix-based security services firm, said WebInspect 7 reduces the burden of doing assessments. "The lack of a tool out there for Web 2.0 assessments means we have to review every single line of code that's on the client. But WebInspect 7 takes care of a lot of that manual code review," he said.

Another key feature is a new method for crawling Web applications that combines the crawl and audit phases into a single process and saves time by reporting results to the tester on an ongoing basis during the scan, Sima said.

Overall scan times have been reduced by 50 percent, and users can now launch multiple concurrent scans, Sima added.

WebInspect 7 single-server perpetual licenses start at $6,000, and perpetual user licenses begin at $25,000. Enterprise pricing and consultant licenses are also available.