Web Application Scanners Ferret Out Security Flaws
Startups such as SPI Dynamics offer Web application scanners that allow security integrators and software developers to unearth holes in Web applications that attackers could exploit to obtain sensitive corporate data.
"The Web application vulnerability area is the new hackers' playground," said Paul Klahn, director of assessment services at FishNet Security, a Kansas City, Mo., solution provider and SPI Dynamics partner.
Atlanta-based SPI Dynamics earlier this month released WebInspect 3.0, a new version of its Web application scanner software designed to meet the unique needs of developers, quality assurance staffers, security auditors and security professionals.
By using WebInspect 3.0 during the development process, developers and others can learn how to build secure software, said Brian Cohen, SPI Dynamics' president and CEO. The tool also can automatically assess the security of Web services.
Solution providers can offer services around the product, including remediation for vulnerabilities, Cohen said.
WebInspect 3.0 allows customers to perform security assessments on any Web-enabled application, with specific assessment capabilities for Microsoft .Net, IBM WebSphere, Lotus Domino, Oracle Application Servers and Macromedia ColdFusion.
The product is priced at $4,995 per server, plus a yearly maintenance fee. Volume discounts are available, as is annual per-seat pricing for security consultants and corporate auditors.
Meanwhile, Sanctum, Santa Clara, Calif., unveiled general availability of AppScan Developer Edition 1.5, an automated security testing tool that integrates into Microsoft Visual Studio .Net.
The product tests applications built with any of the languages supported by Visual Studio .Net and provides in-line fix recommendations after identifying defects. AppScan DE costs $1,495, but the company is offering a promotional price of $995 through Aug. 1.
Last month, New York-based KaVaDo released a new version of its ScanDo Web application scanner with enhanced performance, broader support for Web services, and data storage and sharing capabilities.
The company also unveiled its global partner program for solution providers, vendors and service providers. KaVaDo's Protected Alliance is designed to promote the exchange of data and resources to develop advanced Web application security solutions.
At FishNet, Web application assessments now account for 60 percent to 70 percent of its assessment business as more applications become Web-enabled, Klahn said. Those applications can be complex, leaving a lot of room for security holes, he said.
SPI Dynamics' WebInspect 3.0 saves FishNet engineers a lot of time when performing security assessments, said Gene Abramov, a FishNet engineer. Plus, the tool's ability to assess Web services is very valuable, he said.
"When we did Web services assessments [without the tool], we were stuck with a two- to three-year approach of manually testing each functionality," he said.
Abramov said he's pleased with the way the vendor has included input from FishNet engineers in its product, and Klahn said SPI Dynamics has proven to be a highly responsive and flexible partner.
Dick Mackey, principal at SystemExperts, Sudbury, Mass., said Web application vulnerability scanner tools are useful but typically point out the more obvious and "mechanical" vulnerabilities. "We expect these tools to mature over time, and we see them as very useful but not the only approach you should have in determining the strength of your security," he said.