Rolling Reviews: SPI Dynamics WebInspect

Posted by
June 08, 2007

Tags: AR, ATLAS, Acunetix, Cenzic, Microsoft ASP.net, N-Stalker, RIA, Rich Internet Applications, SPI Dynamics, Syhunt Technology, Watchfire, WebInspect, WhiteHat Security, vulnerabilities, web application scanners, AJAX, Appliances, Consulting, Corporate Data Security, Data Center Access, Data Networking & Management, Data Protection, Database Management Services, E-Business and Customer Data Security, Enclosures, Hotspots, Industry-specific XML versions, Infrastructure, Internet Security, Java, Linux, Management, Network Security, Networking, New Vulnerabilities, Other, Remote Access Software, SOAP, Security Appliances and Hardware, Security Information Management, Security and Privacy, Servers & Storage, Software, Software and Web Development, Storage Management Software, Storage Security, Technology, User Interface, Vulnerability Assessment Services, Vulnerability Assessment and Management, WLAN Security, Web Services, Web Services Security, Web Site Access Control, Windows, Wireless, XML

Channel: Other, Networking & Mgmt, Servers & Storage, Data Protection, Wireless

The Upshot

Web app scanners in this Rolling Review must not only find conventional weaknesses, like XSS and SQL injection vulnerabilities, but also thoroughly scan Ajax apps, in which part of the app is running locally in the browser.
Context

There's no substitute for multilayered protection. Web app scanners, such as SPI Dynamics' WebInspect, should be just one element in a comprehensive setup that includes educating developers and integrating security reviews into the development lifecycle. Problem is, complex Ajax apps represent a new twist for these products, and we don't recommend purchasing a scanner that cannot handle Web 2.0 development tools, which are exploding in popularity.
Credibility

While WebInspect suffered from some troubling errors and didn't handle our Ajax application gracefully, it showed a number of positives, including quick vendor updates, easy tweaks and customization, a well-designed interface, and powerful built-in extras. Test before you buy to determine whether WebInspect can handle your apps--or whether its failures in our tests are indicative of more pervasive problems.

FEATURED PRODUCT:
SPI Dynamics WebInspect 7.0 Perpetual single-user license, unlimited applications: $25,000, with 20 percent maintenance per year

Scan today's web applications with a tool that cannot parse Ajax, and you may be doing only half the job. RIAs move intelligence to browsers ... and we all know how secure browsers are. Moreover, Ajax-based Rich Internet Applications are generally written in at least two languages. Double the complexity, double the danger. Even so, in a SitePoint poll of 5,000 Web developers released in late 2006, 46 percent said they would use Ajax for Web projects within the next 12 months, compared with just 27 percent citing Flash. Security pros--and tool vendors--better get busy.

For this installment in our Web Application Scanners Rolling Review we brought SPI Dynamics' WebInspect 7.0 into our University of Florida Real-World Labs® and set it to sniff out vulnerabilities in three sample Web apps, all in use for real-world functions (see "Scouring Ajax," for the kickoff to this series).

This article is the first of a series and is part of NWC's Rolling Review of Web Applications Scanners. Click on that link to go to the Rolling Reviews home page to read all the features and reviews now.

Page: 1 | 2 |3 |4 |5 |Next Page »

More wireless Insights


	To upload an avatar photo, first complete your Disqus profile. \| View the list of supported HTML tags you can use to style comments. \| Please read our commenting policy.

Network Computingwww.networkcomputing.com

Home

News and Analysis

Research

Tech Centers

Channels

Bloggers

Upcoming Events

Cloud Connect
Santa Clara
Feb 13-16, 2012

Subscribe to Newsletter

Vendor NewsFeed