Network Computingwww.networkcomputing.com

Rolling Reviews: SPI Dynamics WebInspect

Posted by Jordan Wiens on June 8, 2007

Tags: AR,  ATLAS,  Acunetix,  Cenzic,  Microsoft ASP.net,  N-Stalker,  RIA,  Rich Internet Applications,  SPI Dynamics,  Syhunt Technology,  Watchfire,  WebInspect,  WhiteHat Security,  vulnerabilities,  web application scanners,  AJAX,  Appliances,  Consulting,  Corporate Data Security,  Data Center Access,  Data Networking & Management,  Data Protection,  Database Management Services,  E-Business and Customer Data Security,  Enclosures,  Hotspots,  Industry-specific XML versions,  Infrastructure,  Internet Security,  Java,  Linux,  Management,  Network Security,  Networking,  New Vulnerabilities,  Other,  Remote Access Software,  SOAP,  Security Appliances and Hardware,  Security Information Management,  Security and Privacy,  Servers & Storage,  Software,  Software and Web Development,  Storage Management Software,  Storage Security,  Technology,  User Interface,  Vulnerability Assessment Services,  Vulnerability Assessment and Management,  WLAN Security,  Web Services,  Web Services Security,  Web Site Access Control,  Windows,  Wireless,  XML

Channel: Data Protection, Networking & Mgmt, Other, Servers & Storage, Wireless

The Upshot Web app scanners in this Rolling Review must not only find conventional weaknesses, like XSS and SQL injection vulnerabilities, but also thoroughly scan Ajax apps, in which part of the app is running locally in the browser. There's no substitute for multilayered protection. Web app scanners, such as SPI Dynamics' WebInspect, should be just one element in a comprehensive setup that includes educating developers and integrating security reviews into the development lifecycle. Problem is, complex Ajax apps represent a new twist for these products, and we don't recommend purchasing a scanner that cannot handle Web 2.0 development tools, which are exploding in popularity. While WebInspect suffered from some troubling errors and didn't handle our Ajax application gracefully, it showed a number of positives, including quick vendor updates, easy tweaks and customization, a well-designed interface, and powerful built-in extras. Test before you buy to determine whether WebInspect can handle your apps--or whether its failures in our tests are indicative of more pervasive problems. FEATURED PRODUCT: SPI Dynamics WebInspect 7.0 Perpetual single-user license, unlimited applications: $25,000, with 20 percent maintenance per year

Scan today's web applications with a tool that cannot parse Ajax, and you may be doing only half the job. RIAs move intelligence to browsers ... and we all know how secure browsers are. Moreover, Ajax-based Rich Internet Applications are generally written in at least two languages. Double the complexity, double the danger. Even so, in a SitePoint poll of 5,000 Web developers released in late 2006, 46 percent said they would use Ajax for Web projects within the next 12 months, compared with just 27 percent citing Flash. Security pros--and tool vendors--better get busy.

For this installment in our Web Application Scanners Rolling Review we brought SPI Dynamics' WebInspect 7.0 into our University of Florida Real-World Labs® and set it to sniff out vulnerabilities in three sample Web apps, all in use for real-world functions (see "Scouring Ajax," for the kickoff to this series).

This article is the first of a series and is part of NWC's Rolling Review of Web Applications Scanners. Click on that link to go to the Rolling Reviews home page to read all the features and reviews now.

So how did our first entry in this Rolling Review handle the complexity of scanning an application heavily dependent on JavaScript? Unfortunately, not very well. Not only did the automated scanner have trouble finding all the functionality, but even when we used a manual walkthrough to show it how to interact with the app, WebInspect had trouble handling JavaScript links. Problem is, if you can't even find all an app's functionality, you certainly won't find all its potential vulnerabilities.

Break It To Me Gently

Don't get us wrong--this product has some real strengths. Still, when someone says they have good news and bad news, I always take the bad news first. So let's get WebInspect's other downsides out of the way.