Network Computing is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them. Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Rolling Reviews: SPI Dynamics WebInspect


The Upshot

Web app scanners in this Rolling Review must not only find conventional weaknesses, like XSS and SQL injection vulnerabilities, but also thoroughly scan Ajax apps, in which part of the app is running locally in the browser.
There's no substitute for multilayered protection. Web app scanners, such as SPI Dynamics' WebInspect, should be just one element in a comprehensive setup that includes educating developers and integrating security reviews into the development lifecycle. Problem is, complex Ajax apps represent a new twist for these products, and we don't recommend purchasing a scanner that cannot handle Web 2.0 development tools, which are exploding in popularity.
While WebInspect suffered from some troubling errors and didn't handle our Ajax application gracefully, it showed a number of positives, including quick vendor updates, easy tweaks and customization, a well-designed interface, and powerful built-in extras. Test before you buy to determine whether WebInspect can handle your apps--or whether its failures in our tests are indicative of more pervasive problems.

SPI Dynamics WebInspect 7.0 Perpetual single-user license, unlimited applications: $25,000, with 20 percent maintenance per year

Scan today's web applications with a tool that cannot parse Ajax, and you may be doing only half the job. RIAs move intelligence to browsers ... and we all know how secure browsers are. Moreover, Ajax-based Rich Internet Applications are generally written in at least two languages. Double the complexity, double the danger. Even so, in a SitePoint poll of 5,000 Web developers released in late 2006, 46 percent said they would use Ajax for Web projects within the next 12 months, compared with just 27 percent citing Flash. Security pros--and tool vendors--better get busy.

For this installment in our Web Application Scanners Rolling Review we brought SPI Dynamics' WebInspect 7.0 into our University of Florida Real-World Labs® and set it to sniff out vulnerabilities in three sample Web apps, all in use for real-world functions (see "Scouring Ajax," for the kickoff to this series).

This article is the first of a series and is part of NWC's Rolling Review of Web Applications Scanners. Click on that link to go to the Rolling Reviews home page to read all the features and reviews now.
  • 1