This article can also be found in the Premium Editorial Download "Information Security magazine: Symantec 2.0: Evaluating their recent acquisitions."
Download it now to read this article plus other related content.
REVIEWED BY PHORAM MEHTA
Price: Starts at $6,000 for one Web server license
Increasing attacks against vulnerable public Web apps threaten your company's ability to do business and can undermine its reputation. Given the inadequacy of network-based security tools such as firewalls to address these threats, the case for building bullet-proof apps grows more compelling. SPI Dynamics' WebInspect greatly facilitates the development and delivery of secure Web applications by identifying and fixing vulnerabilities without leaving the Visual Studio-integrated development environment.
Installation and setup was smooth, guided by a wizard through importing the license key and entering all the basic information. You can select assessment type (single application, enterprise or Web service) and method (a combination of automated or manual crawling and auditing). More than 30 policy choices offer a selection of security engines and vulnerability tests ranging from OWASP Top 10 to ISO 17799. Users can select modules, or let the automatic crawler map a site's tree structure, and apply all of the selected policies' attacks from among more than 30,000 security checks.
However, because WebInspect doesn't run as a service, the only way to run a scan at a scheduled time is to somehow keep the software open at the time of the scan. We used the Windows scheduler.
Advanced Features B
SPI Dynamics has tried to create a one-stop solution for Web application and services assessment by adding advanced assessment techniques within its tools menu. Users have lots of options, including customizing existing policies and creating specific checks for a Web app.
HTTP and SOAP editors are useful features for QA testers, allowing them to try out various request- response combinations. Another cool feature is the SPI Fuzzer, which generates random or sequential data to test against various areas of an application.
Advanced users will appreciate the inclusion of encoders/decoders that can be used to convert, encrypt and decrypt multi-format text. Regex Tester is another handy tool to test and apply regular expressions.
We ran WebInspect against two production MS SQL Server-based Web applications: one serving as a gift card ordering and fulfillment portal for a restaurant chain, and the other for an online credit management site. Although there weren't many obvious issues with the applications, WebInspect thoroughly scanned and identified even some of more subtle vulnerabilities.
We'd dispute some of the severity levels assigned to findings, but appreciated how WebInspect allowed us to see complex modules broken down into individual pages in a hierarchical tree structure and vulnerabilities displayed in near real-time. The program ran fast, spitting about 150 requests per second.
The well-designed dashboard gives the user multiple real-time views and alerts, including detailed vulnerability explanations and remediation recommendations.
We were impressed with the breadth and depth of reporting options; templates range from developer to executive. You can also choose from individual reporting options like developer references and QA summary.
The best option by far is the trending and comparison report, which allows you to track the progress of remediation efforts based on previous results.
SPI Dynamics has created a powerful tool for novices and advanced users. Consultants and companies with in-house application security resources will appreciate the time and effort it saves.
Testing methodology: WebInspect 6.1 was run against two e-commerce applications based on .NET and MS SQL Server in a production environment. These applications were tested multiple times with various automated and manual configurations.
This was first published in November 2006