Penetration testing vendor Core Security Technologies announced Tuesday that it will start extending its flaw-finding services to Web applications, which are quickly becoming the number-one attack vector.
The Boston-based company said it is rolling Web application pen testing capabilities into CORE IMPACT, its signature product for enterprise security assurance testing. Specifically, the new capabilities will be in CORE IMPACT 7.5. The vendor said customers will be able to use the product to identify weaknesses in Web applications, Web servers, Web browsers and associated databases. The tools generate exploits that can prove the existence of security weaknesses; demonstrate the potential consequences of a successful attack; and help address security issues and prevent data incidents.
Core CEO Paul Paget said in an interview Monday that the new Web application testing capabilities have been in development for some time, and that the company offered small groups of customers a preview of the new capabilities during Black Hat USA 2007 in Las Vegas last August.
"They see this as the next logical step for Core," he said. "They see Web application threats as a big problem for them as attackers turn their attention in that direction."
Security researchers have warned for the past two years that attackers are shifting their attention to the Web-based applications that users increasingly rely on for everything from commerce to banking.
Core said IMPACT can replicate an attack that initially compromises a Web server or end-user workstation and then propagates to backend network systems. At least one customer is happy with what he has seen so far.
Nikk Gilbert, security director of Alstom Transport, said in a press release, "By adding Web application testing to its existing capabilities IMPACT saves us from having to use disparate, stand-alone tools for each part of our IT infrastructure. It's good to know that we can now rely on an established, trusted vendor to help us face our security challenges in this area as well."