Core Security to offer Web application pen testing

By Bill Brenner, Senior News Writer 16 Oct 2007 | SearchSecurity.com

Security Wire Daily News Digg This!     StumbleUpon     Del.icio.us

Penetration testing vendor Core Security Technologies announced Tuesday that it will start extending its flaw-finding services to Web applications that are quickly becoming the number-one attack vector of choice in the digital underground.

They see Web application threats as a big problem for them as attackers turn their attention in that direction. Paul Paget, CEO, Core Security Technologies

The Boston-based company said it is rolling Web application pen testing capabilities into CORE IMPACT, its signature product for enterprise security assurance testing. Specifically, the new capabilities will be in CORE IMPACT 7.5. The vendor said customers will be able to use the product to identify weaknesses in Web applications, Web servers, Web browsers and associated databases. The tools generate exploits that can prove the existence of security weaknesses; demonstrate the potential consequences of a successful attack; and help address security issues and prevent data incidents.

Core CEO Paul Paget said in an interview Monday that the new Web application testing capabilities have been in development for some time, and that the company offered small groups of customers a preview of the new capabilities during Black Hat USA 2007 in Las Vegas last August.

"They see this as the next logical step for Core," he said. "They see Web application threats as a big problem for them as attackers turn their attention in that direction."

Pen testing: Pen testing your VPN: Your VPN is a vital gateway into your network for your company's road warriors, telecommuters and other remote users. Best practices for pen testing Web applications: Performing a Web application penetration test can gauge how well your Web application can withstand an attack. Immunity releases new exploit-writing tool: Pen testing company Immunity says its Debugger tool offers researchers a new way to write exploits, analyze malware and reverse engineer binary files.

Security researchers have warned for the past two years that attackers are shifting their attention to Web-based applications users are increasingly relying on for everything from commerce to banking.

One example of the threat is the proliferation of insecure sites built around Asynchronous JavaScript and XML (Ajax). SPI Dynamics researcher Billy Hoffman has repeatedly warned that too many companies are in a rush to build sites around these features with no thought about the potential security ramifications.

Core said IMPACT can replicate an attack that initially compromises a Web server or end-user workstation and then propagates to backend network systems. At least one customer is happy with what he has seen so far.

Nikk Gilbert, security director of Alstom Transport, said in a press release, "By adding Web application testing to its existing capabilities IMPACT saves us from having to use disparate, stand-alone tools for each part of our IT infrastructure. It's good to know that we can now rely on an established, trusted vendor to help us face our security challenges in this area as well."

Sound Off! -   Be the first to post a message to Sound Off!

Tags: Penetration Testing and Ethical Hacking,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us