“It took me a while to find WebInspect. The problem with most vulnerability tools is the false positives.”
Paul Samadani
• Title: Director of corporate technology services, Pentair, in Golden Valley, Minn.
• Years in networking: 23
We do a lot of development in-house and externally on our intranet and extranet sites. We have a global network of sites that spans all countries. I want to make sure that these portals are secure.
It took me a while to find WebInspect. The problem with most vulnerability tools is the false positives. I demoed this product, and it found a lot of interesting items, but not a lot of false positives.
Some tools tell you there's a problem but don't tell you how to solve it. If you want to be hated in a development environment, point out to people that they have a problem but you don't know how to fix it. WebInspect points out the code and gives references on how to fix that code. Any developer can take my report and learn how to fix what's wrong. Everyone I've given a WebInspect report to has been impressed, because it was a learning experience for them.
We have two people in IT using WebInspect extensively to test sites across the company. We also tell the in-house developers we use WebInspect so they can test their sites against it. Some departments in the company like to work with [application service providers] for their sites. Our concern is that it's our intellectual property and personal information. We want to know how the ASP will handle that data. Before we sign up with an ASP, we run the WebInspect tool against them. We also do periodic checks using the tool. We can tell whether the ASP is secure or not. I have walked away from companies after seeing the results from WebInspect. I show them the vulnerabilities they have, and if they don't want to fix them, then we won't do business with them.
Copyright 2008 Network World Inc.