Testing, testing

Opinion
Apr 16, 2003
3 mins
Enterprise Applications

* Web applications testing tool

If there’s one thing you should be suspicious of, it is whether your Web applications have holes in them. The problem is that even the smallest technical oversight can turn out to be a gaping security breach that brings down your entire application infrastructure. So it follows that testing is not optional.

A tool that promises to make testing as thorough as possible is WebInspect from SPI Dynamics. WebInspect performs numerous assessments that include:

* Vulnerability checks for known buffer-overflow exploits and SQL injections.

* Form manipulation and checking for hidden parameters being passed between pages.

* Testing of client-side code.
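To illustrate the second kind of assessment above (hidden parameters passed between pages), here is a small audit script, added for this column and not part of WebInspect or SPI Dynamics’ code, that parses constructed HTML forms and flags hidden fields whose names suggest they carry state the server should never trust from the client. The field-name pattern and the sample forms are assumptions made for the example.

```python
import re
from html.parser import HTMLParser

# Hidden-field names that commonly carry server-side state (price, role, user id).
# This pattern is an assumption for the example; tune it to the application under test.
SUSPICIOUS_NAMES = re.compile(r"(price|amount|total|role|admin|uid|user_?id|discount|level)", re.I)


class HiddenFieldAuditor(HTMLParser):
    """Collects every hidden <input> inside each <form>, keyed by the form's action."""

    def __init__(self):
        super().__init__()
        self.forms = []        # one dict per form: {"action", "method", "hidden": [(name, value), ...]}
        self._current = None   # form currently being parsed, or None when outside a form

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}   # html.parser lowercases names; valueless attrs are None
        if tag == "form":
            self._current = {"action": a.get("action", ""), "method": a.get("method", "get").lower(), "hidden": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None and a.get("type", "").lower() == "hidden":
            self._current["hidden"].append((a.get("name", ""), a.get("value", "")))

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_hidden_fields(html):
    """Return one finding per hidden field whose name matches SUSPICIOUS_NAMES."""
    parser = HiddenFieldAuditor()
    parser.feed(html)
    return [
        {"action": form["action"], "field": name, "value": value}
        for form in parser.forms
        for name, value in form["hidden"]
        if SUSPICIOUS_NAMES.search(name)
    ]


# Constructed sample page: a checkout form that trusts a client-supplied price,
# and a profile form that trusts a client-supplied role. The csrf_token field is benign.
SAMPLE_HTML = """
<form action="/checkout" method="post">
  <input type="hidden" name="item_id" value="42">
  <input type="hidden" name="price" value="19.99">
  <input type="hidden" name="csrf_token" value="abc123">
  <input type="text" name="qty" value="1">
</form>
<form action="/profile" method="post">
  <input type="hidden" name="role" value="user">
</form>
"""

if __name__ == "__main__":
    for f in audit_hidden_fields(SAMPLE_HTML):
        print(f"{f['action']}: hidden field {f['field']!r}={f['value']!r} carries client-controlled state")
```

A finding here means the server must recompute or look up that value itself rather than accept what the form round-trips through the browser.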

For more information, see SPI’s white paper on Web applications vulnerabilities titled “Security at the Next Level: Are Your Applications Vulnerable?” (link below).

WebInspect has a humongous list of features – here are the key ones:

* WebDiscovery – A Web application inventory mapping tool, which scans a network range for Web-enabled devices and creates an enterprise inventory of all web applications.

* Enterprise Scan Scheduler – manages multiple Web application scans.

* Policy Manager – provides detailed policies that can be customized by the end-user.

* Centralized File Management – a repository for a distributed group of WebInspect end-users to share testing policies.

* Support of pre-production and stand-alone environments – enables testing of applications before they are launched and continual “certification” of applications in production.

* Recursive Crawl & Audit (RCA Technology) – allows WebInspect to “walk” a complete site during each assessment adding any new links that have been included since the last crawl.

* SmartUpdate – enables end-users to update the attack agents, vulnerability database, and product version.

* Integrated Threat Agents – measure the risk of misconfiguration or insecure deployment of third-party commercial applications, including WebSphere, WebLogic, Lotus Notes, ColdFusion, Forte, Oracle Application Server and Microsoft .Net.

* Enhanced Reporting – multiple formats for different audiences, including executive reports, technical reports and trend analysis.

* Export Wizard – an XML export tool that enables users to export all information found during the scan in a standardized XML format.

* Brute Force Tool – an authentication integrity test tool that brute-forces usernames and passwords to determine how well the authentication holds up.

* WebForm Editor – enables the end-user to submit values to Web application form fields.

* SPI Proxy – records a series of requests and responses for further analysis.

* SOAP Editor – allows editing of raw Simple Object Access Protocol requests and responses and submits them to the Web service.

* Multiple Authentication Scheme Support – lets you select and configure the type of Web server or Web-based authentication, including NTLM, Form Based, or Basic.

* Interactive HTTP Transaction Recording – allows manual crawl of any site and definition of the areas for an audit.

* Integrated Custom Agent – enables creation of Custom Agents that are capable of conducting any type of security check.

* Visual Web Assessment Console (VWAC) – provides an interactive tree view and dynamic status indicators, allowing monitoring of progress throughout the assessment cycle in real time.

* Site mapping – produces a snapshot of the application tree and provides the end-user with a real-time view of assessment progress.

* Real-time HTTP manipulation filters – filters specified as regular expressions to modify the HTTP stream that WebInspect receives.

* Real-time Alerts Grid – a display of security vulnerabilities as they are identified.

This is one of the most powerful and complex Web application-testing products available. WebInspect runs on Windows 2000 Service Pack 3 or Windows XP and pricing starts at $4,995 per seat.

by Mark Gibbs

Mark Gibbs is an author, journalist, and man of mystery. His writing for Network World is widely considered to be vastly underpaid. For more than 30 years, Gibbs has consulted, lectured, and authored numerous articles and books about networking, information technology, and the social and political issues surrounding them. His complete bio can be found at http://gibbs.com/mgbio