RealTime IT News

SPI Lets 'Phoenix' Fly For Web Security

Mention Web application security to an IT administrator at most companies and you may elicit a grimace. The growing tangle of dynamic Web 2.0 applications makes it almost impossible for traditional vulnerability scanners to catch most Web flaws.

Recognizing this architectural challenge, SPI Dynamics created Phoenix, a new Web application security architecture to analyze Web 2.0 applications and find previously undetectable Web flaws.

Erik Peterson, vice president of product management for SPI, said modern Web applications built from technologies such as AJAX, RSS and Flash combine client- and server-side processing and are therefore more complex.

SPI argues that current application scanners, including its current WebInspect portfolio, are built on dated architectures developed in 2000. Not surprisingly, they haven't kept up with the evolution of Web applications, so they don't find newer security vulnerabilities.

This leads to high false negative rates: real flaws go undetected by the software, and the IT auditor has no idea something is wrong until it's too late.

"AJAX exploded and changed how Web applications are built and deployed," Peterson said, explaining the need for Phoenix. Hackers evolve from hobbyists to professionals. It's a billion-dollar industry for these folks to be taking advantage of opportunities out there.

"The complete re-architecture of our product was necessary to keep at the forefront of where the Web was going. We feel like it's going to pay off for us in spades."

Phoenix will serve as the foundation of SPI's security software going forward, but the architecture has been employed first in WebInspect 7, the company's Web scanner.

WebInspect 7 assesses a Web service by discovering all XML input parameters and performing parameter manipulation on each XML field, looking for vulnerabilities within the service.

The software exposes hidden application logic, revealing security flaws that previously could not be found through automated security testing.
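The following is an added example, not SPI Dynamics' code and not a description of how WebInspect 7 is implemented. It shows the technique the two paragraphs above describe: enumerate every input field of an XML (SOAP-style) request, generate one mutated request per field and probe string, and match the responses against error signatures. The sample envelope, the probe strings, the response signatures and the stand-in service (with one SQL-injectable and one unescaped field) are all constructed for the illustration.

```python
"""
Added example, not SPI Dynamics' code: enumerate every input field of an
XML (SOAP-style) request and generate one mutated request per field and
probe string, i.e. "parameter manipulation on each XML field". The envelope,
the probes, the signatures and the stand-in service are constructed
assumptions for this illustration.
"""
import html
import re
import xml.etree.ElementTree as ET
from collections import Counter
from typing import Callable, Iterator, List, Tuple

# Constructed sample request to a hypothetical order-lookup service.
SAMPLE_REQUEST = """<?xml version="1.0"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
               xmlns:o="urn:example:orders">
  <soap:Body>
    <o:GetOrder>
      <o:CustomerId>1042</o:CustomerId>
      <o:OrderRef>A-77</o:OrderRef>
      <o:Options>
        <o:IncludeHistory>true</o:IncludeHistory>
      </o:Options>
    </o:GetOrder>
  </soap:Body>
</soap:Envelope>
"""

# Illustrative probes; a real scanner carries many per vulnerability class.
PROBES = [
    "' OR '1'='1",         # SQL injection
    "<script>x</script>",  # reflected markup (XSS)
    "../../etc/passwd",    # path traversal
]

# Illustrative response signatures that suggest a probe had an effect.
SIGNATURES = {
    "sql_error": re.compile(r"SQL syntax|ORA-\d{5}|SQLSTATE", re.I),
    "reflected_markup": re.compile(r"<script>x</script>"),
    "file_content": re.compile(r"root:x:0:0"),
}

_SEG = re.compile(r"^([^\[]+)(?:\[(\d+)\])?$")  # path segment "Name" or "Name[2]"


def _local(tag: str) -> str:
    """Strip the namespace from an ElementTree tag: '{uri}Name' -> 'Name'."""
    return tag.rsplit("}", 1)[-1]


def discover_parameters(xml_text: str) -> List[str]:
    """Return a path for every leaf element, i.e. every text input field.
    Repeated sibling names get a 1-based index so each field stays addressable.
    (Attributes are inputs too in real services; they are skipped here.)"""
    root = ET.fromstring(xml_text)
    found: List[str] = []

    def walk(elem: ET.Element, here: str) -> None:
        children = list(elem)
        if not children:
            found.append(here)
            return
        counts = Counter(_local(c.tag) for c in children)
        seen: Counter = Counter()
        for child in children:
            name = _local(child.tag)
            seen[name] += 1
            suffix = f"[{seen[name]}]" if counts[name] > 1 else ""
            walk(child, f"{here}/{name}{suffix}")

    walk(root, "/" + _local(root.tag))
    return found


def _find(root: ET.Element, path: str) -> ET.Element:
    """Resolve a path produced by discover_parameters() back to its element."""
    elem = root
    for seg in path.strip("/").split("/")[1:]:
        name, idx = _SEG.match(seg).groups()
        same = [c for c in elem if _local(c.tag) == name]
        elem = same[int(idx) - 1 if idx else 0]
    return elem


def mutate(xml_text: str, path: str, payload: str) -> str:
    """Return the request with one field's text replaced by the probe. Going
    through the parser keeps the document well-formed ('<' becomes '&lt;'),
    which the server-side XML parser decodes back into the probe."""
    root = ET.fromstring(xml_text)
    _find(root, path).text = payload
    return ET.tostring(root, encoding="unicode")


def generate_probes(xml_text: str, probes: List[str] = PROBES) -> Iterator[Tuple[str, str, str]]:
    """Yield (field_path, probe, mutated_request) for every field x probe."""
    for path in discover_parameters(xml_text):
        for probe in probes:
            yield path, probe, mutate(xml_text, path, probe)


def classify_response(body: str) -> List[str]:
    """Names of the signatures that match the service's response."""
    return [name for name, rx in SIGNATURES.items() if rx.search(body)]


def fake_service(request_xml: str) -> str:
    """Constructed stand-in for the target: OrderRef is SQL-injectable and
    CustomerId is echoed without escaping; IncludeHistory is handled safely."""
    root = ET.fromstring(request_xml)
    get = lambda name: _find(root, "/Envelope/Body/GetOrder/" + name).text or ""
    if "'" in get("OrderRef"):
        return "<fault>You have an error in your SQL syntax near ''</fault>"
    return "<order customer='%s' ref='%s'/>" % (
        get("CustomerId"), html.escape(get("OrderRef"), quote=True))


def scan(xml_text: str, send: Callable[[str], str] = fake_service) -> List[Tuple[str, str, List[str]]]:
    """Send every mutated request and report (field, probe, signatures) hits."""
    findings = []
    for path, probe, request in generate_probes(xml_text):
        hits = classify_response(send(request))
        if hits:
            findings.append((path, probe, hits))
    return findings
```

Against the constructed service, `scan(SAMPLE_REQUEST)` reports the reflected markup in CustomerId and the SQL error from OrderRef, and nothing for IncludeHistory. Mutating through the parser is the right choice for probes that must reach application code intact; probes intended to break the XML structure itself (unbalanced CDATA, entity tricks) have to be spliced into the raw text instead, since the parser would escape them.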

Peterson said WebInspect 7 is distinct from other Web scanners because it includes simultaneous crawl and audit (SCA) and concurrent application scanning.

Running the crawl and the audit at the same time makes the scanner faster and more accurate, and SPI says it can cut scan times in half or more. WebInspect 7 can also run multiple scans concurrently to cover more applications across the Web and the internal network.

Moreover, the software adds automated checkpoints to handle authentication for applications that use two-factor authentication or CAPTCHA (completely automated public Turing test to tell computers and humans apart). WebInspect 7 can authenticate to secured Web applications and detect when the target has logged the scan session out and re-authentication is required.
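The re-authentication problem above is easy to underestimate: a scanner whose session silently expires keeps running, but every page after the expiry is really the login redirect, so the flaws on those pages are never tested. The following added example (not SPI's code and not WebInspect's checkpoint logic) shows the detection side of it: a constructed in-memory target whose sessions die after a fixed number of requests, a `needs_reauth` checkpoint built on three assumed sign-out tells (redirect to the login page, 401/403, the login form reappearing in a 200), and a scanning loop that re-logs in when the checkpoint fires, beside a naive loop that does not. The login path, the test account and the expiry rule are assumptions of the illustration.

```python
"""
Added example, not SPI Dynamics' code: a scanning loop that notices when the
target has logged the scan session out and re-authenticates before continuing.
The target is a constructed stand-in whose sessions expire after a fixed number
of requests; the sign-out checks are assumptions, not WebInspect's checkpoints.
"""
import itertools
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

LOGIN_PATH = "/login"                   # assumed login URL of the target
SESSION_TTL_REQUESTS = 3                # constructed: a session dies after 3 requests
SCANNER_CREDS = ("scanner", "s3cret")   # assumed test account


@dataclass
class Response:
    status: int
    headers: Dict[str, str]
    body: str


class FakeApp:
    """Constructed target: a login endpoint plus protected pages."""

    def __init__(self) -> None:
        self._sessions: Dict[str, int] = {}   # token -> requests remaining
        self._ids = itertools.count(1)

    def login(self, user: str, password: str) -> Optional[str]:
        if (user, password) != SCANNER_CREDS:
            return None
        token = f"sid{next(self._ids)}"
        self._sessions[token] = SESSION_TTL_REQUESTS
        return token

    def get(self, path: str, token: Optional[str]) -> Response:
        if path == LOGIN_PATH:
            return Response(200, {}, "<form action='/login'>...</form>")
        if token not in self._sessions or self._sessions[token] <= 0:
            # Expired or unknown session: the app bounces to the login page.
            self._sessions.pop(token, None)
            return Response(302, {"Location": f"{LOGIN_PATH}?next={path}"}, "")
        self._sessions[token] -= 1
        return Response(200, {}, f"<h1>{path}</h1>")


def needs_reauth(resp: Response) -> bool:
    """Checkpoint: does this response mean the scanner is no longer logged in?"""
    if resp.status in (401, 403):
        return True
    if resp.status in (301, 302, 303, 307, 308):
        return resp.headers.get("Location", "").startswith(LOGIN_PATH)
    # Some apps answer 200 and simply render the login form again.
    return resp.status == 200 and f"action='{LOGIN_PATH}'" in resp.body


def audit_all(app: FakeApp, paths: List[str], creds=SCANNER_CREDS,
              max_reauth: int = 10) -> Tuple[List[str], int]:
    """Fetch every path with a valid session, re-logging in whenever the
    checkpoint fires. Returns (paths audited while authenticated, re-logins)."""
    token = app.login(*creds)
    if token is None:
        raise RuntimeError("initial login failed")
    reauths = 0
    audited: List[str] = []
    for path in paths:
        resp = app.get(path, token)
        if needs_reauth(resp):
            if reauths >= max_reauth:
                raise RuntimeError(f"gave up re-authenticating at {path}")
            token = app.login(*creds)
            reauths += 1
            resp = app.get(path, token)          # retry the same page once
            if needs_reauth(resp):
                raise RuntimeError(f"{path} still unauthenticated after re-login")
        audited.append(path)
    return audited, reauths


def audit_naive(app: FakeApp, paths: List[str], creds=SCANNER_CREDS) -> int:
    """Without the checkpoint: the scan runs to the end, but only the pages
    fetched before the session expired were actually tested while logged in."""
    token = app.login(*creds)
    return sum(1 for p in paths if not needs_reauth(app.get(p, token)))
```

With seven pages and a three-request session, `audit_all` re-logs in twice and audits all seven pages authenticated, while `audit_naive` silently tests only three; the other four would surface as false negatives in the report. Real targets add their own tells (a cleared session cookie, a JSON error body, a JavaScript redirect), so the checkpoint is something to record per application rather than a fixed rule.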

WebInspect 7, which SPI will begin selling Feb. 14, supports IPv6, a major requirement for future computing.

With all of these Web 2.0-focused features, SPI believes WebInspect 7 will be a considerable upgrade over current Web scanning products offered by Watchfire and Cenzic.

Peterson said SPI officials will be demonstrating WebInspect 7 at the RSA Conference 2007 Feb. 5-9 in San Francisco.

The software will be one of dozens of security products various vendors plan to show off at the show, which will include keynote speeches from industry luminaries Microsoft Chairman Bill Gates, Symantec CEO John Thompson and Oracle CEO Larry Ellison.