Mention Web application security to an IT administrator at most companies
and you may elicit a grimace. The growing tangle of dynamic Web 2.0
applications make it almost impossible for traditional bug scanners to catch
most Web vulnerabilities.
Recognizing this architectural challenge, SPI Dynamics created
Phoenix, a new Web application security architecture to analyze Web 2.0
applications and find previously undetectable Web flaws.
Erik Peterson, vice president of product management for SPI, said modern Web
applications built from technologies such as AJAX, RSS and Flash combine
client and server side processing and are therefore more complex.
SPI argues that current application scanners, including its current
WebInspect portfolio, are built on dated architectures developed in 2000.
Not surprisingly, they haven’t kept up with the evolution of Web
applications, so they don’t find newer security vulnerabilities.
This leads to high false negative rates, meaning the flaws aren’t being
detected by the software and the IT auditor has no idea something is wrong
until it’s too late.
“AJAX exploded and changed how Web applications are built and deployed,”
Peterson said, explaining the need for Phoenix. Hackers evolve from
hobbyists to professionals. It’s a billion-dollar industry for these folks
to be taking advantage of opportunities out there.
“The complete re-architecture of our product was necessary to keep at the
forefront of where the Web was going. We feel like it’s going to pay off
for us in spades.”
Phoenix will serve as the foundation of SPI’s security software going
forward, but the architecture has been employed first in WebInspect 7, the
company’s Web scanner.
WebInspect 7 assesses a Web service by discovering all XML input parameters
and performing parameter manipulation on each XML field looking for
vulnerabilities within the service.
The software exposes hidden application logic, revealing security flaws that
could not be found through automated security testing.
Peterson said WebInspect 7 is distinct from other Web scanners because it
includes simultaneous crawl and audit (SCA) and concurrent application
These tools make the scanner faster and more accurate and performing these
tasks at the same time may cut flaw scan times in half or more. WebInspect 7
can also perform multiple concurrent scans to cover more ground on the Web
and in the computer network.
Moreover, the software boasts new automated checkpoints to eliminate
authentication issues for applications using two-factor authentication or
CAPTCHA (completely automated public Turing test to tell computers and
humans apart). WebInspect 7 can authenticate with secure Web applications
and determine when re-authentication is required.
WebInspect 7, which SPI will begin selling Feb. 14, supports IPv6
With all of these Web 2.0-focused features, SPI believes WebInspect 7 will
be a considerable upgrade over current Web scanning products offered by
Watchfire and Cenzic.
Peterson said SPI officials will be demonstrating WebInspect 7 at the RSA Conference 2007
Feb. 5-9 in San Francisco.
The software will be one of dozens of security products various vendors plan
to show off at the show, which will include keynote speeches from industry
luminaries Microsoft Chairman Bill Gates, Symantec CEO John Thompson and
Oracle CEO Larry Ellison.