Caleb Sima, CTO, SPI Dynamics

It’s just a few days before the RSA Conference 2007, and some vendors refuse
to let themselves get lost in the glut of news from companies that scramble
for everyone’s attention at the show.

Take SPI Dynamics, for example. The Web application security provider
earlier this week unveiled the fruits of a three-year endeavor, dubbed
Phoenix, in which the company whipped up a new architecture.

Forming the architectural backbone of the latest release of the company’s WebInspect 7 scanning software, Phoenix aims to turn the traditional, more passive Web application security model on its ear.

Traditional Web application scanners can’t effectively handle the
new-fangled applications written with AJAX, Flash, or RSS that have come to
typify Web 2.0.

Moreover, the highly distributed nature of many organizations’ applications
makes it difficult for current Web app scanners to search for
vulnerabilities through multiple servers. It’s like looking for several
needles in several haystacks.

SPI Dynamics officials say WebInspect 7 aims to end the suffering because
Phoenix was designed to work with newer applications to thwart more
sophisticated Web attacks. recently caught up with Caleb Sima, co-founder and
CTO of SPI Dynamics. Sima and his development team are responsible for the
conception of Project Phoenix and its incorporation as the intelligent
bedrock for WebInspect 7.

Q: Why did SPI Dynamics decide to create the Phoenix architecture, which
you bill as the first Web application-scanning architecture for Web 2.0?

We realized the architecture of the Web scanner today is built for the Web
of 2000. It is obvious to everybody the Web has changed, especially in the
last three years. The Web has just skyrocketed to an entirely different way
of using it. Because of that, the vulnerabilities have gotten to be a little
bit different. They have become much more difficult to find.

In order to
identify these vulnerabilities in Web applications, the way the Web scanner
works today had to be drastically changed. The way that we were doing it was
absolutely insignificant and just wasn’t going to work.

That’s why we started Phoenix. We needed to do the next generation of Web
scanning. We needed to make a product that acts like a human hacker, that
thinks like a human hacker and was flexible enough for us to add these
things in a quick amount of time.

Q: With Phoenix, what are some examples of challenges that WebInspect 7
can address that previous versions of WebInspect couldn’t?

There are a bunch of them. One is time. Because Web applications have gotten
so complex and big, scanning a Web application in the old days, in which you
would crawl even a small Web site, would take an hour or so to complete. And
then you would start auditing to find vulnerabilities.

That’s the way
scanners work today. Now, in order to scan even a small Web site today, with
AJAX and all of the other technologies going on, it takes a lot longer. It’s
much more dynamic. You’re missing things. By the time you finish it, two or
three hours into a crawl, you start the auditing. In the meantime, the
auditor, or the person using the product, sits on his butt and basically
does nothing. What happens is there’s three hours of wasted time, and you have to wait for time for auditing to come up.

But with WebInspect 7, we’ve created a
new simultaneous crawl and audit methodology. As soon as you start crawling
pages, it immediately starts auditing for the types of vulnerabilities
you’re looking for. So, you can get pretty much instantaneous results as
soon as you crawl one page.

That is extremely beneficial to an auditor
because as soon as a vulnerability pops up, they can start working on it.
They can determine whether there are false positives. They can determine
whether it’s something they need to put in a report in a different way. They
can confirm by exploitation, they can go further with the vulnerability.
That allows them to work with the product as it’s working, saving them a
considerable amount of time.

That doesn’t necessarily sound sexy but it is
amazing how much difference it makes from my perspective as a tester.

Q: Do the Web 2.0 technologies also mean you’re seeing new security

The types of vulnerabilities we find are also going to be different.
Previously with WebInspect, there were Web applications that we could not
crawl. For instance, things with CAPTCHA (Completely
Automated Public Turing test to tell Computers and Humans Apart), things
with multi-factor authentication. In order to do scanning for those, you’d
have to hit something, look at your token and enter in a number and then be
able to somehow get the automated product to do that. It was impossible.

With WebInspect 7, as soon as we see a CAPTCHA prompt, we will pause the
scan, alert the user, he can get out of the CAPTCHA, click OK, and boom, the
product continues. Now what will happen, it’s a very simple and easy method
to do these kinds of things.
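The two mechanisms Sima describes above, a crawler that hands each page to the auditor the moment it is fetched (so findings appear while the crawl is still running) and a scan that pauses on a CAPTCHA until a human clears it and then resumes, can be sketched as a small pipeline. The following is an added illustration, not SPI Dynamics code and not how WebInspect is implemented; the site is a constructed in-memory dictionary, the "audit" check is a stand-in that flags pages marked as echoing a query parameter back unencoded, and `human_callback`, `fetch_delay` and the `SITE` layout are assumptions made for the example.

```python
"""Toy 'simultaneous crawl and audit' pipeline with a CAPTCHA pause.

Constructed example: the site is an in-memory dict, so nothing touches
the network. The point is the event ordering: audit findings are logged
before the crawl has finished, and the crawl blocks on a CAPTCHA page
until the operator callback returns.
"""
import queue
import threading
import time
from dataclasses import dataclass, field

# Constructed toy site. 'reflected' lists query parameters the page echoes
# into its HTML without encoding (the defect our stand-in auditor flags);
# 'captcha' marks a page that needs a human before crawling can continue.
SITE = {
    "/":        {"links": ["/search", "/login", "/about"], "reflected": [],       "captcha": False},
    "/search":  {"links": ["/results"],                    "reflected": ["q"],    "captcha": False},
    "/login":   {"links": ["/account"],                    "reflected": [],       "captcha": True},
    "/about":   {"links": [],                              "reflected": [],       "captcha": False},
    "/results": {"links": [],                              "reflected": ["page"], "captcha": False},
    "/account": {"links": [],                              "reflected": [],       "captcha": False},
}

CRAWL_DONE = object()  # sentinel: tells the auditor no more pages are coming


@dataclass
class ScanLog:
    """Ordered record of events, shared by the crawler and auditor threads."""
    seq: int = 0
    events: list = field(default_factory=list)
    lock: threading.Lock = field(default_factory=threading.Lock)

    def record(self, kind, detail):
        with self.lock:
            self.seq += 1
            self.events.append((self.seq, kind, detail))
            return self.seq


def crawl(site, start, audit_queue, log, human_callback, fetch_delay=0.05):
    """Breadth-first crawler that enqueues each page for audit as soon as it
    is fetched. On a CAPTCHA page it pauses until human_callback returns."""
    seen = {start}
    frontier = [start]
    while frontier:
        url = frontier.pop(0)
        page = site[url]
        time.sleep(fetch_delay)  # simulated network latency (assumption)
        if page["captcha"]:
            log.record("pause", url)
            human_callback(url)  # blocks until the operator has solved it
            log.record("resume", url)
        log.record("crawled", url)
        audit_queue.put((url, page))  # auditor can start on it right away
        for link in page["links"]:
            if link not in seen:
                seen.add(link)
                frontier.append(link)
    log.record("crawl_done", None)
    audit_queue.put(CRAWL_DONE)


def audit(audit_queue, log, findings):
    """Consumes pages as they arrive and flags unencoded reflection."""
    while True:
        item = audit_queue.get()
        if item is CRAWL_DONE:
            break
        url, page = item
        for param in page["reflected"]:
            findings.append((url, param))
            log.record("finding", f"{url}?{param}= reflects input unencoded")
        log.record("audited", url)


def run_scan(site=SITE, start="/", human_callback=lambda url: None):
    """Runs crawler and auditor concurrently; returns (findings, event log)."""
    log, findings, q = ScanLog(), [], queue.Queue()
    auditor = threading.Thread(target=audit, args=(q, log, findings))
    crawler = threading.Thread(target=crawl, args=(site, start, q, log, human_callback))
    auditor.start()
    crawler.start()
    crawler.join()
    auditor.join()
    return findings, log.events


def first_finding_before_crawl_done(events):
    """True when at least one finding was logged before the crawl finished,
    i.e. the auditor did not have to wait for the whole crawl."""
    first_finding = min((s for s, k, _ in events if k == "finding"), default=None)
    crawl_done = next(s for s, k, _ in events if k == "crawl_done")
    return first_finding is not None and first_finding < crawl_done


if __name__ == "__main__":
    found, log_events = run_scan(human_callback=lambda u: print(f"CAPTCHA at {u}: operator solves it, click OK"))
    for seq, kind, detail in log_events:
        print(f"{seq:3d} {kind:10s} {detail}")
    print("findings:", found)
    print("results arrived mid-crawl:", first_finding_before_crawl_done(log_events))
```

In a sequential crawl-then-audit design the `finding` events could only appear after `crawl_done`; here the queue decouples the two phases, so the operator can start triaging the `/search` finding while the crawler is still working through the rest of the site. The `human_callback` hook is where a real tool would surface the CAPTCHA to the user and block until they confirm.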

The biggest problem of course is JavaScript AJAX. In WebInspect 6, we
basically built a JavaScript engine and were able to plug it in in a
rudimentary form. But this JavaScript engine was really built for Phoenix,
so we are now able to implement it in WebInspect 7 to deal with JavaScript
and AJAX technologies.

WebInspect 7 will go through a Web application like a
user and understand what is going on to its full potential. That’s really
important. Because honestly, if you don’t do that, you’re not going to get
to the Web app and you’re going to miss a bunch of vulnerabilities. A lot of
great features and enhancements get thrown into being able to crawl and
understand a Web application better.

Q: Who do you run into on the competitive landscape as you troll for
customers? Why is WebInspect 7 a more attractive alternative?

Our main competitor is Watchfire, and we have a smaller competitor called
Cenzic. Watchfire copies a lot. From our perspective, we were first with a
Windows product, the first with the technology that we have and the first
with our methodology of auditing Web applications.

Unfortunately, everyone
has copied our technology, basing it on a crawl and audit. We just knew
three years ago that that wasn’t going to hold up. We fundamentally changed
the way the engines worked and the way things got audited. They’re running
off of what I consider old 2000-based architecture. They’re trying to keep
up with the Web 2.0 by adding features and enhancements to an old,
fundamentally flawed architecture. It’s just not going to work. At some
point, they’re going to have to turn around.

Q: What do you expect will be one of the hot topics at RSA this year?

I think browser security will be big. Your biggest interface to the Web is
the browser. People are just starting to catch on to its cross-site scripting
vulnerabilities, which has reached a level of absolutely huge potential.
AJAX has added some real big security concerns.