Rooting Out Web App Holes

By Jim Rapoza  |  Posted 2006-03-13 Print this article Print

Review: Web application penetration-testing tool veterans WebInspect and AppScan show they still have the right security stuff.

Despite all the attention that security holes in various operating systems get, the most likely avenue for successfully compromising a corporate system is a poorly developed Web-based application. Its essential, therefore, for developers to find potential problems before deploying a Web application to a live site.

Thats where Web application penetration-testing products come in. These tools let developers perform exhaustive application scans to find known security holes or even poorly designed code that could potentially lead to a security breach.

The effects of domain hijacking can linger. Click here to read more.
These products are not solely limited to developer testing and QA (quality assurance). Penetration tools are regularly updated with new attack signatures to make sure that live applications arent susceptible to new security holes, so they can—and should—be used on an ongoing basis to test Web applications that have already been deployed.

Two products that have long been in the Web application penetration-testing space have recently been updated: SPI Dynamics WebInspect and Watchfires AppScan. With the latest releases—versions 5.8 and 6.0, respectively—both products focus on increasing ease of use and cutting down on the frequency of false positives that often plague this type of product.

With WebInspect 5.8, which was released in January, SPI Dynamics has improved scan management and includes features specifically for testing AJAX (Asynchronous JavaScript and XML)-based applications. AppScan 6.0, released in December, is a fairly major overhaul of the product, with a completely redesigned interface and improved remediation tools and capabilities.

eWEEK Labs tested these products against several Web applications, including an internal portal server, an active blogging site, a commerce-oriented application and several sample test applications. The languages these applications were written in cover the gamut, from .Net to J2EE (Java 2 Platform, Enterprise Edition) to PHP to Python to AJAX.

We saw fewer false positives with the new versions of these products than with their older siblings, but there were still plenty. Most were related to the fact that neither product can tell what other security measures have been taken in the environment in which the application will run, such as system hardening, that can remove potential threats.

AppScan is priced at $15,000 per year. WebInspects pricing is based on the number of servers being tested, with perpetual licenses starting at $6,000 and perpetual user licenses starting at $30,000.

More information and trial version downloads are available at and

Click here to read the full review of Appscan 6.0.

Click here to read the full review of WebInspect 5.8. Labs Director Jim Rapoza can be reached at

Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Security Center Editor Larry Seltzers Weblog.
Jim Rapoza, Chief Technology Analyst, eWEEK.For nearly fifteen years, Jim Rapoza has evaluated products and technologies in almost every technology category for eWEEK. Mr Rapoza's current technology focus is on all categories of emerging information technology though he continues to focus on core technology areas that include: content management systems, portal applications, Web publishing tools and security. Mr. Rapoza has coordinated several evaluations at enterprise organizations, including USA Today and The Prudential, to measure the capability of products and services under real-world conditions and against real-world criteria. Jim Rapoza's award-winning weekly column, Tech Directions, delves into all areas of technologies and the challenges of managing and deploying technology today.

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel