While WebInspect includes new features and improved wizards to boost the usability of the product, it still works in a fairly classic penetration-testing mode and retains more of a developer orientation than some of its rivals. If you want developer-targeted features, that's a good thing, as WebInspect includes plenty of advanced customization capabilities through user-built scripts and custom SOAP (Simple Object Access Protocol) services. Like most products in its class, WebInspect works by crawling through a Web application and auditing the code it finds for potential security problems. In Version 5.8, the wizards for starting a scan have been designed to accommodate both novice users who want to quickly start a scan and more advanced users who want to do a lot of upfront customization to a scan.

In general, we appreciated that we could now start a scan without having to click through too many wizard screens and that we could test a Web service simply by loading the WSDL (Web Services Description Language) file. As is usual with this type of product, we also could record a manual crawl through the application instead of, or in addition to, an automated crawl. One welcome new feature in the advanced scan settings is the ability to define specific parameters under which a scan should be stopped or paused. This will be useful when an application being tested has crashed or isn't responding properly. For example, we could simply define a timeout response threshold under which the scan would stop. The interface for viewing the results of a scan and the initial round of potential problems was generally good, although it wasn't as easy as we would have liked to parse through the results. However, we could quickly remove potential false positives simply by removing whole groups that we knew weren't applicable.
The reporting options were very good overall, with a decent set of canned report templates and the expected collection of prebuilt reports, such as executive summary, QA and vulnerability details. Other nice options include aggregate reports and trending. WebInspect also can identify a wide variety of compliance standards and output reports that illustrate how well an application meets them.