By Jim Rapoza  |  Posted 2006-03-13

While WebInspect includes new features and improved wizards to boost the usability of the product, it still works in a fairly classic penetration-testing mode and retains more of a developer orientation than some of its rivals. If you want developer-targeted features, that's a good thing, as WebInspect includes plenty of advanced customization capabilities through user-built scripts and custom SOAP (Simple Object Access Protocol) services.

Like most products in its class, WebInspect works by crawling through a Web application and auditing the code it finds for potential security problems. In Version 5.8, the wizards for starting a scan have been designed to accommodate both novice users who want to quickly start a scan and more advanced users who want to do a lot of upfront customization to a scan.

In general, we appreciated that we could now start a scan without having to click through too many wizard screens and that we could test a Web service simply by loading the WSDL (Web Services Description Language) file. As is usual with this type of product, we also could record a manual crawl through the application instead of or in addition to an automated crawl.

One welcome new feature in the advanced scan settings is the ability to define specific conditions under which a scan should be stopped or paused. This will be useful when an application being tested has crashed or isn't responding properly. For example, we could simply define a response timeout threshold beyond which the scan would stop.

The interface for viewing the results of a scan and the initial round of potential problems was generally good, although it wasn't as easy as we would have liked to sort through the results. However, we could quickly remove potential false positives simply by removing whole groups of findings that we knew weren't applicable.

The reporting options were very good overall, with a decent set of canned report templates and the expected collection of prebuilt reports, such as executive summary, QA and vulnerability details. Other nice options include aggregate reports and trending.

WebInspect also can check an application against a wide variety of compliance standards and output reports that illustrate how well the application meets them.


Jim Rapoza, Chief Technology Analyst, eWEEK. For nearly fifteen years, Jim Rapoza has evaluated products and technologies in almost every technology category for eWEEK. Mr. Rapoza's current technology focus is on all categories of emerging information technology, though he continues to focus on core technology areas that include content management systems, portal applications, Web publishing tools and security. Mr. Rapoza has coordinated several evaluations at enterprise organizations, including USA Today and The Prudential, to measure the capability of products and services under real-world conditions and against real-world criteria. Jim Rapoza's award-winning weekly column, Tech Directions, delves into all areas of technology and the challenges of managing and deploying technology today.
