|
|
|
Sanctum Puts Web Apps to Tougher Tests
By: Jim Rapoza
2003-10-27
Article Rating: / 0
There are 0 user comments on this Web Services, Web 2.0 & SOA story.
AppScan upgrade ably tests code and tracks changes, but it runs only on Windows.While Sanctum Inc.s AppScan has been an excellent aid for Web application developers looking for security holes in their projects, much of its focus has been on helping developers as they build applications. With AppScan 4.0 QA Edition, Sanctum adds key tools to help testers and those whose job it is to track changes and secure ongoing Web application projects.
eWEEK Labs tests showed AppScan 4.0 QA Edition, which shipped last month, to be a worthwhile investment for any company that builds and—especially—modifies complex Web applications.
We were also impressed with the speed with which AppScan 4.0 was able to scan fairly large Web applications. In one case, while running on a modest Pentium 3 system with Windows XP, it scanned a large portal application in less than 10 minutes.
AppScan 4.0 QA Edition is priced competitively for a product of this type, at $15,000 for a yearly subscription, which covers the applications that need to be scanned. The product runs on Windows 2000 and Windows XP.
As it has done since it first came out, AppScan works by crawling through entire Web applications and attempting a number of common security attack exploits. Version 4.0 gains the ability to scan for problems in XML-based Web services.
|
EXECUTIVE SUMMARY |
|
AppScan 4.0
|
|
QA EditionSanctums updated AppScan is a good tool for discovering and avoiding
common and possibly disastrous security flaws in applications. AppScan quickly
and effectively scans large applications and generates reports that are understandable
as well as track changes over time. AppScan 4.0 is priced at $15,000, and more
information is available at www.sanctuminc.com
|
| KEY PERFORMANCE INDICATORS |
| USABILITY |
GOOD |
| CAPABILITY |
GOOD |
| PERFORMANCE |
EXCELLENT |
| INTEROPERABILITY |
GOOD |
| MANAGEABILITY |
GOOD |
| SCALABILITY |
GOOD |
| SECURITY |
EXCELLENT |
|
PRO: Can compare and test changes in applications; interactive and comprehensive report options; excellent scanning speed.
CON: Testers cant write custom test scripts; runs only on Windows systems.
|
|
EVALUATION
SHORT LIST
• Kavado Inc.s ScanDo3
• SPI Dynamics Inc.s WebInspect
|
Once AppScan completes a scan of a Web application, it generates a report thats easy to read and share; the report details problems found and offers suggested fixes and workarounds.
One of the most important new features in AppScan 4.0 QA Edition is the ability to generate a delta analysis report by comparing two scan sessions. Using this feature, we could clearly see the effects that changes in an application had on its security, with all deltas and new problems shown in the report.
Another new feature is the inclusion of high-level results analysis sections in the reports generated by AppScan. We found this to be especially useful when running an initial scan on a large application, as this can often generate large and potentially confusing reports.
With the results analysis, we were able to get a high-level understanding of the depth of security problems in test applications. We also liked the new interactive results window, which let us dig through our application and view all the related links and information based on the AppScan tests.
When creating a test for a Web application, AppScan 4.0 provides several options. We could choose to do a simple vulnerability scan, use AppScans default and fairly exhaustive automatic scan or perform various recorded or interactive crawls through a site to test specific functionalities. Although these options will probably be enough for most Web developers, we would like additional choices such as the ability to write tests completely in script.
Other new features in AppScan 4.0 QA Edition are a command-line interface and an API, both of which make it possible to integrate AppScan with larger quality assurance and testing infrastructures. Labs Director Jim Rapoza can be reached at jim_rapoza@ ziffdavis.com.
|
|
�������x}r㶲s\@♵M]H)ْZc[^^:U*$�ER$'?_v8x��-2qIlK���}C�?H�9u4ô'1�%3�TI]"I͝�h#(3`ȩ��9AFN�Zj:@a5˜؍Nz&��p��Dw�d�>J�`OS;SM�)5'ӠQh~0g�{zcW6gڄ2z9m2�f��E63F��I��-�6r�!&�֥qɏ{O|2��ַ8>v@ߨ�V�9AÙML}!*{�OJJ%h�!�1Qus͟�|adw^x/4��0vK]K{'#o�AU�VekV:6^�;�4r9Fȹ�3�z$fPr&NWw#2�5IR�Z@[
�4
11܉�Hч�@X�ST�P֢f̴;gj�5[g�c}ױ}ǣ��!&�$ftj�v?ƭ�Q�I&��7�q�#/<{e�&-ԆN�VP?� u�ϐjQ2ZF-oZz��
E�ɥv'Y̮g� f�VҘ�'�UUH,-?Z:e!esX6&�Z�
@��$B�vB�oMEq{]q;WݣN�I3�a
�V�~��'^=v��?,rK=����j�iT뒚�vhC�u{Dr,_�d=h�N !�O}�fr5 @�
L��^a� �p|g�i�͇v9s�a �{>�0���sF}+D�%��i��-DCw
0Ie&3@yK�LΝ݀25fC?�F{t$4�,/�#0/ Z-{����Be^~�m�̢�8�ѵO�>7g`sDokii#���1).aH�d˕�F���] cRRT$C{ ���hI#r�����
B!,`@n!`� [AX�� a�R
.�u@�Gҩ3qj|_.�kr)eb -x[b�~I�Lg2+Iɴ��X�9�yDM�f#�T`B[ᛥLKa�k`Dݘ,B^�&tcS7a #@�.kùi��K0Pl;�ik`�1Ԑ(ʲMg9@��Ϲh��
�I߱n)y@�6Êi֜�Ǻ����dujM3ӆ�ԧ$r�W"Ch�j�5Xjoa�Z&5�\#oeK��4�fXi*pn�=&.�0|jj+iS w$m˴oVP�}77�BgsݐC/�2$\^&VAB1
6d:�l';oW fnR>�RJ=""�ǰP3n�>p(^HIbЙj!@�)z٧l�.�?ΖuV"kͲG{_�No6�y4�m�{g�@�y#� dlK/,:�+c:K�_ji��HH*6�@\\1-#��%>D!1~h�/a2('m;D=tl=5Ǡ}nP
�*+jS#��0��J�+fڹaK �l�@�r;4
po�`�27bbˡ\2aN#�}9�:#}=r=�ێ�dr��N��)]hpܩHhS+ma�QQPkjb�3}�Ä끈�_ƕ/�c�a�{�J{p�:P]%W0sM^\��NV°'9�g!�A��v?|D'@�plZ`0R7uig#2b�Z�L5�+e1�`sMD@�g�2,rƎe9w٘A�N���\�Zj<��8�9�a�Qo5�>
U�T�#!űLbEah88l^t�� ,4�ra,�?@��R5V23gd�uGǙXT*j�PnT�Dq"
֚΄��O5O�_c��>Ҁ!a�s:�A>Db�����$6��\T`�t>*j*�WX07pn) �RUԒ.ZE^~~�V�%$]�4X6H }=t��~h3<2�y����әV�j�qt�*Z�j:
_�
>玾�2�X�0{h'0^˒G;|P�a_�͑<]H�@�K1SdcS�yt$�dݙ0n !�TՖGasc�'��b�h��6B\4�<�}g�S�(z`0d�nZiS���s;e=Q\_)ɨ��4`V�܆8{>./L�H)Xu���}
��*z�ּn`6f/ElcD�H!S
�2�:е�%Ԓ6��~vq㉱}|XD&lڊ6�*8e$�ߌc����Rm�-e+
BcIYg^�|1}M�>�Yȓcpse%s
@B>�ZZ5-P�yZ{qd���F&}G�Ӈ�
[0<�Fd&�T~�!\xY�RvVlΠ7/nϘmg�V/@ͮ
2�\+ r�7u�au�-#x��]SOo�R��
�
{259p\Semim�7oUUB�5eAb��dE6 7cyJ�~�Zg'7>htt@(+w�'X`{ǽt:~s,�(=~.l?<~w�>a�A�N :>�KKxl�4�{k��N>}}>oKݳ�?�N�eB�dAw $(��X�Mp��k#NՓ�nw?J�6ix�F)0\^�|=9`;�pZ�KG%?nv@N�)�ޠw!z2W#䀠]jv?D�d�0�sti]6b�L`jX&IE2D#S�!麫`&z����9,_�}hNӅ[e�Цw�yv$sm�g�w>%�zv`�5gk3@
\c���[ıwpW߆�ة�?O.yr�o5r8_IMdO1\XTCxxg!,d9��a}�3G؞qnbL��drOB%�7÷Fp7�*gcc3/�F#%k&ȱ�m�@|Րp/�h1i�`jcZ�$8\}5�߈:6"Y1!IfM1XP|=�ߌ93{C�4�/�TWeT�c�S�K/.9�4y˭0L LP��܇'Vx�e86[b4v[05| ttfڰJ[~NK5Y�VQx�*J]�C��;·G"`*93'a�,R��Qw*`�E�sGG�'s 'AIY9hBYɇ7:���8g, �خ\PWg,ߣ��cOh��O3+a|u-I���qv�LJ&<5T���w3�'"y`�'��W�"^Ϳ�q ���)2Gk^('��h50�&(���$O&Ku�yBGdd#x�O,!("aʛ�b7
R�λl*v�v����Z
D[:ue"/�pf>�Q,?P� Y�'��̘r]�S�9Q}&a�`^8üzq�%�]]�?�51[|I�gؠjH�g[��{8NymXi첎@/L�x;�G�,3̴Np\�[E��>J&*q�MMli̓p&�%KR$埇]q�$q��/(q�=�VnA`%Ξ`vMO�8*GO7VjjV;(JI)�볜Q'7y3�I+u(<^eSjt��g"c�O)
v}x�\j[`A1u��f�f��3�>`Xe͢^04=s��+S�.Lo��U%"�P �Jތ)l.DBD%,j8o[ Z d��H}�y&vUlbnҟ6��4Q%%
؛J��y'��?�cP1AY'L.X
bcƚgJ% -�*; ¸�t>I,�1Z�*��6�&xgK�J8\R"!\,%�=���L�ĈȆw>Œ�%%\̄Hy*"O|qUֻw� )�I-O,̠KҞ6㢽)Z`Q
Uh93*K�XR�Ri2O
!��h�#$!�{�txMknIV*�MɪRdu�uui0ҙ�qҤ瘆tKdp$u
R"Kvr:F�4r����8�E=��!��xsSZߔJ-�֧}Ӻ�0.�iaRX�KN]��|I-cJ�Zo!d��!���h"@iIl|z:zO~ Z۔R/EKneɤ(aU*1$-.GR\(V�#�G�����; �M�LgUפK�ĆV;g�4?�u"Ѷ�"�R뷹�H��d��"�0X�D2�&(�P�ba77�nJPW�Ph{
zZ#g��]@q+@"T*J~�0�=$�I�ȷ)ǒxͭ_yI�H8VA̜k\KxA)OOOOO\/�"š\u;6%L/)�d�M|拸p,ӟJzT/ht<'eC:l'�[ Q�l^y��Z)|]�8�hj�
)�c6慌�!`N[5�s`>Qc�0vG5%^@�>�^hiK/�Ps}نsbNJ�F(&,qDGX�%_Eit9g27x�Rn �ΖKx�3
�O,绀˼|{'���#AlH/
@^*zɁ�H%�X\L|�|��k�I;^ 9ciҡ��x)��C��``@AB�oGdgoV7$�s9v�R:Vq�Ù/�S3*u����'�M� ��7t�5JoZ��OBɯnHu��F��?X*շb3�'j�VA2�[A1> ��{=��^!!p7�esj�L~x)�١t�djSO�h���h7����6<���DB@���gE���)5�!dK,4|k�ׅ%"5f0�sl2MΕ݈`n�flq{a=�%�$&á8T¡둘f�k ,�x�y� CDW>$>J�L�(K�E3O)r2H�Msj\v1t.z}!6Z�عe�,0�}P�B�
A(A!�JO{3\dDxfmjmʘxe{'�2oѷ6RƎ'H3q6Gm)�o >7�nsZ_9��J0�J0[�J�B57,�A:96:�.YAr͝�|!D'\^o�Fu5X�-7�c�m$P#?�w=rAWƵ^3XY֟r[B�*rB/+GGonz��S`)7�*DI[M�찆߽�=!٩LfDRsCa�
�
`|F0����V��VEQڲF.L RXv!m�Yޣ3.%{Uʲ���j6o}܃�[�y{�©Yj|ubM�$4F87?җg)⌱fne�OG�%se�fgI4�P�7�D�Гw5��z�towwv�{�Spms;��.5?} r
/үF# �V-NM�Ə/*`ѵ,k��pO��}L[\�bd=
Dw߁\<>E�f!i|Z�im˻�ޱiT1U�8;7�~�9�=ePS�,
x߸֊�[NiΞCc`@/� Zi?
I3�7|^c�O̟/!.'"}�?q�T�&ݦ�eƎX2l
;MQ�\?`#䷿T}dɷ1Vicg2Uȏ�S
QD7ڐ�̙xf��wޤR͏L:�_;���E��o!
<��5�nԅ=;t=~w ��Bɮ�O8���E�k)G>?G��KU6^�ۏo�S�
D�W\l�#!�B(,2��Fm�8hX8Ee~�r,zb�D�T�m�8ѭ^Dr�vWrBYm�2yzbb�f�iA i!Fv;�Kb+.J7;F$qhhk+j��k�v+��#,�F�[".Tj���D NE��7�"�wya�`<ĒAur_FPxQҼ��wZKC�Am.95͢E�(�tM��s950PUj~z?f�.HQ,:-~e=^^@FwS3
n �FT�J�9t{`�ɣ.�j"-b��JD:�N�x#-F5נ�:�9
��3#�mz^C�GJk&p��Vy
�k�+mLxc[8OH_q�=o7ݛ�A47:U�sÑ7��x
fE�8a���cym�q9U|F��"x��4�lSKaZG$~�TRU�1�s�Ic"�̦Ab�b_�ڡ<�ƌL]�#R-J*��YQ�+6�eutq��y:��Փ�\��O�u$ζ�y)�BXF<끴��BX*AE�L>�X~l �۳��O}�K[\Q`m2c�@1y�@g��+c-chkƱzKfB�7S�8X<�k_i�=� n5HlcvxxyَM톫57�n�Ot)6AP��ׯ0O�yX^O\�sʒ2?+L66�mYU 6g%=څ]`a~A��)h�@N4[MLXGm��A�"T75T>#�F_X�z#|�#$��&�Q{ZaK(`�Š�_i&f&3ZM5B\Xx�J�c=MOD
F�+P��S�C7��,6M$Ae�ȃ5T?�0мg
)V�5eAb+�Z�Akb��^<ҡ�M+qܑ4b,��T:�N R'�&
)a:$�.+JAW�d���k:ʳ/!S]Nz c>r*�~�ᜭ#+^�bʑf,�ѹtyWJ�3"�'0�枩`T1,�2)�k�M(q�i+8<4>|?_qN0%�
ၰ
�5"����fcϙ�F$E�{��0�0mݚ3by"k@�J,/u&~r\�Xj��
�!�1�gGi>'_1����Hm�(�e1vqY�@��y#��DL�͂zĂG�x|?Rjs#
9�[xyF���Lma`t��.t�fAиOnF?�|43�"kR.ɖàFUQtV#ߛ�i�3,ȏ]RKl��(�8�&c�Z9I�t!C�K/H�zNszqmdxnz~XSSeUQ`�!���b�JM*IhR�|:T\g�ޕa)豪��7)^
;�e,�=Mȕ@��Z��Tȑ1;}�^ni`�50 }a3B�}3�1l]\~!ǽK"Ǘ�>�]v/�998�oWj[urԻr=\\v�汉)�0y?kyl21^�
ΓQ�9>ou283ޢKs!Yx�9�K��x5�4
/�E�yx&�~x��#�U6üj��1o��(6V}�؊km8�Gj:ٙE/K�#C|E@?h
17mFQg p��!>EwN;G�;䚡IJ/N�O3?A_K(\_~�JmeQ>X_��;�GP~�s��?/?'vmgC�CL<�~Q�ʿ/?��A52�13��{3Y�~`g�?�<ˠ3ϳ�D�=��_e@IF?��gP~Q�{1?�s�w1=/=?��ː/�@���q�_d sA?}�?c}�?c�A�
�Z_�s�}]AUV9*c|W�]CuV9u�^C�_�]g_RIR�V�.pv%sQ^5�3\�y~�)�P�u(ϐg��3�V^�V`�{J1g+~�W�_} KN+ťW�*7YKKL3cn5:�v�ņ^_�s\�ȜHǣqaN@�B�0y4FUy�D��4k�{HO8ѭ�cc6H_,T϶{3[9!t�~Wuu;L_-'/T��3��l~;�Ф3!d .�`GN"C�a��yF˟4�`&�^_ϘSӞ߳xgG
�6{Ng1��^=.πxŶr.i�G㿄$l�M�0�}@�#ǹ~rhr�]��g�X+.Ġ/�>''4WB)*3U\&
i᪑C~ h$�-<%u@
k!%K`S�^0�PSF^D�mEҫT@��wl��^&(z��̸6�ΐ�R1t9�=��5p�tѷkd9HR�=�I�*4UMf�ِ�?�MznzB%6(ن��[v ӧRǞ,���`+/]�;��Q�7?
>,"���7eΌzLT zZ�=�v,8%^ IoFmc_V�`�ń�K�z>HYUҎ_ɛ?Bo�� /X�)Ns�'|omW\?��T@|
%G\6$DRw��}L�0~Nm�jV0s�? `�vwlښ�˖;3��
m+#8�4C���i3S}��@ }(
oF8�`y%K@����
�qSGg��p#��ƫ14�cVB\
(c�tA Q1?cm'nFQi#g¶54-���eѩ�&�oߩ�n^�Qa[_<�tc
bc,ۙB
ya1 g'{y�{~k�C'>f�ksx>Y�}�#s!?²L�jlf^^kti�(�aa�ɗvX�Vnw?&+==;T7 r9F˳��`b�hPlP�B5�Nb�j~�ۊX�#iQf�rYOJV>��ߺ"f/F ۰M�*i2�9J{) q�˕"m�xTɉ|Y;z[96Nw6ȄM
b7�;a�1Բ��^*��
|
Web Services, Web 2.0 & SOA 
