Rooting Out Web App Holes
Despite all the attention that security holes in various operating systems get, the most likely avenue for successfully compromising a corporate system is a poorly developed Web-based application. Its essential, therefore, for developers to find potential problems before deploying a Web application to a live site.
Thats where Web application penetration-testing products come in. These tools let developers perform exhaustive application scans to find known security holes or even poorly designed code that could potentially lead to a security breach.
These products are not solely limited to developer testing and QA (quality assurance). Penetration tools are regularly updated with new attack signatures to make sure that live applications arent susceptible to new security holes, so they canand shouldbe used on an ongoing basis to test Web applications that have already been deployed.
Two products that have long been in the Web application penetration-testing space have recently been updated: SPI Dynamics WebInspect and Watchfires AppScan. With the latest releasesversions 5.8 and 6.0, respectivelyboth products focus on increasing ease of use and cutting down on the frequency of false positives that often plague this type of product.
eWEEK Labs tested these products against several Web applications, including an internal portal server, an active blogging site, a commerce-oriented application and several sample test applications. The languages these applications were written in cover the gamut, from .Net to J2EE (Java 2 Platform, Enterprise Edition) to PHP to Python to AJAX.
We saw fewer false positives with the new versions of these products than with their older siblings, but there were still plenty. Most were related to the fact that neither product can tell what other security measures have been taken in the environment in which the application will run, such as system hardening, that can remove potential threats.
AppScan is priced at $15,000 per year. WebInspects pricing is based on the number of servers being tested, with perpetual licenses starting at $6,000 and perpetual user licenses starting at $30,000.
Click here to read the full review of Appscan 6.0.
Click here to read the full review of WebInspect 5.8.
Labs Director Jim Rapoza can be reached at email@example.com.
Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.