While WebInspect includes new features and improved wizards to boost the usability of the product, it still works in a fairly classic penetration-testing mode and retains more of a developer orientation than some of its rivals. And if you want developer-targeted features, that's a good thing, as WebInspect includes plenty of advanced customization capabilities through user-built scripts and custom SOAP (Simple Object Access Protocol) services.
Like most products in its class, WebInspect works by crawling through a Web application and auditing the code it finds for potential security problems. In Version 5.8, the wizards for starting a scan have been designed to accommodate both novice users who want to quickly start a scan and more advanced users who want to do a lot of upfront customization to a scan.
In general, we appreciated that we could now start a scan without having to click through too many wizard screens and that we could test a Web service simply by loading the WSDL (Web Services Description Language) file. As is usual with this type of product, we also could record a manual crawl through the application instead of or in addition to an automated crawl.
One welcome new feature in the advanced scan settings is the ability to define specific parameters under which a scan should be stopped or paused. This will be useful for when an application being tested has crashed or isn't responding properly. For example, we could simply define a timeout response threshold under which the scan would stop.
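To make the stop/pause idea concrete, here is an added illustration (not WebInspect's code, and not from the review) of how a crawler can watch its own responses and decide when to pause or stop rather than keep hammering an application that has crashed. The thresholds, the `Response`/`ScanGuard` names and the constructed response sequences are all assumptions for the example; a real scanner would feed it live HTTP results.

```python
from collections import deque
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Response:
    """One observed response. status is None when the request timed out."""
    status: Optional[int]
    elapsed_ms: int


@dataclass
class ScanGuard:
    """Decides after every response whether a crawl should continue, pause or stop.

    Illustrative policy (assumed for this example, not a product's actual settings):
      - stop   once N consecutive requests time out: the target is almost certainly down
      - pause  once N consecutive 5xx responses arrive: the app is erroring, let an operator look
      - pause  when more than a given fraction of the recent window timed out
    """
    timeout_ms: int = 10_000
    max_consecutive_timeouts: int = 5
    max_consecutive_5xx: int = 10
    window: int = 20
    pause_timeout_ratio: float = 0.5
    _recent: deque = field(init=False, repr=False)
    _consecutive_timeouts: int = field(init=False, default=0)
    _consecutive_5xx: int = field(init=False, default=0)

    def __post_init__(self) -> None:
        # Sliding window of booleans: True where the request timed out
        self._recent = deque(maxlen=self.window)

    def record(self, resp: Response) -> str:
        """Record one response and return 'continue', 'pause' or 'stop'."""
        timed_out = resp.status is None or resp.elapsed_ms >= self.timeout_ms
        server_error = resp.status is not None and 500 <= resp.status < 600

        self._recent.append(timed_out)
        self._consecutive_timeouts = self._consecutive_timeouts + 1 if timed_out else 0
        self._consecutive_5xx = self._consecutive_5xx + 1 if server_error else 0

        if self._consecutive_timeouts >= self.max_consecutive_timeouts:
            return "stop"
        if self._consecutive_5xx >= self.max_consecutive_5xx:
            return "pause"
        if len(self._recent) == self.window:
            ratio = sum(self._recent) / self.window
            if ratio > self.pause_timeout_ratio:
                return "pause"
        return "continue"


def run_scan(guard: ScanGuard, responses: List[Response]) -> Tuple[str, Optional[int]]:
    """Feed responses to the guard in order.

    Returns (decision, index) for the first 'pause' or 'stop', or ('continue', None)
    if every response was accepted and the scan ran to completion.
    """
    for i, resp in enumerate(responses):
        decision = guard.record(resp)
        if decision != "continue":
            return decision, i
    return "continue", None


# Constructed sample sequences (not captured from any real scan):
HEALTHY = [Response(200, 120)] * 30
CRASHED = [Response(200, 120)] * 10 + [Response(None, 10_000)] * 5
ERRORING = [Response(500, 50)] * 10
FLAKY = ([Response(None, 10_000)] * 3 + [Response(200, 150)]) * 5


if __name__ == "__main__":
    for name, seq in (("healthy", HEALTHY), ("crashed", CRASHED),
                      ("erroring", ERRORING), ("flaky", FLAKY)):
        print(name, run_scan(ScanGuard(), seq))
```

The `crashed` sequence stops at the fifth consecutive timeout, `erroring` pauses after ten straight 5xx responses, and `flaky` never trips the consecutive-timeout rule but pauses once the 20-response window is more than half timeouts; a healthy run completes. Separating "pause" (operator should look) from "stop" (target is gone) mirrors the review's point that both outcomes are useful.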
The interface for viewing the results of a scan and the initial round of potential problems was generally good, although it wasn't as easy as we would have liked to parse through the results. However, we could quickly remove potential false positives simply by removing whole groups that we knew weren't applicable.
The reporting options were very good overall, with a decent set of canned report templates and the expected collection of prebuilt reports, such as executive summary, QA and vulnerability details. Other nice options include aggregate reports and trending.
WebInspect also can identify a wide variety of compliance standards and outputs reports that illustrate how well an application meets them.
Evaluation Shortlist: Related Products
Cenzic's Hailstorm: This eWEEK Labs Analyst's Choice winner has exceptional automated testing capabilities (www.cenzic.com)
SPI Dynamics' WebInspect: Provides customization features that are well-suited for developers but still friendly enough for novices (www.spidynamics.com)
Watchfire's AppScan: The latest version greatly improves usability and fix recommendations (www.watchfire.com)
Labs Director Jim Rapoza can be reached at [email protected].
Check out eWEEK.com for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzer's Weblog.