Rooting Out Web App Holes

Review: Web application penetration-testing tool veterans WebInspect and AppScan show they still have the right security stuff.

Despite all the attention that security holes in various operating systems get, the most likely avenue for successfully compromising a corporate system is a poorly developed Web-based application. Its essential, therefore, for developers to find potential problems before deploying a Web application to a live site.

Thats where Web application penetration-testing products come in. These tools let developers perform exhaustive application scans to find known security holes or even poorly designed code that could potentially lead to a security breach.

/zimages/3/28571.gifThe effects of domain hijacking can linger. Click here to read more.

These products are not solely limited to developer testing and QA (quality assurance). Penetration tools are regularly updated with new attack signatures to make sure that live applications arent susceptible to new security holes, so they can—and should—be used on an ongoing basis to test Web applications that have already been deployed.

Two products that have long been in the Web application penetration-testing space have recently been updated: SPI Dynamics WebInspect and Watchfires AppScan. With the latest releases—versions 5.8 and 6.0, respectively—both products focus on increasing ease of use and cutting down on the frequency of false positives that often plague this type of product.

With WebInspect 5.8, which was released in January, SPI Dynamics has improved scan management and includes features specifically for testing AJAX (Asynchronous JavaScript and XML)-based applications. AppScan 6.0, released in December, is a fairly major overhaul of the product, with a completely redesigned interface and improved remediation tools and capabilities.

eWEEK Labs tested these products against several Web applications, including an internal portal server, an active blogging site, a commerce-oriented application and several sample test applications. The languages these applications were written in cover the gamut, from .Net to J2EE (Java 2 Platform, Enterprise Edition) to PHP to Python to AJAX.

We saw fewer false positives with the new versions of these products than with their older siblings, but there were still plenty. Most were related to the fact that neither product can tell what other security measures have been taken in the environment in which the application will run, such as system hardening, that can remove potential threats.

AppScan is priced at $15,000 per year. WebInspects pricing is based on the number of servers being tested, with perpetual licenses starting at $6,000 and perpetual user licenses starting at $30,000.

More information and trial version downloads are available at and

/zimages/3/28571.gifClick here to read the full review of Appscan 6.0.

/zimages/3/28571.gifClick here to read the full review of WebInspect 5.8.

Labs Director Jim Rapoza can be reached at

/zimages/3/28571.gifCheck out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Security Center Editor Larry Seltzers Weblog.