Sanctum, SPI Offer Upgraded Web Security Assessment Tools
May 1, 2002

Web applications are emerging as a significant security hole, as more hackers learn simple techniques that enable them to break into enterprise networks via public Web sites.

Techniques such as SQL injection and cross-site scripting are now well-known methods of gaining unauthorized access to servers that may lead to valuable corporate data, or to embarrassing Web site defacements.

Combating the problem means finding and repairing the vulnerabilities in Web application code that permit such hacks to be successful. Two vendors, Sanctum and SPI Dynamics, have released new versions of their products that help customers do just that.

Sanctum this week delivered AppScan 3.0, its Web application vulnerability scanning tool. Among the enhancements in the new version are new graphical navigation and set-up features that include a session map and help tips intended to make it easy for new users to employ the product, says Dianne Fraiman, vice president of marketing at Sanctum, based in Santa Clara, Calif.

AppScan 3.0 also now runs on Windows 2000, whereas previous versions ran only on Linux. That makes it easier for developers to work with the tool at any stage of the application lifecycle.

New features at various stages of the scanning process include a collaborative scan utility that allows users to distribute workloads, based on factors such as skills, time and resources required. Scanning performance has been improved 400% over version 2.5, Fraiman says, through improvements to AppScan algorithms.

The reporting facility has also been improved, with the ability to filter on the various vulnerabilities AppScan finds and customize reports to the user's needs. Users can also now view the specific HTML pages involved in an attack before and after the attack was launched, to compare the differences.

SPI, meanwhile, announced WebInspect 2.0, which is essentially the first publicly available version of its application vulnerability scanner, says Caleb Sima, the founder and chief technology officer of the Atlanta-based company.

Sima touts WebInspect as an "intelligent scanner" that "thinks like a hacker." If the tool finds that a vulnerability discloses source code, it will exploit that vulnerability and continually follow links through the site, all the while creating a log of the vulnerabilities it finds and where they lead. Exploiting the vulnerabilities it finds is the only way to determine which ones are truly sensitive in nature, Sima says.

For example, the product may find and try to exploit a robots.txt file, which is commonly used to tell Web crawlers not to crawl certain pages and is also often exploited by hackers. "But if it doesn't contain a link to something of a sensitive nature, it's not a vulnerability," Sima says.
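The robots.txt triage Sima describes, written from the site owner's side as an added example (not the article's or either vendor's code): it parses a robots.txt body and flags Disallow entries that point at admin, backup, credential or internal paths, so those entries can be reviewed before anyone else reads them. The pattern list and the sample file are constructed for illustration.

```python
import re

# Constructed heuristics: path fragments that commonly denote sensitive areas.
SENSITIVE_PATTERNS = {
    "admin": re.compile(r"/(admin|manage|console)\b", re.I),
    "backup": re.compile(r"\.(bak|old|orig|sql|zip|tar|gz)$|/backup", re.I),
    "credentials": re.compile(r"(passw|secret|\.env|\.git)", re.I),
    "internal": re.compile(r"/(internal|private|staging|test)\b", re.I),
}

# Constructed sample robots.txt; one harmless entry and three worth reviewing.
SAMPLE_ROBOTS = """\
User-agent: *
Disallow: /search        # harmless: keeps crawlers off a dynamic page
Disallow: /admin/
Disallow: /backup/site-2002.sql
Allow: /public/

User-agent: Googlebot
Disallow: /staging/
"""


def parse_robots(text):
    """Return (user_agent, directive, path) tuples; comments are ignored.

    Consecutive User-agent lines form one group; a User-agent line that
    follows rule lines starts a new group.
    """
    rules, agents, in_rules = [], [], False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, value = (s.strip() for s in line.split(":", 1))
        key = key.lower()
        if key == "user-agent":
            if in_rules:
                agents, in_rules = [], False
            agents.append(value)
        elif key in ("disallow", "allow"):
            in_rules = True
            if value:  # an empty Disallow means "nothing disallowed"
                rules.extend((a, key, value) for a in agents or ["*"])
    return rules


def audit_robots(text):
    """List (path, category) for Disallow paths matching a sensitive pattern."""
    findings, seen = [], set()
    for _agent, directive, path in parse_robots(text):
        if directive != "disallow" or path in seen:
            continue
        seen.add(path)
        for category, pattern in SENSITIVE_PATTERNS.items():
            if pattern.search(path):
                findings.append((path, category))
                break
    return findings
```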

WebInspect also takes contextual data from the site and tries to use it in an exploit. In trying a brute force attack on a username/password field, for example, it may try combinations that incorporate the name of the site in some fashion, as hackers routinely do.

Another differentiator, he says, is that users can check for new signatures and update the product on the fly, even while a scan is underway. Its interface also makes the product easy for novices to use but enables highly skilled users to drill down for more functionality.

SPI has been in business for about two years, Sima says, and WebInspect first debuted about 18 months ago, mainly as a beta version. Version 2.0 is its first enterprise-ready offering.

WebInspect is priced at $4,995 per server. Sanctum's AppScan starts at $15,000.
