Two companies in the vulnerability detection business are teaming up to help organizations fight the scourge of Web application security holes.
Citadel Security Software said on Monday that its Hercules automated vulnerability remediation product will be integrated with SPI Dynamics' WebInspect Web application vulnerability assessment software.
The partnership enables Hercules to import and parse Web application vulnerability information output by WebInspect.
Once imported, the vulnerability information can be automatically linked to remediation signatures. Patches or other steps to remediate vulnerabilities can then be deployed from Hercules.
The combination of the two products clears up blind spots in each, according to Jack Doxey, vice president of marketing at Dallas-based Citadel.
Hercules interoperates with leading scanners by Internet Security Systems (ISS), eEye Digital Security, Qualys and others, but did not have a way to address security holes in the Web application layer.
At the same time, SPI's WebInspect excelled at spotting vulnerabilities at the application layer, but could not go the next step and deploy fixes for the vulnerabilities it found, Doxey said.
In addition to applying patches to vulnerable Web application servers and workstations, Hercules is capable of remediating problems through automated configuration changes, he said.
For example, many Web applications are deployed using default configurations that include extraneous files that could be used by attackers against the Web application server, according to Citadel CTO Carl Banzhof.
WebInspect would spot the unnecessary components and record them as a vulnerability. When imported to Hercules, that vulnerability information would then be linked to a remediation signature that automatically removed the files from the server in question.
Before deploying fixes, administrators working on Hercules can review the remediation signature for each vulnerability, drilling down to see the sequence of actions that will be taken to patch the security hole. In addition, administrators must approve each fix before it is deployed, Banzhof said.
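The import, link, review, approve and deploy workflow described above, as an added example that is not Citadel's or SPI Dynamics' code: it parses a constructed scanner report in a made-up XML layout (an assumption for the example; not WebInspect's real export format and not AVDL), links each finding to a remediation signature by its check name (the check names and signature catalogue are hypothetical), produces the action list an administrator would drill into, and executes only the findings that were explicitly approved against a throwaway directory that stands in for the web server.

```python
"""Toy scan-to-remediation pipeline (added example; not Citadel's or SPI's code)."""
import tempfile
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from pathlib import Path

# Constructed scanner export in a made-up XML layout. This is an assumption for
# the example; it is neither WebInspect's real export format nor AVDL.
SCAN_REPORT = """<?xml version="1.0"?>
<scan host="web01.example.internal">
  <finding id="F-1" check="default-sample-files" severity="medium">
    <path>/var/www/html/samples/test.cgi</path>
    <path>/var/www/html/printenv</path>
  </finding>
  <finding id="F-2" check="directory-listing" severity="low">
    <path>/var/www/html/uploads/</path>
  </finding>
  <finding id="F-3" check="unknown-check" severity="info"/>
</scan>
"""


@dataclass
class Finding:
    id: str
    check: str
    severity: str
    paths: list[str]


@dataclass
class Action:
    kind: str    # "remove_file" or "append_config"
    target: str  # file path for remove_file, directive text for append_config


def parse_report(xml_text: str) -> list[Finding]:
    """Import step: turn the scanner's XML into Finding records."""
    root = ET.fromstring(xml_text)
    return [Finding(f.get("id"), f.get("check"), f.get("severity"),
                    [p.text for p in f.findall("path")])
            for f in root.findall("finding")]


# Remediation signature catalogue keyed by scanner check name (hypothetical names).
SIGNATURES = {
    "default-sample-files": lambda f: [Action("remove_file", p) for p in f.paths],
    "directory-listing": lambda f: [Action("append_config", "Options -Indexes")],
}


def plan(findings: list[Finding]):
    """Link step: map each finding to its signature's action sequence.
    Findings with no signature are returned separately for manual handling."""
    planned, unmatched = [], []
    for f in findings:
        sig = SIGNATURES.get(f.check)
        if sig is None:
            unmatched.append(f)
        else:
            planned.append((f, sig(f)))
    return planned, unmatched


def describe(planned) -> dict[str, list[str]]:
    """Review step: the drill-down an administrator sees before approving."""
    return {f.id: [f"{a.kind} {a.target}" for a in actions] for f, actions in planned}


def apply(planned, approved_ids: set[str], root: Path, conf: Path):
    """Deploy step: run only the actions of findings an administrator approved.
    `root` is the managed server's filesystem root; `conf` its web server config."""
    done = []
    for f, actions in planned:
        if f.id not in approved_ids:
            continue
        for a in actions:
            if a.kind == "remove_file":
                target = (root / a.target.lstrip("/")).resolve()
                # Defensive check: never act on a path that escapes the managed root.
                if root.resolve() not in target.parents:
                    raise ValueError(f"refusing to touch {a.target}")
                if target.is_file():
                    target.unlink()
                    done.append(("removed", a.target))
            elif a.kind == "append_config":
                with conf.open("a") as fh:
                    fh.write(a.target + "\n")
                done.append(("config", a.target))
    return done


def demo(approved: set[str]) -> dict:
    """Build a throwaway server root with the sample files, run the pipeline, report."""
    root = Path(tempfile.mkdtemp())
    for rel in ("var/www/html/samples/test.cgi", "var/www/html/printenv"):
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text("sample")
    conf = root / "httpd.conf"
    conf.write_text("")
    planned, unmatched = plan(parse_report(SCAN_REPORT))
    done = apply(planned, approved, root, conf)
    web = root / "var/www/html"
    remaining = sorted(str(p.relative_to(web)) for p in web.rglob("*") if p.is_file())
    return {"review": describe(planned), "unmatched": [f.id for f in unmatched],
            "done": done, "remaining": remaining, "conf": conf.read_text()}


if __name__ == "__main__":
    print(demo({"F-1"}))
```

The point to take from the structure is that `describe` and `apply` are separate: nothing touches the server until a finding id appears in the approved set, and a finding whose check has no signature (F-3 here) is surfaced rather than silently skipped.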
The announcement from Citadel and SPI is just the latest from companies offering tools to tighten up the security of outward-facing and vulnerable Web applications.
Last week, application firewall company Sanctum Inc. unveiled a new version of its AppScan DE product for Java-based integrated development environments (IDEs).
That technology enables developers to test individual components of Web applications for security vulnerabilities, comparing compiled code against common types of Web application vulnerabilities.
At the same time, the standards group the Organization for the Advancement of Structured Information Standards (OASIS) said in May that it is working on an XML (Extensible Markup Language)-based standard for describing application security vulnerabilities, called Application Vulnerability Description Language (AVDL).
Both companies are members of the OASIS technical committee looking into AVDL and said Monday that they would contribute knowledge gained from the integration of their products to the AVDL committee.
Support for WebInspect will be available as a free upgrade for Hercules customers beginning in August, Doxey said.
For new customers, Hercules costs $995 per server managed and $125 per workstation managed, Doxey said.
The two companies have not yet decided on a plan to bundle the two products or to conduct joint marketing, he said.
In addition, Citadel was unable to provide a customer who was using the two products together.
The increasing number of software vulnerabilities and the quickening rate of discovery is driving development of comprehensive vulnerability remediation tools, according to Pete Lindstrom, an analyst with The Spire Group.
While vulnerability remediation technology is still in its infancy, the increasing complexity of network environments puts a premium on technology that can pull vulnerability discovery and remediation into a simplified, centralized and streamlined process, Lindstrom said.
Both SPI and Citadel stand to benefit as more enterprises look to bring vulnerability assessment and remediation technology in house, he said.