The Web applications vulnerability testing market is about to get a little more crowded, as both Core Security and Qualys are entering the space with strategies to integrate the tools into their existing products and services.
On Tuesday, Core announced that it has added Web applications penetration testing to the latest version of Impact, its automated network and internal security scanning package.
Executives with Qualys, which markets hosted network vulnerability testing services, confirmed to InfoWorld that the company plans to begin offering its own Web applications scanning capabilities sometime during the first quarter of 2008.
In both cases, company leaders cited strong synergies with their existing business models and recent industry consolidation as drivers for jumping into the Web applications security segment.
Earlier this year, two of the largest players in the niche, Watchfire and SPI Dynamics, were acquired by IBM and HP, respectively.
And while both Watchfire and SPI continue to market their Web applications scanning technologies as their new parents integrate the tools into their larger software development platforms, executives with Core and Qualys contend that they have an opportunity to cash in on pent-up demand.
In Core Impact version 7.5, the company has added the ability for customers to search for security holes in Web applications and servers, and any databases sitting behind those systems, via SQL injection and remote file inclusion attack techniques.
The company said the new functions will be tightly integrated with the product's traditional features, which are used to probe for weaknesses in customers' external network defenses or internal employee security practices and launch proof-of-concept attacks that demonstrate how network or user-based vulnerabilities might be exploited by real attackers.
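To make concrete what an automated Web application probe of the kind described above actually does, here is an added example that is not Core's code and not part of the original article. It stands up a constructed in-memory SQLite table (a stand-in for the database behind a Web application), exposes the same lookup two ways (string concatenation versus a bound parameter), and runs three classic SQL injection probe families against each: error-based, boolean-based blind, and a union-based proof of concept that pulls a column the page never shows. The function and payload names are illustrative assumptions; remote file inclusion is not modelled here.

```python
import sqlite3

# Constructed in-memory database standing in for the database behind a Web application.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, secret TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "alice", "s3cr3t"), (2, "bob", "hunter2")])
    return conn

def lookup_vulnerable(conn, name):
    """Builds the query by string concatenation: the flaw an SQLi probe finds."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()

def lookup_hardened(conn, name):
    """Bound parameter: user input can never change the structure of the query."""
    return conn.execute("SELECT name FROM users WHERE name = ?", (name,)).fetchall()

def probe_sqli(handler, baseline="alice"):
    """Run three probe families against a lookup handler; return a list of findings.

    Each finding is a (technique, evidence) pair. A hardened handler yields [].
    """
    conn = make_db()
    findings = []
    base = handler(conn, baseline)  # normal response, used as the reference

    # 1. Error-based: a stray quote breaks the query only when the input is
    #    spliced into SQL text. The hardened handler just finds no such user.
    try:
        handler(conn, baseline + "'")
    except sqlite3.Error as exc:
        findings.append(("error-based", str(exc)))

    # 2. Boolean-based (blind): a true tautology must reproduce the baseline
    #    response while a false one must change it. Sending both rules out an
    #    application that simply ignores the parameter.
    true_resp = handler(conn, baseline + "' AND '1'='1")
    false_resp = handler(conn, baseline + "' AND '1'='2")
    if true_resp == base and false_resp != base:
        findings.append(("boolean-based", "AND '1'='1 vs AND '1'='2"))

    # 3. Union-based: the proof-of-concept step, extracting the secret column.
    #    The trailing -- comments out the application's closing quote.
    rows = handler(conn, "x' UNION ALL SELECT secret FROM users--")
    leaked = [r[0] for r in rows]
    if leaked and set(leaked) != {r[0] for r in base}:
        findings.append(("union-based", leaked))
    return findings

if __name__ == "__main__":
    for label, handler in (("vulnerable", lookup_vulnerable), ("hardened", lookup_hardened)):
        print(label, probe_sqli(handler))
```

Run stand-alone, the vulnerable handler produces all three findings (including the leaked secrets), while the parameterised handler produces none: the same three payloads that differentiate a concatenated query are inert once the value travels as a bound parameter. Real scanners add timing-based and out-of-band variants and work over HTTP rather than a local function call, but the differential logic is the same.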
Extending Impact to include Web applications testing is a natural fit for a number of reasons, said Core Chief Executive Paul Paget.
"When we talk to customers today, they understand the process of crawling sites and fuzzing applications for weaknesses. But we can also give them the ability to auto-generate SQL injections and remote inclusion injections on the fly," said Paget. "The capability to create an exploit as we're carrying out penetration testing is a huge differentiator compared to what is out there. Once we compromise a server, we can plant our agent in the system and go deeper inside the network to illustrate just what real attackers would do."
Qualys CEO Philippe Courtot said his company's move into Web applications testing is a similarly natural evolution, both in terms of blending the capabilities into the vendor's existing network vulnerability scanning tools and in delivering the tests via its hosted software-as-a-service (SaaS) delivery model.
While IBM and HP are integrating their newly acquired vulnerability scanning technologies into their respective software platforms -- and thereby pushing developers to carry out additional testing before moving applications into production -- Courtot contends that the network security professionals already using Qualys' vulnerability testing services are actively looking for more tools to scan Web-based programs.