SPI Dynamics untangles Web app security with remote assessment tool
WebInspect 3.0 compensates for intrinsic Web application weaknesses
With the increased use of Web applications, businesses have had to peel back a layer of their perimeter defenses and let public network traffic reach internal applications. The result is a larger attack surface exposed at the application layer, and a greater need to audit and thoroughly test publicly facing code for security vulnerabilities. Unfortunately, security expertise is in short supply.
WebInspect 3.0 from SPI Dynamics aims to fill that gap by automating the tasks necessary to perform security audits. WebInspect is a remote assessment tool, meaning that it performs its audits solely through the same HTTP requests an attacker could send: it needs no agent on the server and no access to source code. Administrators can add custom checks to find problems that are specific to a particular application.
Setting WebInspect apart from similar tools available on the Internet is SecureBase, a database of more than 3,600 known security vulnerabilities and misconfiguration problems. This database is the heart of the WebInspect audit process. SecureBase is continually updated with new vulnerabilities. The tool updates its local copy of the database over the Internet as needed.
Overall, WebInspect gives organizations a simple, useful tool for building and operating secure Web services. The tool is easy to use and provides valuable feedback on Web-based system security. The information it presents on potential security problems is detailed, revealing not only which vulnerabilities it suspects but also how they work and how to protect against them.
Beginning users need to remember, however, that the tool must be tuned to the system it is inspecting so that the information it returns is targeted and accurate. An untuned scan reports every suspect finding, and each one still has to be confirmed or dismissed by hand.
Setting up WebInspect is simple with the installation wizard. Running the tool entails just selecting the Scan Wizard and entering the URL of the system to be tested.
The tool works in two stages: it first crawls the site, cataloging every page it can reach by following links, and then tests those pages for the vulnerabilities in its database, choosing checks on the basis of the site's structure. For small sites this happens fairly quickly, but large sites can take many hours to assess.
The user interface is intuitive and easy to use. As a security scan progresses, the three panes show important information WebInspect is finding. The Site pane displays the results of the scan, building an explorer tree of the Web site. The Summary pane displays alerts on the vulnerabilities that WebInspect has found so far, along with general information about the Web site. The Information pane displays details on whatever is selected in the Site or Summary pane.
When an alert is selected, the Information pane provides a detailed description of the vulnerability, how it is executed, and known fixes. Other panels in the Information pane allow the HTTP request and response to be explored, as well as showing a browser window with the result of the exploitation.
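To make the crawl-then-audit model concrete, here is an added example of the two-stage process described above, with the request and response evidence kept for each alert as the Information pane does. It is illustrative code written for this review, not SPI Dynamics' or WebInspect's own code; the host target.example, its pages and the two checks are assumptions, and the HTTP transport is a constructed stand-in so the example runs offline.

```python
"""Crawl-then-audit scanner skeleton (added example, not WebInspect code).

Stage 1 catalogs the site by following links from the start URL; stage 2 runs
every check in a pluggable list against each cataloged page and keeps the exact
request and response fragment behind each alert, which is what a reviewer needs
to confirm or dismiss a finding.  The transport is injectable; the one below is
a constructed stand-in so the example runs offline.
"""
import re
from dataclasses import dataclass
from urllib.parse import parse_qs, urlencode, urljoin, urlparse


@dataclass
class Alert:
    check: str      # name of the check that fired
    url: str        # cataloged page the finding belongs to
    request: str    # request that triggered it (re-send this to reproduce)
    evidence: str   # response fragment that supports the finding


def fake_transport(url):
    """Constructed stand-in for an HTTP GET, returning (status, headers, body).
    Hypothetical host: /products.asp echoes its id parameter back unencoded,
    and /backup/ has directory listing enabled."""
    parsed = urlparse(url)
    params = parse_qs(parsed.query)
    headers = {"Server": "Apache/1.3.27"}
    if parsed.path == "/":
        return 200, headers, ('<a href="/products.asp?id=1">Products</a> '
                              '<a href="/backup/">backup</a> '
                              '<a href="/about.html">About</a>')
    if parsed.path == "/products.asp":
        pid = params.get("id", [""])[0]
        return 200, headers, f"<html>Product {pid}</html>"   # unencoded reflection
    if parsed.path == "/backup/":
        return 200, headers, "<html><title>Index of /backup</title><pre>site.zip</pre></html>"
    if parsed.path == "/about.html":
        return 200, headers, "<html>About us</html>"
    return 404, headers, "not found"


def crawl(start, transport, limit=500):
    """Stage 1: breadth-first catalog of same-host pages -> {url: (status, headers, body)}."""
    host = urlparse(start).netloc
    queue, catalog = [start], {}
    while queue and len(catalog) < limit:
        url = queue.pop(0)
        if url in catalog:
            continue
        status, headers, body = transport(url)
        catalog[url] = (status, headers, body)
        for href in re.findall(r'href="([^"]+)"', body):
            link = urljoin(url, href)
            if urlparse(link).netloc == host and link not in catalog:
                queue.append(link)
    return catalog


def check_directory_listing(url, status, headers, body, transport):
    """Flag pages that render a server-generated directory index."""
    if status == 200 and "<title>Index of /" in body:
        return [Alert("directory-listing", url, f"GET {url}", "<title>Index of /")]
    return []


def check_reflected_input(url, status, headers, body, transport):
    """Resend each query parameter with a marker containing '<' and '>'; if it
    comes back verbatim, the page reflects input without output encoding."""
    alerts = []
    parsed = urlparse(url)
    for name in parse_qs(parsed.query):
        marker = f"wi<probe>{name}"
        probe = parsed._replace(query=urlencode({name: marker})).geturl()
        _, _, probe_body = transport(probe)
        if marker in probe_body:
            alerts.append(Alert("reflected-input", url, f"GET {probe}", marker))
    return alerts


# Application-specific custom checks are added by extending this list.
DEFAULT_CHECKS = [check_directory_listing, check_reflected_input]


def audit(catalog, checks, transport):
    """Stage 2: run every check against every cataloged page."""
    alerts = []
    for url, (status, headers, body) in catalog.items():
        for check in checks:
            alerts.extend(check(url, status, headers, body, transport))
    return alerts


def scan(start, transport=fake_transport, checks=DEFAULT_CHECKS):
    return audit(crawl(start, transport), checks, transport)


if __name__ == "__main__":
    for a in scan("http://target.example/"):
        print(f"[{a.check}] {a.url}\n   request:  {a.request}\n   evidence: {a.evidence}")
```

Swapping `fake_transport` for a real GET turns this into a live scanner; the point to keep is that a check returns the probe request that produced the evidence, so each suspect finding can be replayed and verified rather than taken on faith.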
Once the scan is done, WebInspect produces a number of PDF reports ranging from detailed to executive summaries. A detailed report lists each suspect vulnerability in the system, along with in-depth information on how the attack works and how to guard against it. The reports can be customized with specific logos and other front piece information.
In addition to scanning a single site, WebInspect provides options for scanning a range of IP addresses and a range of ports on those addresses. This is useful for identifying any Web servers running on those addresses, and any one of those servers can subsequently be scanned for vulnerabilities.
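The discovery step works like this, as an added example written for this review rather than WebInspect's own code: walk every address in a range, try the usual Web ports, and keep the ones that answer with an HTTP status line. The address block 192.0.2.0/29, the port list and the Server banners are assumptions; the probe is injectable, and the constructed one used below answers for two hosts so the example runs offline. Run the real probe only against addresses you are authorized to assess.

```python
"""Find Web servers across an IP range and port list (added example).

http_probe opens a TCP socket, sends a HEAD request and looks for an HTTP status
line; fake_probe is a constructed stand-in so the example runs without a network.
"""
import ipaddress
import socket

PORTS = (80, 443, 8080, 8443)   # assumed port list; extend as needed


def http_probe(ip, port, timeout=2.0):
    """Return the Server header ('' if absent) when ip:port speaks plain HTTP,
    else None.  A TLS-only port answers the plaintext request with a handshake
    error rather than HTTP, so it comes back None and needs a TLS-aware probe."""
    try:
        with socket.create_connection((ip, port), timeout=timeout) as s:
            s.sendall(b"HEAD / HTTP/1.0\r\nHost: " + ip.encode() + b"\r\n\r\n")
            data = s.recv(1024)
    except OSError:
        return None
    if not data.startswith(b"HTTP/"):
        return None
    for line in data.split(b"\r\n")[1:]:
        if line.lower().startswith(b"server:"):
            return line.split(b":", 1)[1].strip().decode(errors="replace")
    return ""


def discover(network, ports=PORTS, probe=http_probe):
    """Return [(ip, port, server_banner)] for every host:port that answered HTTP."""
    found = []
    for ip in ipaddress.ip_network(network).hosts():
        for port in ports:
            banner = probe(str(ip), port)
            if banner is not None:
                found.append((str(ip), port, banner))
    return found


def fake_probe(ip, port):
    """Constructed stand-in for http_probe: two hosts in 192.0.2.0/29 run Web
    servers, one of them with no Server header at all."""
    table = {("192.0.2.2", 80): "Apache/1.3.27", ("192.0.2.5", 8080): ""}
    return table.get((ip, port))


if __name__ == "__main__":
    for ip, port, banner in discover("192.0.2.0/29", probe=fake_probe):
        print(f"web server at http://{ip}:{port}/  Server: {banner or '(none)'}")
```

Each (ip, port) pair this returns is a start URL for a full site scan. Note the empty-banner case: a server that strips its Server header is still a Web server, so the probe distinguishes "answered HTTP with no banner" from "did not answer HTTP" rather than collapsing both to a missing value.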