The Web application security market is maturing, and more companies are looking for tools to help them better secure their software. SPI Dynamics responded to that need this week with the announcement of two new products -- WebInspect 6.0 and DevInspect 2005.
More than that, Sima added, people now want tools that produce fewer false positives and give more accurate results. WebInspect 6.0 delivers that, he said. A Web application security assessment product, WebInspect 6.0 uses a newly developed Intelligent Engine to better determine a Web site's vulnerabilities.
"Today's scanning approaches are slow, produce a lot of false positives and are static. The tools send hundreds of attacks at an application to see if there are vulnerabilities and you get an overwhelming list of possibilities," Sima said. "With WebInspect 6.0, we're not hitting the site with hundreds of attacks. We have embedded intelligent engines and assess Web sites as a hacker would."
WebInspect 6.0 can send a custom attack based on what it learns about each Web application's behavior. It's a more intelligent way of using the database, Sima said.
To prove how fast and accurate WebInspect 6.0 is, Sima said the product reduced testing time from three hours to 12 minutes. Additionally, so far SPI Labs has yet to see any false positives in their XSS Intelligent Engine tests. "With more than 70 sites scanned, the new technology virtually eliminates false positives," he said.
DevInspect 2005 provides hybrid analysis
In terms of code analysis, SPI Dynamics has raised the bar with its hybrid analysis product -- DevInspect 2005. This application security tool combines source code analysis and black box testing in one product.
"It is the first and only tool that combines black box testing and source code analysis," Sima said. "With it you get more accurate results and a better assessment of vulnerabilities."
DevInspect can do that because by combining source code and dynamic analysis, it covers the entire attack surface of the application to accurately target remediation actions. Not only do you get results faster, but DevInspect prioritizes them for you so you know which to address first, Sima said.
The product further helps developers by telling them where the vulnerabilites are in the code and providing the correct code to rectify the problem.
"DevInspect has Secure Objects to help them do that," Sima said. "It has instant remediation capabilities. You can click the fix button, and it will show you the bad code and the repaired code. Click another button and the old code is repaired."
Sima said DevInspect is the only security software product to facilitate life cycle collaboration between development and operations. Operations teams benefit when their development teams use it and its Secure Objects technology to test and validate their applications in development.
DevInspect also has a self-defense mechanism. It supplements automated security monitoring by providing real-time information about application security events to operations teams by preventing and monitoring attack attempts.
"You can actually see as an attacker is doing something and send an alert or kick the person out immediately," Sima said. "This is the way applications should work."