Product roundup: New tools to ensure application security

Over the past month, several application security products have been announced. Here's a roundup of some of those new tools, including Parasoft's Jtest 8.0, SIFT's Web Method Search tool and WiKID 2.1.1.

Parasoft releases Jtest 8.0

Parasoft Corp. announced the availability of a new release of Parasoft Jtest, a Java code analysis and unit-testing solution.

Jtest 8.0 features several industry-first testing technologies that help teams automatically verify the functionality of complex, constantly changing enterprise systems (Java EE, SOA/Web Services), reducing the risk of system downtime and security vulnerabilities and thereby improving customer satisfaction. At the same time, teams can find more bugs with their existing resources, increasing productivity while staying within budget.

New in Jtest 8 is Bug Detective. By automatically tracing and simulating execution paths, Bug Detective exposes runtime bugs that would be difficult and time-consuming to find through manual testing or inspections. With Bug Detective, users can now find, diagnose and fix classes of software errors that evade coding-standards analysis and unit testing.

In addition, Jtest 8 includes a new code review module that helps automate the review process to facilitate code review participation and communication, and consequently make code reviews more productive and practical for organizations. The module allows users to define and manage distribution lists and groupings for code review notifications and routings. This Code Review module will benefit distributed development teams who cannot logistically participate in physical code review sessions.

------------------------------------------------------------------

SIFT announces Web services testing tool

SIFT recently published a world-first tool for identifying rogue Web methods. The Web Method Search tool is a Windows-based application that uses a hybrid dictionary attack to find unpublished administrative and other Web services functions.

The product can be used to brute force the Web method names for a given Web service under certain circumstances. That is, SOAP requests can be submitted to a Web service using probable combinations of words to allow the identification of hidden Web methods not published in the corresponding WSDL document. This is possible because responses to requests for non-existent Web methods and Web methods that exist differ markedly under most platforms, the company said.

For more information and to download the tool, visit SIFT's Web site.
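The behaviour the SIFT description relies on, a marked difference between the response to an existing Web method and the response to a non-existent one, is also what lets a defender spot a dictionary-driven search in the server's own logs. The following is an added example, not code from SIFT's tool; it assumes a constructed Apache LogFormat that records the SOAPAction request header and that the service answers unknown methods with a SOAP fault carried on HTTP 500 (SOAP 1.1 behaviour).

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (not from the article). Assumed Apache LogFormat:
#   "%h %t \"%r\" %>s %b \"%{SOAPAction}i\""   (SOAPAction request header logged last)
SAMPLE_LOG = """\
203.0.113.7 [10/Oct/2006:13:55:01 +0000] "POST /ws/Orders HTTP/1.1" 200 812 "urn:Orders#GetOrder"
198.51.100.9 [10/Oct/2006:13:55:02 +0000] "POST /ws/Orders HTTP/1.1" 500 455 "urn:Orders#admin"
198.51.100.9 [10/Oct/2006:13:55:02 +0000] "POST /ws/Orders HTTP/1.1" 500 455 "urn:Orders#adminLogin"
198.51.100.9 [10/Oct/2006:13:55:03 +0000] "POST /ws/Orders HTTP/1.1" 500 455 "urn:Orders#deleteUser"
198.51.100.9 [10/Oct/2006:13:55:03 +0000] "POST /ws/Orders HTTP/1.1" 500 455 "urn:Orders#getConfig"
198.51.100.9 [10/Oct/2006:13:55:04 +0000] "POST /ws/Orders HTTP/1.1" 200 812 "urn:Orders#GetOrder"
203.0.113.7 [10/Oct/2006:13:55:05 +0000] "POST /ws/Orders HTTP/1.1" 500 455 "urn:Orders#GetOrdr"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<action>[^"]*)"$'
)

def parse(log_text):
    """Yield (client_ip, http_status, method_name) for each well-formed line.
    The method name is the part of SOAPAction after '#'; lines that do not fit
    the expected format are skipped rather than crashing the monitor."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        action = m.group("action")
        method = action.rsplit("#", 1)[-1] if action else ""
        yield m.group("ip"), int(m.group("status")), method

def find_enumerators(log_text, threshold=3):
    """Return {client_ip: sorted list of rejected method names} for clients that
    called at least `threshold` distinct Web methods the service answered with a
    SOAP fault (HTTP 500 under SOAP 1.1). One mistyped method name is routine;
    many distinct rejected names from one client is the footprint of a
    dictionary-driven search for unpublished methods."""
    rejected = defaultdict(set)
    for ip, status, method in parse(log_text):
        if status == 500 and method:
            rejected[ip].add(method)
    return {ip: sorted(names) for ip, names in rejected.items() if len(names) >= threshold}

if __name__ == "__main__":
    for ip, names in find_enumerators(SAMPLE_LOG).items():
        print(f"{ip}: {len(names)} unpublished Web method names probed: {', '.join(names)}")
```

The threshold is deliberately low for the short sample; on a real log it should be tuned to the service's normal fault rate and applied per time window.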

------------------------------------------------------------------

WiKID 2.1.1 released

WiKID Systems Inc. has released version 2.1.1 of its open source two-factor authentication system.

WiKID is a software-based two-factor authentication system that uses public-key encryption and a PIN to identify a user. New in this release is a host/mutual authentication mechanism for SSL-based Web sites.

As part of this release, the company is also releasing the following under the General Public License:

  • ASP code for end-user self-validation. New users can provision their own WiKID token clients based on trusted LAN credentials, in this case Active Directory credentials. The code can easily be modified for other types of credentials.
  • The WiKID Citrix Web Interface plug-in. If you're using Citrix Web Interface for remote access, now you can add two-factor authentication quickly and easily.
  • The wAuth COM object and Java component. Network clients talk to the WiKID server using an SSL-encrypted protocol -- wAuth. These objects can be used to integrate WiKID into any application.
  • The J2SE WiKID token client. The token client is responsible for key generation, domain management and one-time password requests. It can run on your PC, a suitable PDA or on a device such as a USB token.

You may download WiKID 2.1.1 from the Sourceforge project page.

------------------------------------------------------------------

Security Compass announces free source code analysis tool

Security Compass recently announced Securitycompass Web Application Analysis Tool (SWAAT), a free, static Web application source code analysis tool.

Currently a beta release, this .Net command-line tool searches source code written in Java and JSP, ASP.Net and PHP for potential vulnerabilities. It uses XML-based signature files to search for common functions and expressions that may lead to exploits.

SWAAT helps to reduce the burden of source code review by identifying potentially dangerous functions and strings in code and explaining both how they may be dangerous and how to mitigate potential risks, the company said.

You may download SWAAT from Security Compass' Web site.
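To make the signature-driven scan described above concrete, here is an added example that is not SWAAT's own code or signature schema: a constructed XML signature file pairs a regular expression for a dangerous call with the risk explanation and mitigation that get reported on each hit, and the scanner applies only the signatures for a file's language.

```python
import os
import re
import xml.etree.ElementTree as ET

# Constructed signature file in a hypothetical schema (SWAAT's own format is not shown in the
# article): each entry pairs a regex with the risk text and mitigation reported on a hit.
SIGNATURES_XML = """\
<signatures>
  <signature lang="php" id="php-mysql-query" severity="medium">
    <pattern>\\bmysql_query\\s*\\(.*\\$_(GET|POST|REQUEST|COOKIE)</pattern>
    <risk>Request data concatenated into a query string enables SQL injection.</risk>
    <mitigation>Use prepared statements with bound parameters.</mitigation>
  </signature>
  <signature lang="java" id="java-runtime-exec" severity="high">
    <pattern>Runtime\\.getRuntime\\(\\)\\.exec\\s*\\(</pattern>
    <risk>Runtime.exec() with attacker-influenced arguments allows command injection.</risk>
    <mitigation>Avoid shelling out; otherwise pass a fixed argv array and validate inputs.</mitigation>
  </signature>
</signatures>
"""

EXT_TO_LANG = {".php": "php", ".java": "java", ".jsp": "java"}

def load_signatures(xml_text):
    """Parse the signature XML into dicts holding a compiled regex plus the report text."""
    return [{"id": n.get("id"), "lang": n.get("lang"), "severity": n.get("severity"),
             "regex": re.compile(n.findtext("pattern")),
             "risk": n.findtext("risk").strip(), "mitigation": n.findtext("mitigation").strip()}
            for n in ET.fromstring(xml_text).findall("signature")]

def scan_source(filename, source, sigs):
    """Return one finding per (line, signature) match, applying only the signatures
    for the file's language as inferred from its extension."""
    lang = EXT_TO_LANG.get(os.path.splitext(filename)[1].lower())
    return [{"file": filename, "line": no, "id": s["id"], "severity": s["severity"],
             "risk": s["risk"], "mitigation": s["mitigation"]}
            for no, line in enumerate(source.splitlines(), 1)
            for s in sigs if s["lang"] == lang and s["regex"].search(line)]

# Constructed sample sources to scan (deliberately unsafe snippets).
SAMPLE_FILES = {
    "login.php": "<?php\n$r = mysql_query(\"SELECT * FROM u WHERE n='\" . $_POST['n'] . \"'\");\n",
    "Ping.java": "public class Ping {\n  void run(String h) throws Exception {\n    Runtime.getRuntime().exec(\"ping \" + h);\n  }\n}\n",
}

if __name__ == "__main__":
    sigs = load_signatures(SIGNATURES_XML)
    for name, src in SAMPLE_FILES.items():
        for f in scan_source(name, src, sigs):
            print(f"{f['file']}:{f['line']} [{f['severity']}] {f['id']}: {f['risk']} Fix: {f['mitigation']}")
```

Line-oriented regex matching of this kind flags candidates for review rather than confirmed bugs; a call whose argument is built on an earlier line is missed, and a safely parameterised call can still trip the pattern.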

------------------------------------------------------------------

JUMPERZ.NET releases manual Web application testing tool

JUMPERZ.NET has released Doorman@JUMPERZ.NET, a local HTTP/HTTPS proxy server with a graphical user interface for manual Web application testing.

Doorman@JUMPERZ.NET is written in Java and published as open source. You can use it to intercept and modify HTTP requests and responses using breaks (breakpoints), and using filters you can ignore certain traffic -- such as images.

You may download Doorman@JUMPERZ.NET from the company's Web site.

------------------------------------------------------------------

InterScout Web forensics tool released as freeware

Secure Science Corp. has been working on a Web forensics tool for investigating Apache and other Web logs (it works mainly on *nix systems).

InterScout 1.0 is a free Web log analytics tool that acts as a Web log file analyzer as well as a real-time Web-based IDS specific to online fraud monitoring on Web servers.

InterScout 1.0.1 features the following:

  • Real-time email alert notification
  • Customizable scripted actions on alert notification
  • Pre-emptive detection of many phishing techniques
  • Customized signature development specific to your environment
  • Real-time and file-based Web log monitoring
  • Specifically designed to monitor online fraud against your servers

You can download the tool from the company's Web site.
