SPI Dynamics revamps Web application security management tool

By Jennette Mullaney, Assistant Editor
13 Mar 2007 | SearchSoftwareQuality.com

Web application security, never a simple task, is increasingly difficult to achieve in an Internet awash in irresponsibly applied Ajax and cross-site scripting (XSS) flaws. SPI Dynamics Inc. has designed the latest incarnation of its Assessment Management Platform (AMP), version 3.0, with the Web 2.0 environment in mind.

"Web application security is evolving," said Jeff Morgan, AMP Product Manager at SPI Dynamics. Organizations are starting to move toward global teams, and more people -- such as QA professionals and developers -- are becoming part of the application security process. These and other security trends were integral to the development of AMP 3.0, a comprehensive, scalable security management tool.

AMP 3.0 has many advantages over its predecessor. Communication is easier and more secure, risk management better reflects the customer's priorities, and everything is further integrated into the software development life cycle (SDLC).

A customizable Web-based user interface (UI) allows users to interact with team members wherever they happen to be. And vulnerability reports can be created and delivered safely and efficiently, reaching team members across the globe. As outsourcing becomes a common practice, this feature takes on greater importance. Ensuring the security of these reports is crucial.

"The report becomes a liability," noted Morgan. In AMP 3.0, Web-based reports are stored in the database, the URL is sent to the appropriate people, and only those who are authorized may use the report -- login is required.

"We have very granular controls on who can see what," Morgan said. "Through the Web UI we've enforced that control. You won't be able to circumvent the system."

However, the UI allows authorized users to share a great deal of information. Each user can customize his UI, adding filters or tabs and creating groups. Users can collaborate with one another or assess results for themselves.

"It's not just about finding issues," Morgan added. "It's about talking to people who can fix the process. If they need to see the information...you can simply point them to the UI."

Communication between groups that don't necessarily speak the same language, such as security professionals and developers, is facilitated through the templates in AMP.

"The security professional can create the template nitty-gritty and provide a template for non-security professionals," Morgan said. The template is sent to the development team, which executes the scans. Bugs are caught in development, developers are free to do their jobs and the vulnerability scans contain the expertise of security professionals.

And AMP architecture allows scans to be sent throughout the globe, crossing geographical boundaries and firewalls. Security professionals can access secure scan targets and AMP centers and complete work on the road.

AMP 3.0 has improved risk management through a proactive risk weighting system. "A site that's just a brochure shouldn't have the same weight as one that handles customer information," Morgan pointed out. The sites may have the same number of vulnerabilities but, depending on their overall risk to the company, their risk score will be different. And when a company manages thousands of applications, the benefit may be substantial.

AMP 3.0 is built upon SPI Dynamics' Phoenix architecture, a system created to handle the rich applications of Web 2.0. SPI Dynamics' WebInspect and QAInspect are fully integrated with AMP 3.0. The dashboard feature allows for a great deal of configurability. If you'd like to display another defect tracking system you can, Morgan said.

AMP 3.0 will ship March 15. Prices begin at $60,000. For more information, visit SPI Dynamics' Web site.


