Web application security, never a simple task, is increasingly difficult to achieve in an Internet awash in irresponsibly applied Ajax and cross-site scripting (XSS) flaws. SPI Dynamics Inc. has designed its latest incarnation of Assessment Management Platform (AMP), version 3.0, with the Web 2.0 environment in mind.
"Web application security is evolving," said Jeff Morgan, AMP Product Manager at SPI Dynamics. Organizations are starting to move toward global teams, and more people -- such as QA professionals and developers -- are becoming part of the application security process. These and other security trends were integral to the development of AMP 3.0, a comprehensive, scalable security management tool.
AMP 3.0 has many advantages over its predecessor. Communication is easier and more secure, risk management better reflects the customer's priorities, and everything is further integrated into the software development life cycle (SDLC).
A customizable Web-based user interface (UI) allows users to interact with team members wherever they happen to be. And vulnerability reports can be created and delivered safely and efficiently, reaching team members across the globe. As outsourcing becomes a common practice, this feature takes on greater importance. Ensuring the security of these reports is crucial.
"The report becomes a liability," noted Morgan. In AMP 3.0, Web-based reports are stored in the database, the URL is sent to the appropriate people, and only those who are authorized may use the report -- login is required.
"We have very granular controls on who can see what," Morgan said. "Through the Web UI we've enforced that control. You won't be able to circumvent the system."
However, the UI allows authorized users to share a great deal of information. Each user can customize his UI, adding filters or tabs and creating groups. Users can collaborate with one another or assess results for themselves.
"It's not just about finding issues," Morgan added. "It's about talking to people who can fix the process. If they need to see the information...you can simply point them to the UI."
Communication between groups that don't necessarily speak the same language, such as security professionals and developers, is facilitated through the templates in AMP.
"The security professional can create the template nitty-gritty and provide a template for non-security professionals," Morgan said. The template is sent to the development team, which executes the scans. Bugs are caught in development, developers are free to do their jobs and the vulnerability scans contain the expertise of security professionals.
And the AMP architecture allows scans to be sent throughout the globe, crossing geographical boundaries and firewalls. Security professionals can access secure scan targets and AMP centers and complete work on the road.
AMP 3.0 has improved risk management through a proactive risk weighting system. "A site that's just a brochure shouldn't have the same weight as one that handles customer information," Morgan pointed out. The sites may have the same number of vulnerabilities but, depending on their overall risk to the company, their risk scores will be different. And when a company manages thousands of applications, the benefit may be substantial.
AMP 3.0 is built upon SPI Dynamics' Phoenix architecture, a system created to handle the rich applications of Web 2.0. SPI Dynamics' WebInspect and QAInspect are fully integrated with AMP 3.0. The dashboard feature allows for a great deal of configurability. If you'd like to display another defect tracking system, you can, Morgan said.
AMP 3.0 will ship March 15. Prices begin at $60,000. For more information, visit SPI Dynamics' Web site.