WebInspect 6.0, like earlier versions, is designed to penetration-test custom-built web applications for common attack methods such as SQL injection and cross-site scripting.
The software attacks the application automatically, using a database of attacks, and can be supplemented by manual testing by SPI’s white-hats.
In 6.0, rather than simply running through a long database of attack signatures, the software is now smart enough to abandon lines of attack that its own earlier probes have shown to be ineffective.
For example, an attacker may try to inject malicious JavaScript through an HTML form. To do so, the JavaScript is usually wrapped in an HTML tag such as <script>, which begins with the less-than symbol that marks the opening of a tag.
In the new WebInspect, the software first checks whether the form has input validation that rejects the less-than symbol or its encoded equivalents. If that symbol is filtered by validation, every payload that depends on it can be dropped and whole avenues of attack abandoned.
While the savings may appear small at first glance, on complex web applications, there could be thousands of input fields to run thousands of tests against, and it soon adds up.
"We have one engagement right now where this web application has over one million pages," said SPI chief executive Brian Cohen. "We worked out that it would take 75 days to scan it for vulnerabilities. And that's just one scan."
A scan that would previously have taken three hours was reduced to 12 minutes in testing, chief technology officer Caleb Sima said.
SPI calls this functionality Intelligent Engines. The first one to be included in the software deals only with cross-site scripting attacks. Future updates will address other attack methods.
"We're embedding the way a hacker thinks into our products," Sima said. "We're modifying our attacks based on what works."
Sima said the technique can also cut false positives, which usually require manual review to eliminate and often run at 15% to 20% of results, to almost nothing.
Web application vulnerability testing is expected to be a growth market, with ever increasing numbers of applications being adapted for the browser, the rise of Ajax, and industry regulations.
The payment card industry's mandate that web applications be secured currently affects only the very largest card-accepting merchants, but it is expected to reach more companies in time. For this reason, Visa is an investor in SPI.