You can't secure what you don't acknowledge.SM

Wednesday, April 1, 2009

WebInspect - the Mac Daddy Web app scanner?

I've recently covered two of my favorite, yet lesser-known, Web vulnerability scanners: Acunetix Web Vulnerability Scanner and N-Stalker Web Application Security Scanner. Two worthy products indeed. Now I'd like to shed some light on HP's WebInspect.

I've been using WebInspect since before testing Web sites/apps was cool. In fact, WebInspect was one of the original commercial Web scanners. It may have even been the first. Anyway, I started a relationship with the folks at S.P.I. Dynamics back in 2001 when I was working for a B2B marketplace startup. What a great bunch of people to know and work with. Many of those folks have jumped ship since they were acquired by HP. :|

The good news is that the acquisition has not bastardized the product like I assumed it might when I first heard about HP coming into the picture. [sidenote]I used to work for HP and it was a great company so I had some confidence that they'd do the right thing...but you never know what the corporate monster's next move is.[/sidenote]

Anyway, without going into too much detail, I've found that WebInspect consistently finds the key Web vulnerabilities you need to know about. It's not going to find everything - no scanner does, as I talked about here. But it does tend to find vulnerabilities that no other tool - or manual analysis - can find. Well, except for a few here and there that slide by. This is why I've reached a point in my career where I'm realizing that using multiple tools can be your security saving grace.

WebInspect also has a good toolset that they used to charge extra for, but it's now bundled in. The following screenshot shows the basic interface of WebInspect 7 (which has since been "fixed" in WebInspect 8, just released today) along with the toolset:


I'm not at a point at the moment to show you their latest incarnation of WebInspect - version 8 - but I'll see if I can't show some screenshots in a follow-up posting. I will say that I've been pleased to see what they've done with it. I'm loving the interface. Also, WebInspect can now perform static analysis on Flash and has *much* improved reporting (which has been kind of a pain up to this point). They've also improved the macro recording and JavaScript handling, which should help speed up the security scan process - two other sticking points with the product for me in the past.

WebInspect is not without its flaws or shortcomings... No security testing tool is perfect. Probably the biggest gripe I have about it is the Web Brute password cracking tool. I'm still waiting for it to live up to its name (it's a dictionary cracking tool - not a brute-force tool as the name implies). Makes you appreciate what HooBie accomplished with Brutus "way" back in 1998! As with any product (or relationship, for that matter), the wise adult learns to live with it and stays focused on the positive side of things. :-)

That said, if you're looking for a leader in the Web security scanner space and can justify the investment, definitely check out WebInspect.

2 comments:

  1. Hey Kevin, nice write-up. If you're going to be out at RSA, give me a shout.
    Caleb