Monday, June 18, 2007

Web application security test software reviews

Jordan Wiens is writing a series of "rolling reviews" on web application security testing software. First up on his plate is SPI Dynamics' WebInspect. You can find the full article here. He points out a high false positive rate, and that it had real issues with Ajax - neither of which surprises me. Any analyst who has been doing system vulnerability scans knows that false positives were (and at times still are) a fact of life - seeing them come up with web applications isn't a real surprise. In many ways, web application security testing feels like vulnerability scanning did a few years ago.

I'll be interested to see what direction the rest of the reviews take - most of the big names in web penetration and security testing still do a lot of manual work to inspect applications. In a business environment, particularly a budget-, skill-, and time-constrained one, that may not work well.

Those limitations make the availability - and the accuracy and depth of tools like WebInspect - absolutely critical to custom application development processes. More and more organizations are adding security scans and testing into their development cycle.

One of my current goals is to find a way to easily put a good testing tool into the hands of the developers I work with. I'd like to see them able to take a good first pass at their own applications before running them past security for review - system administrators already have the ability to run vulnerability scans against their new servers and workstations, and that model has been helpful and is worth repeating.

Is that a complete solution to web application security? Definitely not. Will it put us in a better place than we were before we added testing to the development lifecycle? Definitely.
