WebInspect 3.0 compensates for intrinsic Web application weaknesses

With the increased use of Web applications, businesses have had to peel back a layer in their perimeter defenses and give public network traffic access to internal applications. The result is a rise in network security problems, and an increase in the need to audit and thoroughly check publicly facing code for potential security vulnerabilities. Unfortunately, security expertise is in short supply.

WebInspect 3.0 from SPI Dynamics aims to fill that gap by automating the tasks necessary to perform security audits. WebInspect is a remote assessment tool, meaning that it performs its audits solely by means of the same HTTP calls to which an attacker would have access. Administrators can add custom checks to find problems that are specific to a particular application.

Setting WebInspect apart from similar tools available on the Internet is SecureBase, a database of more than 3,600 known security vulnerabilities and misconfiguration problems. This database is the heart of the WebInspect audit process. SecureBase is continually updated with new vulnerabilities. The tool updates its local copy of the database over the Internet as needed.

Overall, WebInspect gives organizations a simple, useful tool for building and operating secure Web services. The tool is easy to use and provides valuable feedback on Web-based system security. The information it presents on potential security problems is detailed, revealing not only which vulnerabilities exist but also how they work and how to protect against them. Beginning users need to remember, however, that the tool needs to be tuned against the system it's inspecting so that the information it returns is targeted and accurate.

Setting up WebInspect is simple with the installation wizard. Running the tool entails just selecting the Scan Wizard and entering the URL of the system to be tested.
The tool works by first cataloging the site, then testing it for the vulnerabilities in its database on the basis of the site's structure. For small sites, this happens fairly quickly, but large sites can take many hours to assess.

The user interface is intuitive and easy to use. As a security scan progresses, three panes show the important information WebInspect is finding. The Site pane displays the results of the scan, building an explorer tree of the Web site. The Summary pane displays alerts on the vulnerabilities that WebInspect has found so far, along with general information about the Web site. The Information pane displays details on whatever is selected in the Site or Summary pane.

When an alert is selected, the Information pane provides a detailed description of the vulnerability, how it is executed, and known fixes. Other panels in the Information pane allow the HTTP request and response to be explored, as well as showing a browser window with the result of the exploitation.

Once the scan is done, WebInspect produces a number of PDF reports ranging from detailed reports to executive summaries. A detailed report lists each suspect vulnerability in the system, along with in-depth information on how the attack works and how to guard against it. The reports can be customized with specific logos and other front-matter information.

In addition to scanning a single site, WebInspect provides options for scanning a range of IP addresses and a range of ports on those addresses. This is useful for identifying any Web servers running on those addresses, and any one of those can subsequently be scanned for vulnerabilities.

When people discuss Web services security, most of the discussion quickly turns to encryption and authentication. Most never stop to think that the biggest threat to security is the Web service itself. Many Web services expose the API of a legacy application, one that was never designed to run on anything but a trusted network.
To address this issue, another option in the Scan Wizard takes the URL of a WSDL file and tests the Web service described therein for security problems. WebInspect reads the WSDL file and performs a number of automatic audits, such as assessments of input and output parameters, the effects of malformed data, and common SOAP attacks, including some that allow arbitrary command execution.

Suitable for all audiences

WebInspect is aimed at four audiences. The first line of defense is the developers themselves. By customizing WebInspect and training developers in its use, a security expert can provide the development staff with a tool for testing their applications for security vulnerabilities. The second audience is the quality assurance team, which can use WebInspect to test a preproduction application before it is rolled out.

The third audience is the operations group, which can use WebInspect in scheduled security audits of production code. The tool provides some specific features for use as an operational audit tool, including the capability of running autonomously and of scaling back the tests' aggressiveness to prevent overwhelming the system being audited.

The final audience is security auditors who are called upon to verify the security of the company's networks and IT systems. A frequently overlooked problem is that security auditors, lacking a developer's knowledge of the application, can miss important security problems. A tool such as WebInspect catalogs the components and layout of the Web application, giving the security auditor a peek under the covers.

Accuracy requires expertise

As it should, WebInspect points out security vulnerabilities that might be present when it can't make a clean determination of their existence. An up-to-date vulnerability database such as SecureBase helps reduce the number of these false positives, but it can't eliminate them altogether.
WebInspect can also be customized for particular projects to reduce or eliminate false positives, but security experts need to help with this task before turning the tool over to developers and operations engineers. Eliminating false positives requires considerable understanding of a particular Web application and its environment, and then applying that understanding to guide the tool in its audit.

WebInspect is not a replacement for a real understanding of Web application security. Even so, as a tool for codifying and applying that knowledge, WebInspect provides real value to the overworked security expert who needs to spread the responsibility for Web application security to the development, testing, and operations staffs. Companies interested in securing their Web applications should require the use of WebInspect in their development activities and consider periodic audits of their production servers as well.

InfoWorld Scorecard: SPI Dynamics WebInspect 3.0

Criterion (weight)        Score
Reporting (20.0%)         8.0
Value (10.0%)             7.0
Ease of use (20.0%)       9.0
Security (15.0%)          7.0
Setup (20.0%)             8.0
Performance (15.0%)       8.0
Overall Score (100%)      8.0