Recognizing this architectural challenge, SPI Dynamics created Phoenix, a new Web application security architecture to analyze Web 2.0 applications and find previously undetectable Web flaws.
Erik Peterson, vice president of product management for SPI, said modern Web applications built from technologies such as AJAX, RSS and Flash combine client and server side processing and are therefore more complex.
SPI argues that current application scanners, including its current WebInspect portfolio, are built on dated architectures developed in 2000. Not surprisingly, they haven't kept up with the evolution of Web applications, so they don't find newer security vulnerabilities.
This leads to high false negative rates, meaning the flaws aren't being detected by the software and the IT auditor has no idea something is wrong until it's too late.
"AJAX exploded and changed how Web applications are built and deployed," Peterson said, explaining the need for Phoenix. Hackers evolve from hobbyists to professionals. It's a billion-dollar industry for these folks to be taking advantage of opportunities out there.
"The complete re-architecture of our product was necessary to keep at the forefront of where the Web was going. We feel like it's going to pay off for us in spades."
Phoenix will serve as the foundation of SPI's security software going forward, but the architecture has been employed first in WebInspect 7, the company's Web scanner.
WebInspect 7 assesses a Web service by discovering all XML input parameters and performing parameter manipulation on each XML field looking for vulnerabilities within the service.
The software exposes hidden application logic, revealing security flaws that could not be found through automated security testing.
Peterson said WebInspect 7 is distinct from other Web scanners because it includes simultaneous crawl and audit (SCA) and concurrent application scanning.
These tools make the scanner faster and more accurate and performing these tasks at the same time may cut flaw scan times in half or more. WebInspect 7 can also perform multiple concurrent scans to cover more ground on the Web and in the computer network.
Moreover, the software boasts new automated checkpoints to eliminate authentication issues for applications using two-factor authentication or CAPTCHA (completely automated public Turing test to tell computers and humans apart). WebInspect 7 can authenticate with secure Web applications and determine when re-authentication is required.
WebInspect 7, which SPI will begin selling Feb. 14, supports IPv6 (define), a major requirement for future computing.