Saturday, June 19, 2021

SPI Lets ‘Phoenix’ Fly For Web Security

Mention Web application security to an IT administrator at most companies
and you may elicit a grimace. The growing tangle of dynamic Web 2.0
applications make it almost impossible for traditional bug scanners to catch
most Web vulnerabilities.

Recognizing this architectural challenge, SPI Dynamics created
Phoenix, a new Web application security architecture to analyze Web 2.0
applications and find previously undetectable Web flaws.

Erik Peterson, vice president of product management for SPI, said modern Web
applications built from technologies such as AJAX, RSS and Flash combine
client and server side processing and are therefore more complex.

SPI argues that current application scanners, including its current
WebInspect portfolio, are built on dated architectures developed in 2000.
Not surprisingly, they haven’t kept up with the evolution of Web
applications, so they don’t find newer security vulnerabilities.

This leads to high false negative rates, meaning the flaws aren’t being
detected by the software and the IT auditor has no idea something is wrong
until it’s too late.

“AJAX exploded and changed how Web applications are built and deployed,”
Peterson said, explaining the need for Phoenix. Hackers evolve from
hobbyists to professionals. It’s a billion-dollar industry for these folks
to be taking advantage of opportunities out there.

“The complete re-architecture of our product was necessary to keep at the
forefront of where the Web was going. We feel like it’s going to pay off
for us in spades.”

Phoenix will serve as the foundation of SPI’s security software going
forward, but the architecture has been employed first in WebInspect 7, the
company’s Web scanner.

WebInspect 7 assesses a Web service by discovering all XML input parameters
and performing parameter manipulation on each XML field looking for
vulnerabilities within the service.

The software exposes hidden application logic, revealing security flaws that
could not be found through automated security testing.

Peterson said WebInspect 7 is distinct from other Web scanners because it
includes simultaneous crawl and audit (SCA) and concurrent application
scanning.

These tools make the scanner faster and more accurate and performing these
tasks at the same time may cut flaw scan times in half or more. WebInspect 7
can also perform multiple concurrent scans to cover more ground on the Web
and in the computer network.

Moreover, the software boasts new automated checkpoints to eliminate
authentication issues for applications using two-factor authentication or
CAPTCHA (completely automated public Turing test to tell computers and
humans apart). WebInspect 7 can authenticate with secure Web applications
and determine when re-authentication is required.

WebInspect 7, which SPI will begin selling Feb. 14, supports IPv6
(define), a major requirement for future computing.

This article was first published on InternetNews.com. To read the full article, click here.

Similar articles

Latest Articles

3 AI Implementations That...

I was on a joint educational call for the World Talent Economic Economic forum on mobile computing this week. We drifted to topics that...

Survey of Site Reliability...

NEW YORK — Site reliability engineers (SREs) are warning of a looming scalability ceiling and saying the adoption of AIOps isn’t happening at a...

Druva Integrates sfApex to...

SUNNYVALE, Calif. — A maker of software for cloud data protection and management is helping companies safeguard essential customer data that their sales and...

Best Data Science Tools...

Data science has transformed our world. The ability to extract insights from enormous sets of structured and unstructured data has revolutionized numerous fields —...