Find, Fix and Protect with DevInspect

DevInspect™ simplifies security for developers by automatically finding and fixing application security defects and enabling developers to build secure Web applications and Web services quickly and easily, without impacting schedules or requiring security expertise.

Developing Secure Applications

With more than one million new Web applications being launched each month and successful hacker attacks in the news each week, application security is no longer an afterthought. Organizations now realize that security must be a priority during development.

With an increased focus on application security, operations and security professionals are identifying security vulnerabilities in Web applications in production. These vulnerabilities are usually traced to defects in the source code. Once vulnerabilities are discovered and traced to source code, security and operations professionals assign these defects back to development for remediation. As a result, developers are learning that Web application security vulnerabilities must be treated like any other software defect.

Development organizations know they can save time and money by identifying and correcting these security defects early in the development process -- long before Web applications are deployed in production environments. However, most developers are not security experts and are looking for tools to help them find and fix security defects.

A Lifecycle Approach

SPI Dynamics delivers a comprehensive solution which includes products and services that identify and remediate security vulnerabilities throughout the Web application lifecycle. Our solution fosters collaboration among developers, QA testers and security professionals. This approach significantly reduces the risk and expense typically associated with discovering vulnerabilities in production.
By identifying vulnerabilities before applications are released to production and ensuring that no new vulnerabilities are introduced throughout the life of the application, trustworthy software becomes a reality.

Start Secure. Stay Secure.™

Security Assurance Throughout the Application Lifecycle

DevInspect - Find and Fix Security Defects

Find, Fix and Protect

DevInspect accelerates the construction and delivery of secure Web applications and Web services by finding and fixing security vulnerabilities during the development process and then protecting applications after deployment. DevInspect applies the most innovative vulnerability analysis and remediation techniques available to pinpoint and correct security defects before they are released into production where they can expose your assets to serious threats.

DevInspect finds application vulnerabilities in Web applications and Web services through a comprehensive security assessment. DevInspect analyzes application security through an innovative hybrid analysis that combines the power of black box testing and static source code analysis.

Find Vulnerabilities with Unmatched Accuracy and Precision

SPI Dynamics' unique patent-pending Hybrid Analysis™ approach combines black box testing with source code analysis to reduce false positives and find more vulnerabilities during development. The source code analysis phase discovers the application's attack surface and identifies all inputs that could potentially be exploited. The black box testing phase uses the intelligence gleaned from the source code analysis to execute a series of attacks using automated hacking techniques that eliminate false positives and yield the actual exploitable security vulnerabilities in the application.

Automatically Fix Vulnerabilities with SecureObjects™

DevInspect is the only security product available that automatically fixes security defects.
DevInspect's SecureObjects security vulnerability remediation technology enables a developer to write secure code from the beginning and harden their applications against attack. SecureObjects automatically fixes security defects by pinpointing the vulnerable code and applying secure code to reduce the application's attack surface. Developers maintain total control of the fixes through the option to automatically correct their code using the secure coding library or by using the advice and examples to correct it themselves. SecureObjects also locks down Web application configuration settings to prevent attacks after deployment.

Protect Deployed Applications

SecureObjects continues protecting an application after deployment by detecting and preventing attacks. SecureObjects prevents malicious input from penetrating an application and recognizes attack patterns to actively detect and prevent successful hack attempts. Security event logging captures attempted attacks so that security and operations professionals can take action to protect assets. By applying SecureObjects, developers can prevent high risk Web application attacks in production, including SQL Injection, Cross Site Scripting (XSS), Buffer Overflows and Directory Traversal attacks.

Educate Developers by Sharing Knowledge and Data

DevInspect offers pre-packaged Web application security expertise. Developers improve their security expertise while securing their applications with DevInspect through SecureBase™, the leading knowledgebase of security vulnerabilities and best practices for fixing them. SPI Dynamics is the recognized leader in Web application security and our security experts at SPI Labs find and capture all known security vulnerabilities. DevInspect is the only developer security product that includes daily vulnerability check and description updates.

Visual Studio Integration

DevInspect features the deepest and most intuitive Visual Studio integration available in the security industry.
DevInspect is designed to fit naturally with the way a developer works every day so that secure development becomes as familiar as coding and unit testing. Developers can secure their application and improve their security expertise during any phase of development without ever leaving the Visual Studio IDE.

DevInspect - Overview

What DevInspect checks for
- Arbitrary Command Execution
- Authentication & Authorization Evasion
- Backdoor Inputs and Exposure
- Buffer Overflows
- Cross-Site Scripting
- Data Theft
- Directory Listing, Enumeration
- Extension Checking
- Identity Spoofing
- Insecure Configuration
- Malicious File Uploading
- One-Click Attacks
- Parameter Manipulation
- Session Hijacking
- SOAP Injection
- SQL Injection
- Unwanted File Disclosure
- XML Injection

DevInspect's SecureObjects vulnerability remediation technology identifies the vulnerability and automatically applies targeted fixes directly to the source code. Developers maintain total control over the security fixes through extended properties.

Accurate and precise security assessment technology
- Comprehensive security assessment of Web applications and Web services
- Combines black box testing and source code analysis, a unique Hybrid Analysis approach, for unmatched results confidence
- Analyzes security of application configuration
- Vulnerability risk ratings based on impact and probability
- Real-time security view of an application
- Daily vulnerability updates through SmartUpdate from expert security researchers at SPI Labs
- Find vulnerabilities exposed through third-party components
- Advanced script parsing and interpreting for JavaScript, VB Script, Flash

Flexible security analysis options
- Analyze entire application or individual pages
- Automated or step-mode scans
- Customizable security policies
- Supports creation of custom vulnerability checks
- Configurable scan options
- Complements Visual Studio code analysis

SecureObjects vulnerability remediation technology
- Pinpoints area of vulnerability in the application
- Automatically fixes vulnerable code
- Identifies and secures all application inputs, hidden and exposed
- Corrects insecure application configuration
- Fixes vulnerabilities exposed through third-party components
- Secure coding library for new development

Application self-defense
- Secure input validation combines white list and black list validation
- Detects and prevents several types of attacks, including SQL injection, Cross-site scripting, buffer overflow
- Security event logging informs operations through ASP.NET health monitoring when attacks are detected
- BruteProtector control protects from brute force attacks

Security education for developers
- Detailed vulnerability description and exploit information
- Share security data between developers
- In-depth vulnerability reporting

Visual Studio Integration
- Deeply integrated with Visual Studio 2005 and Visual Studio .NET 2003
- Specifically built for securing ASP.NET applications
- Supports C#, Visual Basic, HTML, XML, SOAP, WSDL, JavaScript, VB Script

DevInspect System Requirements
- 512 MB of RAM
- 150 MB required (2 GB of free disk space preferred)
- 1 GHz processor or better
- Microsoft .NET 2.0
- An active Internet connection (for updates)
- Internet Explorer 6.0
- Microsoft SQL Server Express SP1
- Microsoft Visual Studio™ 2005
- Windows XP Professional SP2, Windows Server 2003 Standard SP1

Simplified Security for Developers

Security vulnerabilities are like any other software defect once they leave development. DevInspect helps your organization save time and money by finding security defects early, fixing them quickly and preventing potential attacks in production.

Why DevInspect?

DevInspect is the only developer security product that offers these innovative capabilities.
- Finds security vulnerabilities through unique Hybrid Analysis technique that combines black box testing and source code analysis for unmatched accuracy and precision.
- Automatically fixes security vulnerabilities in application code and configuration with SecureObjects vulnerability remediation technology.
- Protects applications in production by preventing malicious input, detecting attacks in real time and informing operations teams of attack attempts.
- Daily updates of vulnerability checks and information from expert security researchers.

Key Benefits
- Dramatically reduce organizational risk with the most accurate and precise approach to Web application testing for developers on the market.
- Eliminate the time and expense associated with fixing security defects in applications that are already in production by catching them during development and fixing them quickly and easily.
- Improve communication and security awareness between development and security departments.
- Educate developers about security with minimal investment.

"Security at the application level is one of the greatest technical challenges facing IT organizations. Evolutionary technologies will not be embraced until security problems are solved. Security vulnerabilities must be viewed and treated as defects and applications must be built securely from the beginning. This translates to the need for a comprehensive plan for addressing security throughout the software development life cycle. Having security at the start is crucial. Having the proper processes along with the right technology is critical."
Theresa Lanowitz
Research Director, Gartner, Inc.

About SPI Dynamics

SPI Dynamics delivers a comprehensive suite of products and services that help to identify and remediate Web application and Web services security vulnerabilities found at key stages throughout the Web Application Lifecycle. SPI Dynamics solutions enable security professionals, QA testers, and developers to work together to assess, analyze, and remediate Web applications and Web services for security vulnerabilities, and verify compliance with over 20 security policies like SOX, HIPAA and PCI.
The Company's unique approach of patent-pending Intelligent Engines technology combined with the largest Web application security vulnerability knowledgebase in the industry delivers unparalleled speed and accuracy. SPI Dynamics' research and development team, SPI Labs, is widely recognized as one of the world's leading authorities on Web application security and risk management. The Company has over 750 customers among Global 2000 enterprises, including over 70 U.S. Federal accounts, and has strategic partnerships with Microsoft, IBM, Mercury, CSC and Visa, with Visa investing in the Company in 2005. SPI Dynamics is privately held with headquarters in Atlanta, Georgia.

For more information on Web application security, visit www.spidynamics.com or call (1.866) 774-2700.

115 Perimeter Center Place, Suite 1100, Atlanta, GA 30346
Tel: 1.866.774.2700 | Fax: 678.781.4850 | Email: info@spidynamics.com

Copyright ©2006, SPI Dynamics Incorporated. All Rights Reserved. D05-072406