QAInspect
Security Throughout the Application Lifecycle
For IBM Rational Software Development Platform (SDP - ClearQuest and Functional Tester)

SPI Dynamics' QAInspect products enable QA professionals to incorporate fully automated Web application security testing into the overall test management process, without the need for specialized security knowledge and without the risk of slowing aggressive product release schedules. Now, IBM Rational Software Development Platform (SDP) users can conduct and manage both functional testing and security testing from a single platform.

Standardizing Security as Part of the Testing Process

With more than one million new Web applications being launched each month and successful hacker attacks in the news each week, application security is no longer an afterthought. Organizations now realize that security must be a priority during development. With an increased focus on application security, security and operations professionals are identifying security vulnerabilities in production Web applications. These vulnerabilities are usually traced to defects in the source code. Once vulnerabilities are discovered and traced to source code, security and operations professionals assign these defects back to development for remediation. As a result, development and quality assurance organizations are learning that Web application security vulnerabilities must be treated like any other software defect. QA professionals know they can save time and money by identifying these security defects early in the software lifecycle, long before Web applications are deployed in production environments. However, most quality assurance professionals are not security experts and are looking for tools to help them find and fix security defects within their existing process and tools.
A Lifecycle Approach

SPI Dynamics delivers a comprehensive solution which includes products and services that identify and remediate security vulnerabilities throughout the Web application lifecycle. Our solution fosters collaboration among developers, QA testers and security professionals. This approach significantly reduces the risk and expense typically associated with discovering vulnerabilities in production. By identifying vulnerabilities before applications are released to production and ensuring that no new vulnerabilities are introduced throughout the life of the application, trustworthy software becomes a reality. Start Secure. Stay Secure.™

Security Assurance Throughout the Application Lifecycle

QAInspect - Comprehensive Security Test Management

QAInspect applies the most innovative techniques to identify security defects from the hacker's perspective. QAInspect reports on those vulnerabilities with detailed security knowledge in a way that Quality Assurance professionals can understand, with a concise prioritized list of vulnerabilities and thorough vulnerability descriptions. Analysis results yield detailed information on the types of attacks possible, such as Cross-Site Scripting (XSS) or SQL Injection, as well as on compliance issues related to regulations like SOX, HIPAA and PCI.

[Figure: "Security, a requirement in the testing process". Software lifecycle phases shown: Plan, Requirements, Design, Code, Unit Test, QA/System Test, Product Release.]

Use QAInspect to find vulnerabilities in specific usage scenarios or pages during the initial QA process, prior to the entire application being ready for System Test. Once the entire application is ready for System Test, use QAInspect again to verify that existing vulnerabilities have been fixed and to ensure that no new ones have been introduced.

Overall Benefits

Secure, high-quality software: By incorporating security testing into the overall test management process, you can manage functional and security testing from a single platform.
This allows you to deliver quality applications on schedule at the lowest possible cost.

Ease of use: Only QAInspect completely integrates with IBM Rational SDP testing products to enable QA professionals to easily conduct and manage security testing in tandem with functional and performance testing.

Integrated defect reporting: Security defects are reported alongside functional defects in IBM Rational ClearQuest, allowing you to detect and eliminate security bugs during the development and QA phases of the application development lifecycle.

Concise prioritized vulnerabilities: All QAInspect products quickly find vulnerabilities and automatically prioritize them based on business risk.

Security expert knowledgebase: SPI Dynamics is recognized as the leading web application security company. Our security experts at SPI Labs find and capture all known security vulnerabilities and build that expertise directly into SecureBase, the leading knowledgebase of security vulnerabilities and best practices for fixing them. QAInspect's SmartUpdate feature automatically updates the product with the latest vulnerability checks from SPI Labs.

Comprehensive vulnerability reporting: All versions have comprehensive reports that provide detailed descriptions of security defects, including the potential business impact if the security defect is exploited, its possible severity, the remediation information necessary to resolve the defect, and references for additional research.

Supports regulatory compliance efforts: Both products can be used to track and report progress on security compliance for laws, regulations and best practices like Sarbanes-Oxley, HIPAA, PCI, OWASP and ISO 17799.

QAInspect - Application Security for Quality Assurance

Tight Integration with IBM Rational Software Development Platform (SDP)

QAInspect is tightly integrated with IBM Rational ClearQuest and Functional Tester, allowing QA professionals to analyze Web applications within their existing testing framework.
QAInspect Enterprise enables QA professionals to plan, configure, execute and manage automated Web application security testing from within the IBM Rational ClearQuest environment. This allows QA professionals to easily leverage existing IBM Rational ClearQuest features for their security tests. QAInspect Enterprise integrates with IBM Rational ClearQuest, allowing users to select QAInspect as a test type directly inside the ClearQuest user interface. A user can easily configure a security test using ClearQuest once the QAInspect test type is selected. QAInspect Enterprise finds and prioritizes the security vulnerabilities in an entire Web application during testing and presents detailed information and remediation advice about each vulnerability, all within the IBM Rational ClearQuest environment.

QAInspect - Application Security for Quality Assurance

System Requirements

Client Requirements (Rational ClearQuest):
Pentium 4, 1 GHz processor or higher
512 MB of memory
2 GB of free space preferred (150 MB required)
Windows XP with SP2 or Windows Server 2003 with SP1
Microsoft .NET 2.0 Framework
An active Internet connection

"The growing complexity of web application development and the increased focus on application security have created the need for an integrated security testing solution that spans the entire application lifecycle. Providing a platform to assist QA testing teams during the security defect removal process and before applications reach production offers significant ROI for our organization."
Edward Liebig, Chief Information Security Officer, Manulife USA

About SPI Dynamics

SPI Dynamics delivers a comprehensive suite of products and services that help to identify and remediate Web application and Web services security vulnerabilities found at key stages throughout the Web Application Lifecycle.
SPI Dynamics solutions enable security professionals, QA testers, and developers to work together to assess, analyze, and remediate Web applications and Web services for security vulnerabilities, and to verify compliance with over 20 security policies like SOX, HIPAA and PCI. The Company's unique approach of patent-pending Intelligent Engines™ technology, combined with the largest Web application security vulnerability knowledgebase in the industry, delivers unparalleled speed and accuracy. SPI Dynamics' research and development team, SPI Labs, is widely recognized as one of the world's leading authorities on Web application security and risk management. The Company has over 750 customers among Global 2000 enterprises, including over 70 U.S. Federal accounts, and has strategic partnerships with Microsoft, IBM, Mercury, CSC and Visa, with Visa investing in the Company in 2005. SPI Dynamics is privately held with headquarters in Atlanta, Georgia. For more information on Web application security, visit www.spidynamics.com or call 1.866.774.2700.

115 Perimeter Center Place, Suite 1100, Atlanta, GA 30346
Tel: 1.866.774.2700 | Fax: 678.781.4850 | Email: info@spidynamics.com
Copyright ©2006, SPI Dynamics Incorporated. All Rights Reserved. QIBM-080106