Group test: Penetration and vulnerability testing

Julian Ashbourn reviews products capable of probing the network defenses of anything from a major e-commerce operation to a mom-and-pop grocery store.

www.scmagazine.com

Like a security guard checking the locks on the entrances to a building, penetration testing should be done by the security professional in order to make sure that the network is safe and secure and as free from potentially damaging flaws as possible. In terms of penetration and vulnerability testing you should recognize that any testing relates to the infrastructure in place at the time. If new software or components are introduced, the test becomes outdated and should be repeated. You should take a strategic view of this and conduct regular testing using your own in-house personnel, or use trusted third parties with proven expertise in penetration and vulnerability testing. We shall look at products that help in this task and find out which tools are right for the job.

WebInspect

Supplier: SPI Dynamics
Price: Developer versions from $795 per seat, other versions from $4,000
Contact: www.spidynamics.com

The depth in which websites and web services are assessed by WebInspect, and its clarity of vulnerability descriptions and suggested fixes, is impressive. This is a great tool for those responsible for enterprise-level websites and web services.

WebInspect manages to be powerful and useful while remaining intuitive and easy to use. This is important, as busy administrators want things up and running fast but also want custom configuration as they become more experienced. Users will benefit from the built-in policy templates and powerful scanning while they learn how best to shape the tool to their own requirements.

It starts with the Scan Wizard, which allows you to choose between a web assessment (as in a website URL), an enterprise assessment (via a range of IP addresses), or a web service assessment (via assessment of the WSDL file). Next you may choose a comprehensive scan to map out a site's tree structure for later analysis, or a step mode approach which follows you as you manually navigate the site.

An intuitive GUI shows vulnerabilities as they are discovered (in summary terms). It also provides an in-depth appraisal of each instance via the Information Pane, where there is a detailed description of the vulnerability in question with a recommended fix. The depth of this information varies according to the vulnerability found, but it is often extensive. You can view the HTTP request and response, details of methods used, and more. The database of vulnerabilities is kept current via the Smart Update feature, and there is a Policy Manager where policies may be edited or created from scratch and agents can be created. You can also intuitively create virtually any report you can think of with a few mouse clicks. The reports are attractively formatted and easy to read.

WebInspect is well considered. Everything is where you expect it to be and everything works. A powerful tool for evaluating websites and web-based applications and services.

Julian Ashbourn

SC Magazine rating: Features, Ease of use, Performance, Documentation, Support, Value for money, Overall rating (the rating marks for each category are not present in the extracted text).
FOR: Ease of use, depth of scanning.
AGAINST: Very little.
VERDICT: A powerful tool for evaluating websites and web-based applications and services.

SPI Dynamics, 115 Perimeter Center Place N.E., Suite 270, Atlanta, GA 30346
PHONE: (678) 781-4800
FAX: (678) 781-4850
WEB: www.spidynamics.com
EMAIL: sales@spidynamics.com
FREE TRIAL OFFER: Test your web applications for vulnerabilities. Download a free trial of WebInspect at www.spidynamics.com/download.html.

SC MAGAZINE June 2004
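The review describes a scanner's first step as mapping out a site's tree structure and recording the HTTP request and response for every page it visits. The following is an added illustration of that crawl-and-map phase and is not WebInspect's code or SPI Dynamics' code: it is a small same-origin crawler written in Python for this article. The site it walks (the SAMPLE_SITE dictionary under the constructed host www.example.test) is made up and served from memory, so nothing on the network is touched; the fetch() function stands in for an HTTP GET. The crawler records, per URL, the request line, the response status and any forms discovered, which is the kind of per-page evidence a tester later reviews in a scanner's information pane.

```python
from collections import deque
from html.parser import HTMLParser
from urllib.parse import urldefrag, urljoin, urlsplit

# Constructed sample site for this example (not a real host): path -> (status, HTML body).
BASE = "http://www.example.test"
SAMPLE_SITE = {
    "/": (200, '<html><body><a href="/about">About</a> '
               '<a href="/login?next=/">Login</a> '
               '<a href="http://other.example/x">External</a></body></html>'),
    "/about": (200, '<html><body><a href="/">Home</a> <a href="/about#team">Team</a> '
                    '<a href="/careers">Jobs</a></body></html>'),
    "/login?next=/": (200, '<html><body><form action="/login" method="post">'
                           '<input name="user"><input name="pass" type="password">'
                           '</form></body></html>'),
}


class LinkExtractor(HTMLParser):
    """Collects anchor targets and form (method, action) pairs from one HTML page."""

    def __init__(self):
        super().__init__()
        self.links = []
        self.forms = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.append(a["href"])
        elif tag == "form":
            self.forms.append((a.get("method", "get").upper(), a.get("action", "")))


def fetch(url):
    """Stand-in for an HTTP GET: looks the page up in SAMPLE_SITE instead of connecting."""
    parts = urlsplit(url)
    key = parts.path or "/"
    if parts.query:
        key += "?" + parts.query
    return SAMPLE_SITE.get(key, (404, "<html><body>Not found</body></html>"))


def crawl(start, max_pages=100):
    """Breadth-first same-origin crawl.

    Returns (tree, log): tree maps each visited URL to the sorted list of same-origin
    URLs it links to; log maps each visited URL to the request line, response status
    and forms found on it. Fragments are dropped so /about#team and /about are one node,
    and links to other hosts are never followed.
    """
    origin = urlsplit(start).netloc
    queue = deque([start])
    seen = {start}
    tree, log = {}, {}
    while queue and len(tree) < max_pages:
        url = queue.popleft()
        status, body = fetch(url)
        parser = LinkExtractor()
        parser.feed(body)
        children = []
        for href in parser.links:
            child, _fragment = urldefrag(urljoin(url, href))
            if urlsplit(child).netloc != origin:
                continue  # stay in scope: the scan covers one origin only
            children.append(child)
            if child not in seen:
                seen.add(child)
                queue.append(child)
        tree[url] = sorted(set(children))
        log[url] = {
            "request": "GET " + (urlsplit(url).path or "/"),
            "status": status,
            "forms": [(method, urljoin(url, action)) for method, action in parser.forms],
        }
    return tree, log


if __name__ == "__main__":
    site_tree, page_log = crawl(BASE + "/")
    for page, kids in site_tree.items():
        print(page, "->", kids, "|", page_log[page])
```

Run as a script, it prints four nodes: the home page, /about, the login page (whose POST form to /login is recorded) and /careers, which the sample site does not define and therefore returns a 404 that the log keeps. The external link on the home page is discovered but never visited, which is the scope rule a scanner needs so that an assessment of one site does not wander onto hosts the tester has no authorisation for.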