WebInspect™
Security Throughout the Application Lifecycle

WebInspect™ is the most accurate and comprehensive automated Web application and Web services vulnerability assessment solution available today. With WebInspect, security professionals and compliance auditors can analyze the numerous Web applications and Web services in their environment quickly and easily. WebInspect combines Intelligent Engines™ technology with frequent vulnerability updates for unmatched accuracy and speed.

A Threat You Cannot Ignore

Now, more than ever before, Web applications are a critical part of your business. Your employees, customers and partners prefer to do business online and trust that their transactions are secure. Your organization may have carefully protected its perimeter with intrusion detection systems and firewalls, but your firewalls have to keep Ports 80 and 443 (SSL) open in order to facilitate online business. These ports are an open door to hackers who have figured out thousands of ways to penetrate your Web applications and steal sensitive data.

A Lifecycle Approach

SPI Dynamics delivers a comprehensive solution which includes products and services that identify and remediate security vulnerabilities throughout the Web application lifecycle. Our solution fosters collaboration among developers, QA testers and security professionals. This approach significantly reduces the risk and expense typically associated with discovering vulnerabilities in production. By identifying vulnerabilities before applications are released to production and ensuring that no new vulnerabilities are introduced throughout the life of the application, trustworthy software becomes a reality.

Start Secure. Stay Secure.™
Security Assurance Throughout the Application Lifecycle

WebInspect - Overview

Sophisticated Scanning

- Web application and Web services assessments
- Multiple scan modes and scan settings to fit your environment
- Intelligent Engines technology reduces false positives and speeds up scanning
- Configurable scans include settings for handling complex Web sites
- Recursive crawling improves end results by feeding assessment data back into the scan as it is running
- SecureBase™, the industry's most comprehensive assessment database
- Interactive scans via easy-to-use wizard-driven interface

Cutting-edge Technology

- Integrated SPI Toolkit provides a complete set of specialized analysis tools
- Scriptable capture enables repeatability by recording tests
- Industry-standard AVDL support
- SDK and Wizard for development of custom checks
- Extensible API enables easy 3rd party integration
- Support for AJAX-based Web applications

While WebInspect's scan is in progress you can watch and interact via the sophisticated client interface. You can stop the scan to investigate an issue or drill down into a specific area while the scan continues.

Detailed Reporting and Compliance

- High-level management reports
- Detailed reports for development and quality assurance
- Comprehensive reports for compliance with most major regulatory standards
- Trend analysis and security readiness reporting

What We Check For

SPI Dynamics assessment technology is one of the most comprehensive and accurate on the market. WebInspect checks for all of the following vulnerabilities.
- Parameter Injection
- Command Execution
- SQL Injection
- Cross-Site Scripting
- Directory Traversal
- Abnormal Input
- Parameter Overflow
- Buffer Overflow
- Parameter Addition
- Path Manipulation
- Path Truncation
- Character Encoding
- MS-DOS 8.3 Short Filename
- Character Stripping
- Client Certificate Support
- State Management
- Directory Enumeration
- Web Server Assessment
- HTTP Compliance
- WebDAV Compliance
- SSL Strength
- Certificate Analysis
- Content Investigation
- Spam Gateway Detection
- Client-Side Pricing
- Sensitive Developer Comments
- WebServer/Web Package Identification
- Absolute Path Detection
- Error Message Identification
- Permissions Assessment
- Brute Force Authentication Attacks
- Known Attacks
- Site Search
- Application Mapping
- Crawl
- Automatic Form-Filling
- SSL Support
- Proxy Support

Comprehensive Hacker Tools (SPI Toolkit)

- Cookie Cruncher to analyze strength of cookies to avoid session hijacking
- Encoders/Decoders to translate different encryption standards
- HTTP Editor to create and edit HTTP requests
- Regex Tester to test regular expressions
- SOAP Editor to automatically generate and edit Web services SOAP requests
- SPI Fuzzer for HTTP fuzzing or modification of input variables to identify buffer overflows
- SPI Proxy to view every request and server response while browsing a site
- SQL Injector to extract data by executing SQL attacks
- WebBrute brute force tool to test strength of login forms or authentication pages
- WebDiscovery to identify and discover which Web servers and Web applications are behind which ports

Minimum System Requirements

- 512 MB of RAM
- 150 MB of free disk space
- 1 GHz processor or better
- Microsoft .NET 1.1 SP1
- An active Internet connection (for updates)
- Windows XP Professional SP2, Windows Server 2003 Standard SP1
- Microsoft Internet Explorer 6.0

How WebInspect Helps You

WebInspect is the most easy-to-use, extensible and accurate Web application security assessment product available today.
WebInspect enables both the security professional and the security novice to identify critical, high-risk security vulnerabilities in their Web applications and Web services. Through WebInspect's intuitive, wizard-driven interface, you designate which application or Web service you want to analyze. You can also select which type of assessment to run and which security policy to use for each Web application assessment.

Continuous Security Awareness

WebInspect's sophisticated scanning capabilities automatically keep up with changing applications and complex security problems so that you don't have to. Our security experts add new vulnerability checks to our software daily, and your organization can download the latest updates at any time through our SmartUpdate feature. WebInspect's scheduling capability offers you the flexibility to scan applications when it makes the most sense for your organization's business and network.

Comprehensive, Accurate and Fast

WebInspect includes a new patent-pending technology, Intelligent Engines, that revolutionizes Web application assessments with unprecedented speed and accuracy. Using a structured, logic-based approach to analyze the application, SPI Dynamics' patent-pending Intelligent Engines customize attacks based on each Web application's behavior and environment. This results in an automated penetration test that produces far fewer false positives and finds more vulnerabilities than ever before. WebInspect is unique in that it combines all of the industry's known Web application vulnerabilities in SPI Dynamics' vulnerability database, SecureBase, with this sophisticated, ground-breaking Intelligent Engines technology.

Support for Legal and Regulatory Compliance

WebInspect includes detailed reports that show how your Web applications should change to meet most regulatory standards. In addition, you can create new policies or customize an existing one with the Policy and Compliance Editor.
Policies are currently included for more than 20 laws, regulations and best practices including:

- Sarbanes-Oxley
- California SB 1386
- Gramm-Leach-Bliley Act (GLBA)
- Health Insurance Portability and Accountability Act (HIPAA)
- ISO 17799
- VISA PCI Data Compliance
- OWASP Top 10

Easy-to-Use

WebInspect is easy to configure and use. It requires no server-side installations and can be used remotely for Web application assessments. With WebInspect's wizard interface, users can easily run a fully automated Web application assessment and manually interact with it throughout the assessment process. Advanced users can initiate scans through the command line interface.

Extensible

WebInspect includes an API and other methods that enable you to extend the product's capabilities to meet your organization's specific needs. You can configure WebInspect to adapt to any Web application environment and use the custom check wizard to create custom attacks. The policy manager allows you to select and configure the exact attacks down to the check level.

Enterprise Integration

WebInspect integrates with SPI Dynamics' Assessment Management Platform™ (AMP) for enterprise-wide, distributed assessment capabilities. AMP provides a scalable organization-wide view of application security with centralized control over user permissions, security policies, and other facets of scanning administration.

Sophisticated Reporting

WebInspect includes a variety of pre-configured reports such as C-level trend reports, detailed developer-focused reports and pass/fail compliance reports that demonstrate the state of your organization's security posture. WebInspect also allows you to edit any aspect of the report and add custom notes or details as needed. WebInspect report data can be exported in a number of standard formats like XML, RTF and PDF.
WebInspect
Keeping Complex Environments Secure

Security professionals have a tremendous responsibility ensuring that their Web applications are secure and not at risk to malicious attacks from hackers. This is a difficult job considering that hackers are constantly finding new ways around traditional defenses in order to break into Web applications and Web services. What's even more challenging is finding all the security issues and facilitating their resolution quickly in a technical environment that is constantly changing. While protecting assets and maintaining security awareness in this complex, fast-changing environment, security professionals must also be able to demonstrate the state of the organization's Web security and regulatory compliance.

Why WebInspect?

WebInspect, built on patented technology, is the only Web application assessment product that includes these unique capabilities:

- A flexible and configurable user interface that supports both the novice user and the advanced Web application tester
- SPI Dynamics' award-winning assessment technology that is consistently updated to test for the latest Web application vulnerabilities
- SPI Toolkit hacker tools - the most advanced, flexible and comprehensive hacker tools available
- Intelligent Engine technology that can systematically identify attacks in Web applications with unmatched accuracy and speed
- Sophisticated graphical user interface that enables users to watch and interact with a scan as it is running

Key Benefits

- Dramatically reduces organizational risk by detecting vulnerabilities with the most comprehensive and sophisticated approach to Web application assessment on the market
- Significantly reduces penetration testing time and budget through a consolidated, automated approach
- Improves security professionals' influence with specific pre-configured reports for management, development and quality assurance
- Supports legal and regulatory compliance with reports for all major laws and regulations
- Saves security professionals time by automatically keeping up with the latest known vulnerabilities and hacker techniques
- Supports complicated sites such as those using JavaScript, Macromedia Flash or AJAX

About SPI Dynamics

SPI Dynamics delivers a comprehensive suite of products and services that help to identify and remediate Web application and Web services security vulnerabilities found at key stages throughout the Web Application Lifecycle. SPI Dynamics solutions enable security professionals, QA testers, and developers to work together to assess, analyze, and remediate Web applications and Web services for security vulnerabilities, and verify compliance with over 20 security policies like SOX, HIPAA and PCI. The Company's unique approach of patent-pending Intelligent Engines technology combined with the largest Web application security vulnerability knowledgebase in the industry delivers unparalleled speed and accuracy. SPI Dynamics' research and development team, SPI Labs, is widely recognized as one of the world's leading authorities on Web application security and risk management. The Company has over 750 customers among Global 2000 enterprises, including over 70 U.S. Federal accounts, and has strategic partnerships with Microsoft, IBM, Mercury, CSC and Visa, with Visa investing in the Company in 2005. SPI Dynamics is privately held with headquarters in Atlanta, Georgia. For more information on Web application security, visit www.spidynamics.com or call 1.866.774.2700.

115 Perimeter Center Place, Suite 1100, Atlanta, GA 30346
Tel: 1.866.774.2700 | Fax: 678.781.4850 | Email: info@spidynamics.com

Copyright ©2006, SPI Dynamics Incorporated. All Rights Reserved. W60-072406