Friday, August 1, 2008

WebApp Security Test tool - HP Application Security Center

The first product we are looking at in the area of web application security testing tools is from HP. This is actually a suite of products collectively called HP Application Security Center. The following are some notes I have taken after hearing their presentation and browsing through their website.

  • Formerly SPI Dynamics before its acquisition in June 2007
  • Full security test suite that offers tools for different phases of the SDLC:

    1. DevInspect – Development stage
      • Primarily a source code analyzer or white-box testing tool (i.e. requires full source code but does not require running system).
      • Specific to the underlying implementation technology (C#, Java, JavaScript, HTML, XML, AJAX).
      • Tight integration in development process (via the IDEs) hence allowing threats to be detected early (even before a developer checks the code in).
      • Suggests and can automatically apply code fixes when vulnerabilities are found.
      • Requires regular updates to keep up with latest threat signatures (like anti-virus software).
      • Note that this tool catches only compile-time threats, not run-time threats. Hence it needs to be partnered with one of the tools below.
      • Deploys as plugins to Eclipse and Visual Studio.

    2. QAInspect – UAT/SIT stage (maybe even as part of continuous integration)
      • Black-box testing tool (does not require source code but requires a running system).
      • Underlying implementation technology independent.
      • Works by crawling an entire website (link depth and type are configurable) after being given a root URL.
      • Suggests common fixes when vulnerabilities are found but cannot automatically fix them. (Obviously since it has no knowledge or access to the underlying code!)
      • Will not be able to detect threats on pages that are not explicitly defined in the test, are not reachable as links within the website, or sit in directories that do not allow listing.
      • Supports legal and regulatory compliance by scanning against well-known policies (e.g. Sarbanes-Oxley, HIPAA, PCI Data Security Standard, OWASP Top Ten) and generating the necessary reports.
      • Requires regular updates to keep up with latest threat signatures (like anti-virus software).
      • Must run full suite of tests after an update as the tool is unable to determine the delta.
      • Tight integration with HP Quality Center and HP TestDirector hence allowing security tests to be managed as part of an overall test plan/run including functional and/or performance tests.
      • Automatically generates defect logs in HP Quality Center based on vulnerabilities found during the tests.
      • Integrates with HP AMP (Assessment Management Platform) to provide enterprise assessment management, i.e. centralized control over user permissions, security policies and remote scanning administration.
      • Runs only on the Windows platform.

    3. WebInspect – anytime (after you have a running system of course)
      • Essentially the same as QAInspect except that it's targeted for standalone use.
      • Includes a whole bunch of advanced tools for penetration testers.
      • Does not offer integration with HP Quality Center or HP TestDirector for overall test management but can push vulnerabilities as defects to HP Quality Center.
      • Does integrate with HP AMP for enterprise assessment management.
      • As far as licensing goes, in Singapore, comes in two flavors:
        1. Single User (i.e. one PC), Single Target (i.e. one IP address)
        2. Single User (i.e. one PC), unlimited Targets (for about double the price of the above)
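To make the crawl-coverage caveat for the black-box tools (QAInspect/WebInspect) concrete, here is a small Python simulation I have added to these notes. It is not HP's code and is not part of their presentation; the site map is a constructed, in-memory stand-in for a real application. A breadth-first crawler starts from the seed URLs you give it, follows `href` links up to a configurable depth, and then reports which pages were never visited. Pages that are not linked from anywhere (the constructed `/admin` console) or that live in a directory without listing (the constructed `/backup/db.sql`) stay uncovered unless they are explicitly defined as seeds, which is exactly why the scan scope has to be reviewed rather than trusted blindly.

```python
"""Added example: simulate black-box scanner crawl coverage (not HP's code)."""
import re
from collections import deque
from typing import Dict, List

# Constructed sample site: path -> HTML body. Purely illustrative, not a real app.
SITE: Dict[str, str] = {
    "/": '<a href="/login">Login</a> <a href="/products">Products</a>',
    "/login": '<form action="/login" method="post"></form>',
    "/products": '<a href="/products/1">Widget</a> <a href="/products/2">Gadget</a>',
    "/products/1": '<a href="/cart">Add to cart</a>',
    "/products/2": '<a href="/cart">Add to cart</a>',
    "/cart": '<a href="/checkout">Checkout</a>',
    "/checkout": "Thank you for your order",
    # Not linked from any page: a crawler only finds it if it is a configured seed.
    "/admin": "admin console",
    # Lives in a directory with listing disabled and is not linked anywhere.
    "/backup/db.sql": "-- database dump",
}

HREF_RE = re.compile(r'href="([^"]+)"')


def crawl(site: Dict[str, str], seeds: List[str], max_depth: int) -> List[str]:
    """Breadth-first crawl from the seed paths, following links up to max_depth.

    Returns the visited paths in crawl order. Only same-site links that
    actually exist in `site` are followed, mirroring a scanner that stays
    inside the configured target.
    """
    seen = set(seeds)
    queue = deque((path, 0) for path in seeds)
    visited: List[str] = []
    while queue:
        path, depth = queue.popleft()
        visited.append(path)
        if depth >= max_depth:
            continue  # depth limit reached: do not expand this page's links
        for link in HREF_RE.findall(site.get(path, "")):
            if link in site and link not in seen:
                seen.add(link)
                queue.append((link, depth + 1))
    return visited


def uncovered(site: Dict[str, str], visited: List[str]) -> List[str]:
    """Pages that exist on the site but the crawl never reached (scan blind spots)."""
    return sorted(set(site) - set(visited))


if __name__ == "__main__":
    for depth in (1, 2, 10):
        reached = crawl(SITE, ["/"], depth)
        print(f"depth={depth}: reached {len(reached)} pages, "
              f"missed {uncovered(SITE, reached)}")
    # Adding an explicit seed is the only way the unlinked page gets scanned.
    print("with /admin seeded:", uncovered(SITE, crawl(SITE, ["/", "/admin"], 10)))
```

Running it shows that even with an unlimited depth the crawl from `/` never reaches `/admin` or `/backup/db.sql`, while a depth limit of 1 stops at the top-level links and leaves most of the application untested. In practice this is the argument for feeding the scanner an explicit list of known URLs (or a recorded functional-test session) in addition to the root URL.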
