- Formerly SPI Dynamics, acquired by HP in June 2007
- Full security test suite that offers tools for different phases of the SDLC:
- DevInspect – Development stage
- Primarily a source code analyzer or white-box testing tool (i.e. requires full source code but does not require a running system).
- Specific to the underlying implementation technology (C#, Java, JavaScript, HTML, XML, AJAX).
- Tight integration into the development process (via the IDE), so vulnerabilities are detected early, even before a developer checks the code in.
- Suggests and can automatically apply code fixes when vulnerabilities are found.
- Requires regular updates to keep up with latest threat signatures (like anti-virus software).
- Note that, as a static analyzer, this tool only catches flaws that are visible in the code at build time, not those that only appear at run time (for example, server or deployment configuration). It therefore needs to be paired with one of the tools below.
- Deploys as plugins to Eclipse and Visual Studio.
- QAInspect – UAT/SIT stage (maybe even as part of continuous integration)
- Black-box testing tool (does not require source code but requires a running system).
- Independent of the underlying implementation technology.
- Works by crawling an entire website (link depth and link types are configurable) from a given root URL.
- Suggests common fixes when vulnerabilities are found but cannot apply them automatically, since it has no knowledge of or access to the underlying code.
- Cannot detect threats on pages it never reaches: pages that are not explicitly defined in the test, are not linked from anywhere on the site, or sit in directories that do not allow listing.
- Supports legal and regulatory compliance by scanning against well-known policies (e.g. Sarbanes-Oxley, HIPAA, PCI Data Security Standard, OWASP Top Ten) and generating the necessary reports.
- Requires regular updates to keep up with latest threat signatures (like anti-virus software).
- Must run the full suite of tests after an update, as the tool cannot determine which checks the update changed.
- Tight integration with HP Quality Center and HP TestDirector, so security tests can be managed as part of an overall test plan/run alongside functional and/or performance tests.
- Automatically generates defects in HP Quality Center from vulnerabilities found during the tests.
- Integrates with HP AMP (Assessment Management Platform) to provide enterprise assessment management, i.e. centralized control over user permissions, security policies and remote scanning administration.
- Runs only on Windows.
- WebInspect – any time (once you have a running system, of course)
- Essentially the same as QAInspect except that it is targeted at standalone use.
- Includes a whole bunch of advanced tools for penetration testers.
- Does not offer integration with HP Quality Center or HP TestDirector for overall test management, but can push vulnerabilities to HP Quality Center as defects.
- Does integrate with HP AMP for enterprise assessment management.
- As far as licensing goes, in Singapore, it comes in two flavours:
- Single User (i.e. one PC), Single Target (i.e. one IP address)
- Single User (i.e. one PC), unlimited Targets (for about double the price of the above)
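The crawl-and-coverage behaviour described under QAInspect above, as an added example that is not code from the page or from HP: a toy breadth-first crawler that walks a constructed in-memory site from a root URL to a configurable link depth, and then reports which pages on the site it never reached. The site map, the example.test hostname, the seed list and the function names are all assumptions made for illustration; a real scanner also normalises URLs, handles forms and cookies, and treats query parameters far more carefully than this.

```python
"""Toy black-box crawler: follows links from a root URL to a configurable
depth, as the QAInspect/WebInspect crawl phase does, and shows the
coverage gap for pages that are never linked. Example code only; the
'site' is a constructed in-memory map of URLs to HTML so it runs offline."""

from collections import deque
from html.parser import HTMLParser
from urllib.parse import urldefrag, urljoin, urlparse

# Constructed sample site (assumption, not a real server). /admin/login is
# never linked from any page, and /uploads/ has no directory listing, so a
# purely link-following crawl cannot see either of them.
SAMPLE_SITE = {
    "http://example.test/": '<a href="/about">About</a> <a href="/products?id=1">P1</a>',
    "http://example.test/about": '<a href="/">Home</a> <a href="/team">Team</a>',
    "http://example.test/team": '<a href="/about">Back</a> <a href="http://other.test/x">ext</a>',
    "http://example.test/products?id=1": '<a href="/products?id=2">Next</a>',
    "http://example.test/products?id=2": '<a href="/">Home</a>',
    "http://example.test/admin/login": '<form action="/admin/login"></form>',
    "http://example.test/uploads/backup.zip": "",
}


class LinkExtractor(HTMLParser):
    """Collects href values from <a> and <link> tags."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag in ("a", "link"):
            for name, value in attrs:
                if name == "href" and value:
                    self.links.append(value)


def fetch(url, site=SAMPLE_SITE):
    """Stand-in for an HTTP GET against the constructed site; None means 404."""
    return site.get(url)


def crawl(root, max_depth=2, seeds=(), site=SAMPLE_SITE):
    """Breadth-first crawl restricted to the root's host. Returns {url: depth}.

    'seeds' is the equivalent of explicitly defining pages in the scan
    configuration: URLs the crawler could never discover by following links.
    """
    host = urlparse(root).netloc
    found = {}
    queue = deque([(root, 0)] + [(urljoin(root, s), 0) for s in seeds])
    while queue:
        url, depth = queue.popleft()
        url, _fragment = urldefrag(url)
        if url in found or urlparse(url).netloc != host:
            continue  # already visited, or off-host: out of scope
        body = fetch(url, site)
        if body is None:
            continue  # 404 or unreachable: nothing to test here
        found[url] = depth
        if depth >= max_depth:
            continue  # link depth limit reached; record but do not follow
        parser = LinkExtractor()
        parser.feed(body)
        for href in parser.links:
            # Note: /products?id=1 and /products?id=2 are kept as distinct
            # URLs here; real scanners normalise such parameter variants.
            queue.append((urljoin(url, href), depth + 1))
    return found


def coverage_gap(site, found):
    """Pages that exist on the site but that the crawl never reached."""
    return sorted(set(site) - set(found))


if __name__ == "__main__":
    reached = crawl("http://example.test/", max_depth=2)
    print("reached:", reached)
    print("never scanned:", coverage_gap(SAMPLE_SITE, reached))
    seeded = crawl("http://example.test/", max_depth=2, seeds=("/admin/login",))
    print("still never scanned after seeding /admin/login:",
          coverage_gap(SAMPLE_SITE, seeded))
```

Running it shows the practical consequence of the limitation noted above: with the link depth set to 2 the crawler reaches five pages, the unlinked /admin/login and the unlisted /uploads/backup.zip are never scanned, and only adding /admin/login as a seed brings it into scope. Anything a scanner cannot reach is untested, not safe.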
Friday, August 1, 2008
WebApp Security Test tool - HP Application Security Center
The first product we are looking at in the area of web application security testing tools is from HP. It is actually a suite of products collectively called HP Application Security Center. The following are some notes I have taken after hearing their presentation and browsing through their website.