Remember the days when the truly scary vulnerabilities were “wormable”, a phrase that we seldom hear these days. Sure, those issues still exist, and they’re still scary, but they’re few and far between as attackers move the fight from the server to the desktop.
Client-side applications and the web content they access are the focus these days. With the “threatscape” changing and the focus shifting to these client-side issues, companies like Tripwire are forced to evolve and expand. That is a good thing for customers who take the time to understand what each product actually does, and misleading for those who jump in without doing so.
As a security researcher who occasionally blogs rather than a full time marketing evangelist, I see both sides of the coin… The security impact and the marketing impact.
With the changing threatscape, enterprises need to expand their toolbox and add products like IBM AppScan, HP WebInspect, or Cenzic Hailstorm to their IDS/IPS and Vulnerability Management programs. Services offered by companies like WhiteHat Security and Veracode need to become regulars on the schedule. These end up acting as disjointed services, though, and the spaces between them need to be bridged.
This is something VERT started doing when we were still nCircle, prior to the Tripwire acquisition, and we continue to focus on it today. We started with the “low-hanging fruit” of the web application security world and developed WebApp360.
The idea was not to compete with IBM AppScan or HP WebInspect nor was it to give customers a false sense of security. It was the vision of a group of security researchers who thought that Vulnerability Management could spread its wings.
WebApp360 provides coverage of the OWASP Top 10. That statement is true, but “WebApp360 provides ‘complete coverage’ of the OWASP Top 10” would be false. That’s a task for the “pure-play” web application scanners… the AppScans and Hailstorms of the world. We’re simply bridging that gap between Vulnerability Management and Web Application Security.
Setting up a “pure-play” web scanner for all the internal servers is not cost or resource effective, and this is where WebApp360 (WA360) excels. It is very easy to set up and run against all web servers in your environment. WA360 is designed to scan production websites and covers a plethora of vulnerability and configuration issues. However, it does not dive as deep as some of the “pure-play” scanners, nor does it fulfill the role of static analysis tools.
Anyone who has used the “pure-play” web application scanners knows that they take hours, if not days, to scan and nearly as long to configure. They are designed to target your major web properties, the ones that you know about and actively work to secure. That will never change, and if anyone at Tripwire ever told you that you didn’t need that type of solution, I’d join you in calling them out on it.
What about your development environments, your end user systems, and everything in between though? How many web servers do you have running in your environment that your Vulnerability Management solution is detecting but aren’t showing up as security issues?
This is where WebApp360 is designed to shine: it gives you the power to perform a basic, high-level scan of your entire network in the time it takes a “pure-play” web application scanner to investigate a single site. It points out some of the more basic issues affecting the security of each site as a starting point. From there, a fully functional web application security scanner should be brought in to finish the job.
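To make the “broad and shallow first, deep later” idea concrete, here is an added example of what a single-request triage pass over every HTTP listener looks like. This is illustrative code written for this post, not WebApp360’s logic and not any Tripwire product code; the hosts, responses and the list of default-page markers are constructed for the example. It takes one GET / response per host, flags a handful of cheap-to-detect configuration issues (directory listing, default install page, version disclosure, missing HSTS and hardening headers), scores them, and hands back a worst-first list of hosts that deserve a full “pure-play” scan.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample HTTP responses for three hypothetical hosts.
# These are not real captures; they stand in for what a lightweight
# probe of every HTTP listener your VM scanner found would return.
SAMPLE_RESPONSES: Dict[str, str] = {
    "10.0.1.10:80": (
        "HTTP/1.1 200 OK\r\n"
        "Server: Apache/2.2.15 (CentOS)\r\n"
        "Content-Type: text/html\r\n"
        "\r\n"
        "<html><head><title>Index of /</title></head><body>...</body></html>"
    ),
    "10.0.1.11:443": (
        "HTTP/1.1 200 OK\r\n"
        "Server: nginx\r\n"
        "Strict-Transport-Security: max-age=31536000\r\n"
        "X-Frame-Options: DENY\r\n"
        "X-Content-Type-Options: nosniff\r\n"
        "Content-Type: text/html\r\n"
        "\r\n"
        "<html><head><title>Corporate portal</title></head></html>"
    ),
    "10.0.2.5:8080": (
        "HTTP/1.1 200 OK\r\n"
        "Server: Apache-Coyote/1.1\r\n"
        "Content-Type: text/html\r\n"
        "\r\n"
        "<html><head><title>Apache Tomcat/7.0.52</title></head></html>"
    ),
}

# Weights used to rank hosts; the values are an assumption for this example.
SEVERITY = {"high": 3, "medium": 2, "low": 1}

# Fingerprints of stock "it works" / default install pages, which usually
# mean nobody is maintaining the listener. Hypothetical, non-exhaustive list.
DEFAULT_PAGE_MARKERS = ("Apache Tomcat/", "It works!", "IIS Windows Server", "Welcome to nginx!")


def parse_response(raw: str) -> Tuple[int, Dict[str, str], str]:
    """Split a raw HTTP/1.x response into status code, lower-cased header map, body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def triage(host: str, raw: str) -> List[Tuple[str, str]]:
    """Return (severity, finding) pairs for one host from a single GET / response."""
    _status, headers, body = parse_response(raw)
    is_tls = host.endswith(":443")
    findings: List[Tuple[str, str]] = []
    server = headers.get("server", "")
    # "Product/1.2.3" style banners leak a version an attacker can look up.
    if re.search(r"/\d", server):
        findings.append(("low", f"server version disclosed: {server}"))
    # Auto-generated index pages expose the whole document root.
    if "<title>Index of " in body:
        findings.append(("high", "directory listing enabled on /"))
    if any(marker in body for marker in DEFAULT_PAGE_MARKERS):
        findings.append(("medium", "default install page served on /"))
    if is_tls and "strict-transport-security" not in headers:
        findings.append(("medium", "HSTS header missing on TLS listener"))
    for name in ("x-frame-options", "x-content-type-options"):
        if name not in headers:
            findings.append(("low", f"{name} header missing"))
    return findings


def rank_hosts(responses: Dict[str, str]) -> List[Tuple[str, int, List[Tuple[str, str]]]]:
    """Score every host and return them worst-first: the hand-off list for the deep scanner."""
    scored = []
    for host, raw in responses.items():
        findings = triage(host, raw)
        score = sum(SEVERITY[sev] for sev, _ in findings)
        scored.append((host, score, findings))
    scored.sort(key=lambda entry: (-entry[1], entry[0]))
    return scored


if __name__ == "__main__":
    for host, score, findings in rank_hosts(SAMPLE_RESPONSES):
        print(f"{host}  score={score}")
        for sev, text in findings:
            print(f"    [{sev}] {text}")
```

The point of the ranking is not that a missing X-Frame-Options header is a breach; it is that a listener serving a directory listing or a stock Tomcat page on a forgotten port is exactly the kind of host your Vulnerability Management scanner sees but nobody has pointed a real web application scanner at. Against a real network you would replace SAMPLE_RESPONSES with the result of one request per detected HTTP port, keep the checks this cheap, and feed the top of the list into the deep scanner.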
To put it in terms of sports, when it comes to web application security, your web application security scanner is the NASCAR driver and your IS/IT team is the pit crew. You could run the race with just those two groups, and if you’ve got a good driver, you’ll do fairly well, but you need that spotter, up above the track, watching everything that’s happening.
That’s what WebApp360 is… We’re the spotter, telling you where the trouble is and giving you an idea of what to expect. As any NASCAR fan will tell you, the driver with the best spotter always has a competitive advantage.