Web Application Security

SPI Dynamics web application security 101

DESCRIPTION

Web application security 101 explained by SPI Dynamics.


Page 1: SPI Dynamics web application security 101

Web Application Security

Page 2

security. protection. intelligence.

Q: Where Do Your Current Security Measures Fail?

A: Your proprietary, custom-written Web applications.

Page 3

Today over 70% of attacks against a company's Web site or Web application come at the application layer, not the network or system layer.

A complete security solution requires attention at each potential point of attack.

Page 4

Q: So how do we remedy this situation?

A: Enact policies requiring your developers to write secure code.

• Verify that every request parameter is in its expected format (through a standard library, not ad-hoc checks in each page).

• Any unknown or malformed user data should be logged and the request terminated.

Page 5

But if you instituted this policy, how would you effectively enforce it? What measures would you have in place to make sure that developers comply?

"An unenforceable policy, or one without a process to determine whether the outlined specifications are met, is just as good as no policy at all."

Page 6

Q: But I use XYZ Scanner; won't it discover these types of vulnerabilities?

A: No, and this is why.

Page 7

Where Today’s Security Measures Fail

Page 8

Q: How can SPI Dynamics do all of this when the others can't?

A: Because other scanners are a security broadsword, whereas ours is a security scalpel.

WebInspect™ is NOT meant to replace any tools that are currently being used; instead it complements them.

Page 9

How SPI Solves The Problem

Page 10

WebInspect™ scans the whole site:

Web server

Web pages

Scripts

Proprietary applications

Cookies

(Network diagram; labels: Internet, IDS, Firewall, Web Server, Database Server, CC#'s Database, Users Database)

Page 11

WebInspect™

Scans authentication codes

Assesses security procedures

Carves into confidential data

... just like a hacker would

(Same network diagram as page 10: Internet, IDS, Firewall, Web Server, Database Server, CC#'s Database, Users Database)

Page 12

WebInspect™ automates our security expertise so that customers can simulate an advanced Web-application attack on their own. WebInspect™ detects holes in both standard and proprietary applications, and crawls the entire Web site in search of potential security problems.

WebInspect™

Page 13

WebInspect™ is easy to use. Simply enter the URL of the Web site or Web application you wish to scan and click go.

WebInspect™

Page 14

WebInspect™ is easy to understand. The Vulnerability Report is listed in order of severity and contains HTML links for navigation.

WebInspect™

Page 15

Features & Benefits of WebInspect™

Unique Focus: Your proprietary Web site or Web application

Superior Scanning: Products codify our security expertise

Extremely Fast: WebInspect™ runs in minutes/hours vs. the days/weeks it takes to complete traditional vulnerability assessments

Automated: Continuously maintain your security integrity

Updated: Continuously keep up to date on the latest vulnerabilities with the online update feature

Simple & Cost Effective: Licensed per IP address or per consultant

Risk-Free: Offered on a trial basis at no cost

Page 16

How does WebInspect™ do this?

• Hidden Manipulation

• Parameter Tampering

• Cookie Poisoning

• Stealth Commanding

• Forceful Browsing

• Backdoor/Debug Options

• Configuration Subversion

• Vendor-Assisted Hacking
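The policy on page 4 (check every request parameter against a known format through one shared library, then log and terminate anything unknown or malformed) is exactly the server-side control that closes off the first three attack classes listed above: a hidden price field manipulated by the client, a tampered parameter, and a poisoned session cookie. The following Python is an added example written for this page, not code from SPI Dynamics or from WebInspect. The parameter names, the cookie format, the catalogue and the log message format are all assumptions made for illustration.

```python
import logging
import re

# Rejections are logged here. In a real deployment this goes to the application's
# audit log, which is what a log-audit tool (page 17's LogAlert) would read.
logger = logging.getLogger("webapp.input")
REJECT_LOG = []  # in-memory copy of the rejection records, so the outcome can be inspected


class _ListHandler(logging.Handler):
    def emit(self, record):
        REJECT_LOG.append(self.format(record))


logger.addHandler(_ListHandler())
logger.setLevel(logging.WARNING)
logger.propagate = False

# Allowlist of every request parameter this handler accepts, each with an exact
# format (assumed names for the example). A name not listed here is "unknown".
PARAM_FORMATS = {
    "item_id": re.compile(r"[0-9]{1,9}"),
    "qty": re.compile(r"[1-9][0-9]{0,2}"),
    "coupon": re.compile(r"[A-Z0-9]{4,12}"),
}
REQUIRED_PARAMS = ("item_id", "qty")

# Cookies get the same treatment: a session token is 32 lowercase hex digits (assumed).
COOKIE_FORMATS = {"session": re.compile(r"[a-f0-9]{32}")}
REQUIRED_COOKIES = ("session",)

# Constructed server-side catalogue. The price lives here, not in a hidden form
# field, so a client that adds price=1 to its request gains nothing.
CATALOGUE = {"1001": 1999, "1002": 4500}  # item_id -> price in cents


class RejectedRequest(ValueError):
    """Raised when input fails validation; the caller terminates the request."""


def _problems(values, formats, required, kind):
    """List every way `values` violates the allowlist `formats`."""
    found = []
    for name, value in values.items():
        fmt = formats.get(name)
        if fmt is None:
            found.append(f"unknown {kind} {name!r}")
        elif not isinstance(value, str) or not fmt.fullmatch(value):
            found.append(f"{kind} {name!r} has invalid format")
    for name in required:
        if name not in values:
            found.append(f"missing required {kind} {name!r}")
    return found


def validate_request(params, cookies, remote_addr):
    """Check parameters and cookies; log and reject if anything is off."""
    problems = _problems(params, PARAM_FORMATS, REQUIRED_PARAMS, "parameter")
    problems += _problems(cookies, COOKIE_FORMATS, REQUIRED_COOKIES, "cookie")
    if problems:
        logger.warning("rejected request from %s: %s", remote_addr, "; ".join(problems))
        raise RejectedRequest("; ".join(problems))
    return dict(params), dict(cookies)


def order_total_cents(params, cookies, remote_addr="203.0.113.7"):
    """Handler body: runs only on validated input, with prices from the catalogue."""
    clean, _ = validate_request(params, cookies, remote_addr)
    item_id = clean["item_id"]
    if item_id not in CATALOGUE:  # well-formed but not a real item: also reject
        logger.warning("rejected request from %s: unknown item_id %s", remote_addr, item_id)
        raise RejectedRequest(f"unknown item_id {item_id}")
    return CATALOGUE[item_id] * int(clean["qty"])


def rejects(params, cookies, remote_addr="203.0.113.7"):
    """True if the handler would terminate this request."""
    try:
        order_total_cents(params, cookies, remote_addr)
        return False
    except RejectedRequest:
        return True


if __name__ == "__main__":
    session = {"session": "0123456789abcdef" * 2}
    print(order_total_cents({"item_id": "1001", "qty": "2"}, session))  # 3998
    attempts = {
        "hidden-field manipulation": ({"item_id": "1001", "qty": "2", "price": "1"}, session),
        "parameter tampering": ({"item_id": "1001 OR 1=1", "qty": "2"}, session),
        "negative quantity": ({"item_id": "1001", "qty": "-5"}, session),
        "cookie poisoning": ({"item_id": "1001", "qty": "1"}, {"session": "admin"}),
    }
    for label, (p, c) in attempts.items():
        print(label, "->", "rejected" if rejects(p, c) else "ACCEPTED")
    for line in REJECT_LOG:
        print(line)
```

The design choice worth noting is that the allowlist is the only place a parameter name or format is written down, so a new page cannot quietly accept a field the policy never reviewed; and because the handler never reads a price from the request, the hidden-field manipulation above is not merely detected but pointless. The rejection log line carries the client address and the precise reason, which is what a later log audit needs in order to tell a probing attacker from a user with a broken browser.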

Page 17

The SPI Works Product Suite

WebInspect™ (Application Assessment): Know your vulnerabilities. Available now.

Use WebInspect™ to assess current Web sites or Web applications.

Use WebInspect™ to QA new applications during development, prior to release into production.

LogAlert™ (Application Log Audit): Know if you have been attacked. Available now.

Use LogAlert™ to audit Web logs to know whether an attacker has successfully compromised your Web site or Web application.

Use LogAlert™ after you have been attacked, for Web log forensic analysis.

WebDefend™ (Application Intrusion Protection): Proactively stop attacks. Available Q2 2002.

Use WebDefend™ to proactively stop Web site or Web application intrusions.

Page 18

Our Company

Founded in April 2000 by recognized Information Security industry experts

Released WebInspect™ in April 2001

HQ in Atlanta, Georgia

Resellers in New York, Chicago, Washington D.C., Knoxville, Miami, London

SPI serves clients in each of the following vertical industries:

HealthCare

Insurance

Financial Services

Government

Global Enterprise

Consulting

Page 19

SPI Dynamics is the leading provider of automated Web application security products.

SPI develops "hands-off" security products that embed the knowledge and expertise of an information security professional in the code.

The embedded "hacker logic" enables our software to think for the end user, making their job easier.