ThomasNet News Logo
Sign Up | Log In | ThomasNet Home | Promote Your Business

Web Application Scanner works with complex workflows.

Print | 
Email |  Comment   Share  
February 27, 2014 - NTOSpider enables automated security testing of complex application workflows, including shopping carts and registration sequences. Capable of automatically understanding workflow sequence and expected results, solution enables automatic creation of relevant session states and discovery of web application security vulnerabilities. Functionality respects workflow order, allowing attack payloads to be delivered into application code where it can discover security vulnerabilities.

NT OBJECTives, Inc. NTOSpider Introduces Complex Application Workflows in Automated Security Testing for Unprecedented Accuracy


NT OBJECTives
P.O. Box 5537
Irvine, CA, 92616
USA



Press release date: February 19, 2014

Extensive User Interface and Scan Enhancements Allows Users to Achieve More Control and Visibility with Application Scanners

IRVINE, Calif. – NT OBJECTives, Inc., provider of the most automated, comprehensive and accurate web application security solutions, announced today that its NTOSpider web application scanner is the first of the application scanners to effectively introduce automated security testing of complex application workflows, including shopping carts and registration sequences, delivering more automation, accuracy and scalability than other application scanners. NTOSpider is now uniquely capable of automatically understanding a workflow sequence and expected results, which enable it to automatically create relevant session states and find web application security vulnerabilities.

Today's businesses and government organizations are delivering sophisticated and complex applications to their customers and security teams are scrambling to keep pace. Large organizations have hundreds or thousands of web applications, many of them with complex workflows. Automated security testing of those workflows with application scanners will save a tremendous amount of time and enable security teams to find more vulnerabilities much sooner. It will also allow web application security teams to focus manual testing efforts where automated security testing is not an option.

"Until now, the only way to accurately test a complex application workflow like shopping cart or invoice processing has been manually. If it takes a tester 16 hours to test a complex workflow by hand and that organization has 20 applications with complex workflows, that can add up to over a month of testing." said Dan Kuykendall, co-CEO and CTO of NT OBJECTives. "When you're a global organization, with hundreds or thousands of applications, and you need to do quarterly web application security assessments, testing by hand just doesn't scale, vulnerabilities end up being missed or applications are not tested at all.

Application scanners' automated security testing traditionally consists of two phases. First is the crawl phase during which the scanner gathers information about the application and its attack vectors. This information is then used to perform the second part, the attack phase, during which the scanner randomly attacks the functionality. While attacking randomly is good for a lot of functionality, it does not work for complex workflows.

In an application workflow, data is being passed from one step to the next and in order to find web application security vulnerabilities, it is critical to use valid test data and pass it through just as the workflow prescribes. For example, in a shopping cart application, a user adds an item to their cart, clicks checkout, enters their address and credit card data and finally makes their purchase. Each step required data to be passed from the previous in order to complete the order. When conducting automated security testing, if application scanners attack the steps in a complex workflow randomly, it will miss vulnerabilities. For example, the scanner might attack a shipping form, but because there are no items in the cart, the application informs the user that they have no items in their cart and discards the attack payloads. The scanner doesn't even know this happened and misses web application security vulnerabilities as a result.

In automated security testing, application scanners must also follow the workflow through in its entirety. It is not enough to follow the workflow up to the point of attack. Imagine, for example, that the scanner attempts a SQL injection attack on the 'last name' field in the billing form. At that point the data is often held in temporary session storage. It isn't until the order confirmation page, when the user confirms the order and the information is sent to the SQL server, that the attack is executed. So if application scanners don't complete the workflow, the attack is never executed and the SQL injection vulnerability goes undetected.

The new release of NTOSpider, unlike other application scanners, properly respects the order of the workflow, which allows the attack payloads to be delivered into the application code where it can discover the web application security vulnerabilities.

"This new release of NTOSpider holds just one of the many innovations we have in store for automated security testing. Our roadmap has many exciting advancements that will enable our customers to continue to assess modern web applications efficiently and accurately and will strengthen our position as the leading innovator in web application security scanning."

To read more about how NTOSpider handles complex application workflows and other recent automated security testing innovations for software development and QA teams, visit www.ntobjectives.com or call 1-877-NTO-WEBS (1-877-686-9327).

Tweet: @ntobjectives adds complex application workflow support to #NTOSpider for improved #webappsec testing accuracy http://bit.ly/1jcH7mq

About NT OBJECTives, Inc.

NT OBJECTives, Inc. (NTO) is a provider of the most comprehensive and accurate automated security testing software, services and SaaS for web applications. NTO's customizable suite of solutions includes application security testing, SaaS scanning and in-depth consulting services to help companies build the most comprehensive, efficient and accurate web application security program. NT OBJECTives is privately held with headquarters in Irvine, CA. For more information, visit www.ntobjectives.com or follow us on Twitter at @ntobjectives or @dan_kuykendall.

CONTACT:
Kari Walker
ZAG Communications
703.928.9996
kari@zagcommunications.com
Print | 
Email |  Comment   Share  
Contacts: View detailed contact information.


 

Post a comment about this story

Name:
E-mail:
(your e-mail address will not be posted)
Comment title:
Comment:
To submit comment, enter the security code shown below and press 'Post Comment'.
 



 See related product stories
More .....
 See more product news in:
Software
 More New Product News from this company:
Web Application Security Testing helps unburden IT teams.
Software Development Tool enables security testing.
More ....
| Featured Manufacturing Jobs
 Tools for you
Watch Company 
View Company Profile
Company web site
More news from this company
E-mail this story to a friend
Save Story
Search for suppliers of
Trouble Shooting Software
Debugging Software
Data Security Software
Join the forum discussion at:
Engineers Lounge




Home  |  My ThomasNet News®  |  Industry Market Trends®  |  Submit Release  |  Advertise  |  Contact News  |  About Us
Brought to you by Thomasnet.com        Browse ThomasNet Directory

Copyright © 2014 Thomas Publishing Company. All Rights Reserved.
Terms of Use - Privacy Policy



Error close

Please enter a valid email address