
@stake Announces Release 2 of WebProxy; Interactive Security Tool Created by Renowned Security Experts Helps Software Engineers Build More Secure Web Applications

Business Wire, Dec 17, 2002

Business Editors/High-Tech Writers

CAMBRIDGE, Mass.--(BUSINESS WIRE)--Dec. 17, 2002

@stake, Inc., (www.atstake.com) the world's largest independent digital security consulting firm, today announced the immediate commercial availability of @stake(R) WebProxy(TM), a powerful interactive security tool that helps software developers, quality assurance engineers, and security professionals test and enhance the security of Web applications. Sitting between the developer's browser and the Web application, WebProxy acts as a 'proxy' to let the developer observe precisely how the Web application responds to staged attacks, such as those that use buffer overflows, SQL injection, cookie manipulation, cross-site scripting or parameter manipulation. By identifying security vulnerabilities while applications are still in development, companies can cost-effectively improve the overall security of any Web application(1).

"Today's Web applications are subject to malicious activity by both authorized and unauthorized users," said Charles Kolodgy, Research Manager for Internet Security at IDC. "To combat this, corporations need to make sure that their applications are designed to protect data as it is being processed and stored."

Several studies have indicated that it is more cost-effective to address security vulnerabilities in software applications during the development phase versus after the application has been released to customers. If a malicious attack is successful on a Web application that is already in commercial use or production, companies must face costs associated with removing the application from production, assessing the damage to the application and the data it manages, as well as potentially considerable costs associated with loss of reputation and customer confidence that may result from the attack.

"Security in today's software industry is dominated by a penetrate-and-patch mentality, where the security of an application is more likely to be addressed after it has been released to customers," said Christopher A.R. Darby, Chairman and CEO of @stake. "As digital security consultants, we've helped hundreds of clients rectify Web application security flaws that could have been more easily and cost-effectively addressed during development or quality assurance testing. With the commercial introduction of @stake WebProxy, we're offering a powerful tool to help companies make immediate improvements in the security of any Web application."

About the New Release

@stake WebProxy was originally developed as a proprietary tool to be used exclusively by the company's security consultants on client engagements to assess Web applications for common security vulnerabilities. Since @stake posted the first release of WebProxy in April 2002 as a free, undocumented tool on the company's Web site, over 20,000 people have downloaded a copy. Because of the overwhelming response, the company has made a number of enhancements to the commercial release, including a new user interface, improved installation, comprehensive new documentation, and powerful new automated testing features.

How WebProxy Works

Designed to act as an HTTP/HTTPS proxy server, @stake WebProxy allows monitoring and manipulation of requests made by the browser to the Web application. @stake WebProxy offers the following features and benefits:

-- Re-submission and on-the-fly editing of previous requests, which allows the developer to test custom application attack scenarios. Editing capabilities include support for parsing of query parameters, request headers, and POST parameters, as well as cookie editing. Requests can be automatically modified based on a matching regular expression for ease-of-use.

-- Logging of requests and replies to text files, allowing the developer to maintain a record of past requests for use in regression testing.

-- Dynamic certificate generation, enabling transparent support for testing SSL-enabled applications: the proxy terminates the browser's SSL session with a certificate it generates for the target host and opens its own SSL connection to the server, so the traffic in between can be read and edited in the clear. Because the browser then sees the proxy's certificate rather than the server's, it must be configured to accept it.

-- Cookie management, hashing, and decoding utilities, providing a convenient interface for analyzing encoded application traffic.

-- Quashing (suppression) of individual request headers, allowing the developer to observe how the application reacts when a header it may depend on, such as Referer or Cookie, is missing.

In addition, the following features have been added to the commercial release:

-- Automated fault injection or "fuzzing" of request parameters, which can be used to test for SQL injection, directory traversal, cross-site scripting, buffer overflows and character set vulnerabilities.

-- Support for Proxy Chaining, which allows WebProxy to be used in conjunction with existing proxy servers.

-- Comprehensive new documentation.

-- New user interface.

-- Performance enhancements.
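The request-manipulation features listed above, worked through as an added Python sketch. This is not @stake's code, and the release does not describe WebProxy's internals; the class and function names, the payload list and the sample request are all assumptions made for the example. It covers the editing side of the feature list (query, POST, cookie and header editing, a regex-triggered rewrite rule, a cookie decoder, and a parameter fuzzer that yields one variant per parameter and payload) and leaves out the socket and SSL plumbing that turns it into a listening proxy.

```python
import base64
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

ENC = "latin-1"  # byte-transparent, so raw payload bytes survive the round trip

class Request:
    """Minimal HTTP/1.x request model (hypothetical): enough to edit query,
    POST, cookie and header fields of an intercepted request."""
    def __init__(self, method, target, version, headers, body=b""):
        self.method, self.target, self.version = method, target, version
        self.headers = headers  # list of (name, value) pairs, order preserved
        self.body = body

    @classmethod
    def parse(cls, raw):
        head, _, body = raw.partition(b"\r\n\r\n")
        lines = head.decode(ENC).split("\r\n")
        method, target, version = lines[0].split(" ", 2)
        headers = [(n.strip(), v.strip())
                   for n, _, v in (line.partition(":") for line in lines[1:])]
        return cls(method, target, version, headers, body)

    def serialize(self):
        # Recompute Content-Length so an edited body is still well-formed on the wire.
        hdrs = [(n, v) for n, v in self.headers if n.lower() != "content-length"]
        if self.body or self.method in ("POST", "PUT"):
            hdrs.append(("Content-Length", str(len(self.body))))
        head = f"{self.method} {self.target} {self.version}\r\n"
        head += "".join(f"{n}: {v}\r\n" for n, v in hdrs)
        return head.encode(ENC) + b"\r\n" + self.body

    def header(self, name):
        return next((v for n, v in self.headers if n.lower() == name.lower()), None)

    def quash_header(self, name):
        # Drop the header entirely to see how the application behaves without it.
        self.headers = [(n, v) for n, v in self.headers if n.lower() != name.lower()]

    def query_params(self):
        return parse_qsl(urlsplit(self.target).query, keep_blank_values=True, encoding=ENC)

    def set_query_params(self, params):
        parts = urlsplit(self.target)
        self.target = urlunsplit(parts._replace(query=urlencode(params, encoding=ENC)))

    def post_params(self):
        return parse_qsl(self.body.decode(ENC), keep_blank_values=True, encoding=ENC)

    def set_post_params(self, params):
        self.body = urlencode(params, encoding=ENC).encode(ENC)

    def cookies(self):
        raw = self.header("Cookie") or ""
        return dict(c.strip().split("=", 1) for c in raw.split(";") if "=" in c)

def decode_cookie(value):
    """Guess the encoding behind an opaque cookie value: ('base64'|'hex'|'plain', text)."""
    try:
        text = base64.b64decode(value + "=" * (-len(value) % 4), validate=True).decode(ENC)
        if all(32 <= ord(c) < 127 for c in text):  # count only printable ASCII as a hit
            return "base64", text
    except ValueError:
        pass
    if re.fullmatch(r"(?:[0-9a-fA-F]{2})+", value):
        return "hex", bytes.fromhex(value).decode(ENC)
    return "plain", value

def apply_rules(req, rules):
    """Regex-triggered edits: (pattern over 'METHOD target', callback) pairs, in order."""
    for pattern, edit in rules:
        if re.search(pattern, f"{req.method} {req.target}"):
            edit(req)
    return req

FUZZ_PAYLOADS = [                   # assumed probe set, one per vulnerability class
    "' OR '1'='1",                  # SQL injection
    "../../../../etc/passwd",       # directory traversal
    "<script>alert(1)</script>",    # cross-site scripting
    "A" * 4096,                     # oversized value (buffer-overflow probe)
    "\xc0\xae\xc0\xae/",            # overlong UTF-8 '..' (character-set handling)
]

def fuzz(req, payloads=FUZZ_PAYLOADS):
    """Yield (location, name, payload, request): one parameter replaced per variant."""
    slots = (("query", Request.query_params, Request.set_query_params),
             ("post", Request.post_params, Request.set_post_params))
    for where, get, put in slots:
        params = get(req)
        for i, (name, _) in enumerate(params):
            for payload in payloads:
                variant = Request.parse(req.serialize())  # fresh copy; original untouched
                mutated = list(params)
                mutated[i] = (name, payload)
                put(variant, mutated)
                yield where, name, payload, variant

# Constructed sample request for the demonstration (not captured traffic).
SAMPLE_REQUEST = (b"POST /login?next=%2Fhome HTTP/1.1\r\n"
                  b"Host: app.example.test\r\n"
                  b"Referer: http://app.example.test/\r\n"
                  b"Cookie: sid=YWRtaW46MQ==; theme=dark\r\n"
                  b"Content-Type: application/x-www-form-urlencoded\r\n"
                  b"Content-Length: 25\r\n\r\n"
                  b"user=alice&pass=secret123")

if __name__ == "__main__":
    req = Request.parse(SAMPLE_REQUEST)
    req.quash_header("Referer")
    apply_rules(req, [(r"^POST /login", lambda r: r.set_post_params(
        [(n, "admin" if n == "user" else v) for n, v in r.post_params()]))])
    print(req.serialize().decode(ENC))
    print({k: decode_cookie(v) for k, v in req.cookies().items()})
    print(sum(1 for _ in fuzz(Request.parse(SAMPLE_REQUEST))), "fuzz variants")
```

To turn this into a working interception point, wrap it in a socket accept loop: read the browser's request, `Request.parse` it, run `apply_rules`, forward `serialize()` to the origin server and relay the response back. Two design choices are worth noting. Content-Length is always recomputed in `serialize`, which keeps edited bodies valid but also means quashing that particular header has no effect; and the base64 detector in `decode_cookie` is a heuristic (short plain values such as `dark` are valid base64 too), which is why it only reports a hit when the decoded bytes are printable ASCII.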

System Requirements

WebProxy can be used to test Web applications that are running on any platform. WebProxy runs on the developer's client system, which can be any of the following:

-- Microsoft Windows (Win32) including NT, 2000, and XP

-- Sun Solaris (SPARC) with the X Window System

-- Linux (x86) with the X Window System

WebProxy has been designed to work with any Web browser that has proxy support. Release 2 of WebProxy has been tested with Netscape 4.79 and 6.2, Internet Explorer 5.5 and 6.0, and Mozilla 1.1.


Content provided in partnership with Thompson Gale