Automated Web services security testing just got a whole lot easier, thanks to new tools targeting developers and quality assurance (QA) professionals.
Security specialist Kenai Systems Inc. this week released a new product for Web services vulnerability testing and assessment, called eXamineXT. And Parasoft Corp., a provider of automated software test and analysis tools, has unveiled SOAPtest 4.0, which introduces repeatable penetration testing at the message level to detect Web services security vulnerabilities.
The goal is "early visibility," said Wayne Ariola, vice president of corporate development at Parasoft, in Monrovia, Calif. "We find there's an education gap [between developers and security professionals]; the developer and QA don't know what it means to have a secure application, or if they've just placed a vulnerability in the application. We sniff it out and let them know early on."
Ariola continued, "Organizations have taken great steps in creating security organizations, yet it's far too late. By the time the security guy gets hold [of the application], it's usually in production or [ready to] go live."
Testing for security vulnerabilities during development can be key to minimizing security issues later. According to Jack Quinnell, chief technology officer at Rocklin, Calif.-based Kenai Systems, "The concept of pervasive security begins in the development environment."
However, one of the challenges to this type of pervasive security is that many developers only have a minimal level of security training under their belts. In addition, "the average developer would just as soon not have to worry about it," said Jason Bloomberg, a senior analyst at ZapThink LLC in Waltham, Mass. "If the developer's job is to code business logic, then he would just as soon security was handled for him. The more you can do to automate the security part of what the developer does, the better."
For one-year-old Kenai Systems, eXamineXT resulted from feedback from large companies on their Web services security concerns, according to CEO Bill Kesselring. "They said, 'Develop a product that allows us to securely develop Web services.' They said, 'I want a Web service I can test [for security vulnerabilities] simply by pointing, clicking and protecting against that known vulnerability, before deployment.' "
The eXamineXT product tests for known Web services vulnerabilities and includes about 20 security test profiles, and automatically generates test cases based on those profiles. In addition, it can test Web services for compliance with industry standards, organizational policies and industry best practices.
"We focus on automating testing for technical vulnerabilities and pushing [that information] back to the development cycle," Quinnell said.
"Testing as part of development is a best practice overall; it's part of an agile approach," Bloomberg said. "It's a critical part of building Web services and service-oriented architectures."
General availability of eXamineXT is expected in July; price is $800 per seat. The product is available as a standalone, or as a plug-in version optimized for the Eclipse integrated development environment. The general version is available on the company's Web site for a free 30-day evaluation.
Parasoft's SOAPtest 4.0, in addition to penetration testing at the message level, includes support for Universal Description Discovery and Integration registries, Web Services Addressing and Web Services ReliableMessaging. SOAPtest is one of several products in Parasoft's suite of testing tools.
"We have a library of responses [in SOAPtest]," Ariola said. "We're looking for bad patterns or vulnerable patterns, or behavioral aspects of an application that could be tampered with." SOAPtest, he said, integrates penetration testing with functional testing. "We can find if the code is vulnerable in specific areas; additionally, we do it in the context of business workflow. We can penetration test through the whole [transaction] sequence to determine if there is a vulnerability in the middle of the transaction."
Parasoft's SOAPtest 4.0 is available now for Windows 2000, Windows XP, Linux and Solaris. Pricing starts at $3,495.