Category Archives: NT OBJECTives


SSL Poodle Check Added to NTOSpider

This week’s “big hack” everyone is yapping about is the POODLE flaw in Secure Sockets Layer (SSL 3.0). The hack is a bad one when the attacker can get a man-in-the-middle position to set it up, but the need for MitM does limit the scope of this exploit.

Adding the check for POODLE’s downgrade flag to our NTOSpider scanner was trivial as we already perform SSL Strength Analysis, but the real challenge is how to score this. Quite frankly just allowing SSL 3.0 is inherently bad, and POODLE just makes it worse. I can see an argument for making it high risk to have SSL 3.0 enabled, but then does POODLE make it “Super-High”?
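The kind of check described above, written out as an added example (this is not NTOSpider's code; NT OBJECTives has not published how its SSL Strength Analysis is implemented). It builds an SSL 3.0 ClientHello, classifies the server's first reply (refused, negotiated another version, accepted SSL 3.0 with a CBC suite, accepted SSL 3.0 with a stream suite) and maps that to a severity following the post's reasoning that SSL 3.0 alone is already high risk and a CBC suite on top of it is the POODLE case. The cipher suite ids are the registered TLS values; the `make_server_hello` helper only fabricates sample replies so the classifier can be exercised offline.

```python
import socket
import struct

# Cipher suite ids from the TLS registry: CBC suites are the ones POODLE applies to.
CBC_SUITES = {0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
              0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
              0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA"}
STREAM_SUITES = {0x0005: "TLS_RSA_WITH_RC4_128_SHA"}
SSL3 = b"\x03\x00"


def build_sslv3_client_hello(suites, random_bytes=b"\x00" * 32):
    """Construct an SSL 3.0 ClientHello record offering the given cipher suites."""
    suite_bytes = b"".join(struct.pack("!H", s) for s in suites)
    body = (SSL3 + random_bytes + b"\x00"             # version, random, empty session id
            + struct.pack("!H", len(suite_bytes)) + suite_bytes
            + b"\x01\x00")                             # one compression method: null
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body  # type + 24-bit length
    return b"\x16" + SSL3 + struct.pack("!H", len(handshake)) + handshake


def classify_response(data):
    """Interpret the first record a server sends back to the SSL 3.0 ClientHello."""
    if len(data) < 5:
        return "no_response"
    content_type = data[0]
    if content_type == 0x15:                           # alert record: handshake refused
        return "refused"
    if content_type != 0x16 or data[5:6] != b"\x02":   # not a ServerHello
        return "unexpected"
    version = data[9:11]                               # ServerHello: 4-byte header, then version
    if version != SSL3:
        return "negotiated_other_version"
    sid_len = data[43]                                 # 32-byte random precedes the session id
    suite = struct.unpack("!H", data[44 + sid_len:46 + sid_len])[0]
    if suite in CBC_SUITES:
        return "sslv3_cbc_accepted"                    # the POODLE-exposed configuration
    return "sslv3_accepted"


def score(classification):
    """Map the check result to a finding severity, following the post's reasoning."""
    return {"sslv3_cbc_accepted": "High (SSL 3.0 enabled with a CBC suite: POODLE)",
            "sslv3_accepted": "High (SSL 3.0 enabled)",
            "negotiated_other_version": "Info",
            "refused": "Pass"}.get(classification, "Inconclusive")


def make_server_hello(version, suite, session_id=b""):
    """Constructed sample ServerHello record, used only to exercise the classifier offline."""
    body = version + b"\x00" * 32 + bytes([len(session_id)]) + session_id + struct.pack("!H", suite) + b"\x00"
    handshake = b"\x02" + struct.pack("!I", len(body))[1:] + body
    return b"\x16" + version + struct.pack("!H", len(handshake)) + handshake


def check_host(host, port=443, timeout=5):
    """Network form of the check against a host you administer (not exercised in the test)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_sslv3_client_hello(list(CBC_SUITES) + list(STREAM_SUITES)))
        return score(classify_response(s.recv(4096)))


if __name__ == "__main__":
    for label, reply in [("cbc", make_server_hello(SSL3, 0x002F)),
                         ("rc4", make_server_hello(SSL3, 0x0005)),
                         ("tls1", make_server_hello(b"\x03\x01", 0x002F)),
                         ("alert", b"\x15\x03\x00\x00\x02\x02\x28")]:
        print(label, "->", classify_response(reply), "/", score(classify_response(reply)))
```

Whatever severity label you settle on, the remediation is the same: disable SSL 3.0 outright rather than tuning cipher suites around it, and the check then returns a plain refusal.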

As with my recent post about the 8 lessons learned from Shellshock, I encourage caution with this weekly hype cycle for each new “big hack.” It’s reminiscent of “The Boy Who Cried Wolf” – we’ll see how that will turn out for us.


NTOSpider 6.4 Now Available!

We are excited to announce a host of enhancements to NTOSpider that will further assist you in testing more of your applications in less time. Our mission is and has always been to create the most automated and accurate assessment possible even on the most modern applications. And, in this release, we further expand NTOSpider’s ability to effectively test modern web and mobile applications.

The following are some of the highlights of NTOSpider 6.4:

  • Web service authentication to further automate testing of web services and mobile applications.
  • Automatic update tool to enable users to automatically download new versions of NTOSpider.
  • Crawler improvements to further expand coverage of Web 2.0 applications and improved performance on very large sites.
  • Added and improved attack modules to include additional vulnerabilities in automated coverage, including Shellshock (the BASH Bug).
  • Improved UI features including user defined attack policies and macro debugging.

New and Enhanced Features

  • Web Service Authentication – Expanded ability to test web services, with support for the authentication and session management solutions used by many web services, including comprehensive OAuth, HMAC, integrated nonce support and user-defined solutions.
  • Improved Web 2.0/3.0 and HTML5 crawling – Improved automated crawling of JavaScript-heavy (AJAX) web sites and popular frameworks such as jQuery.
  • Enhanced performance – Performance improvements include increased scan speed and reduced memory consumption especially for very large sites.
  • Auto-updater – NTOSpider finally has a configurable automatic update mechanism with three options, giving the user flexibility and control over upgrades.
  • User Defined Attack Policy – Simplifies selection of attacks.
  • Macro debugger – UI feature to help the user replay and debug macro recordings.
  • Attack modules – The following attack modules have been added or improved.
    • Shellshock (aka The BASH Bug)
    • CORS (Cross-Origin Resource Sharing)
    • XPath Injections
    • LDAP Injection
    • XML External Entity
    • Server Side Include (SSI) Injection
    • Expression Language Injection
    • ASP.NET ViewState Validation
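The HMAC-with-nonce scheme mentioned under Web Service Authentication is the kind of thing a scanner has to reproduce to keep a valid session with a web service. As an added example, not taken from NTOSpider or from any particular web service, here is both sides of such an exchange in Python: the client signs the method, path, body hash, timestamp and nonce with a shared secret, and the server rejects stale timestamps, replayed nonces and tampered requests. The header names, the canonical string layout and the shared secret are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time

# Constructed credentials for the example; real services provision a secret per client.
CLIENT_ID = "mobile-app-1"
SHARED_SECRET = b"example-shared-secret-not-for-production"


def canonical_string(method, path, body, timestamp, nonce):
    """The string both sides sign: method, path, body hash, timestamp, nonce (assumed layout)."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, body_hash, str(timestamp), nonce])


def sign_request(method, path, body, secret=SHARED_SECRET, timestamp=None, nonce=None):
    """Client side: produce the authentication headers (names are assumptions) for one request."""
    timestamp = int(time.time()) if timestamp is None else timestamp
    nonce = secrets.token_hex(16) if nonce is None else nonce
    mac = hmac.new(secret, canonical_string(method, path, body, timestamp, nonce).encode(), hashlib.sha256)
    return {"X-Client-Id": CLIENT_ID, "X-Timestamp": str(timestamp),
            "X-Nonce": nonce, "X-Signature": mac.hexdigest()}


class Verifier:
    """Server side: check signature, freshness and nonce uniqueness for each request."""

    def __init__(self, secrets_by_client, max_skew=300):
        self.secrets_by_client = secrets_by_client
        self.max_skew = max_skew          # seconds of clock skew tolerated
        self.seen_nonces = {}             # nonce -> timestamp at which it was accepted

    def verify(self, method, path, body, headers, now=None):
        """Return (accepted, reason). Only requests that pass every check are recorded."""
        now = int(time.time()) if now is None else now
        secret = self.secrets_by_client.get(headers.get("X-Client-Id"))
        if secret is None:
            return False, "unknown client"
        try:
            timestamp = int(headers["X-Timestamp"])
        except (KeyError, ValueError):
            return False, "bad timestamp"
        if abs(now - timestamp) > self.max_skew:
            return False, "stale request"
        nonce = headers.get("X-Nonce", "")
        if not nonce or nonce in self.seen_nonces:
            return False, "replayed nonce"
        expected = hmac.new(secret, canonical_string(method, path, body, timestamp, nonce).encode(),
                            hashlib.sha256).hexdigest()
        # Constant-time comparison so the signature check does not leak timing information.
        if not hmac.compare_digest(expected, headers.get("X-Signature", "")):
            return False, "bad signature"
        # Nonces older than the skew window can never be replayed successfully, so drop them.
        self.seen_nonces = {n: t for n, t in self.seen_nonces.items() if now - t <= self.max_skew}
        self.seen_nonces[nonce] = timestamp
        return True, "ok"


if __name__ == "__main__":
    body = b'{"tweet": "hello"}'
    verifier = Verifier({CLIENT_ID: SHARED_SECRET})
    headers = sign_request("POST", "/api/tweets", body)
    print(verifier.verify("POST", "/api/tweets", body, headers))   # accepted
    print(verifier.verify("POST", "/api/tweets", body, headers))   # same nonce again: rejected
```

The order of checks matters: the timestamp window bounds how long the server must remember nonces, and a nonce is only recorded after the signature verifies, so unauthenticated traffic cannot fill the replay cache.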

For complete details review the release notes.

For more information or to request a free trial of NTOSpider visit: www.ntobjectives.com/security-software/ntospider-application-security-scanner/


Fix Security Defects Earlier with NTOSpider and Selenium Integration

It’s a well-known fact that it costs less to fix security defects earlier in the software development lifecycle than later. But because most security professionals are experts in security and less familiar with applications, and QA teams are experts in applications and less familiar with security, integrating security testing earlier in the software development lifecycle can be a challenge. NT OBJECTives is changing that in a big way.

As innovators in web application security scanning, we are always thinking about how we can continue to push ourselves, continue our innovation and really deliver world-class scanning to our customers. One of the things we have done is enhance our web application security scanner, NTOSpider, to integrate with the browser automation program Selenium, to help companies bridge the gap between software development and security testing.


Here’s how it works. First, you may already be familiar with Selenium. It is often used by software development and QA teams to automate the security testing of web applications, and enable users to record a series of events and analyze the results. The NTOSpider and Selenium integration enables security teams to automatically detect security defects earlier in the software development lifecycle, such as during the nightly build process. As a result, security teams can improve web application security with minimal additional costs and without the help of development and/or QA teams.

Our latest version of NTOSpider supports two methods of Selenium integration:

  1. It executes the Selenium script directly, while NTOSpider is running, to avoid working from a possibly expired session.
  2. It imports the output of a previously executed script, expediting the testing process.

In addition to improving web application security testing, NTOSpider’s integration with Selenium can also be used to automate complex authentication solutions and specific application workflows, like shopping cart sequences.

NTOSpider offers development/QA and security teams an exciting opportunity to finally close the knowledge gap that often exists between them and develop more secure web applications at a lower cost. If you’d like to learn more about the benefits of integrating web application security scanners with Selenium or how NTOSpider can “piggy-back” on the application knowledge built into Selenium, I encourage you to download our white paper, The Case for Integrating Selenium and Application Security Testing.

This becomes even more interesting when you hook all this together with a Continuous Integration solution such as Jenkins. In this model, NTOSpider scans are launched against the latest build of the application in a fully automated fashion.

And while the integration of Selenium is an exciting one, we are off and running on our next enhancement. More on that soon!

Until then, scan your apps or face attack!


Mobile Application Security 101

Mobile Applications – Still Insecure

Businesses are racing to meet the demands for mobile applications, yet mobile application security is an afterthought, just as web application security was when web applications started to proliferate.

As an industry, we know so much about securing web applications that applies to mobile, but most organizations are still repeating past mistakes and making new mobile specific mistakes that expose businesses to security incidents.

According to a recent Gartner report, “Most enterprises are inexperienced in mobile application security. Security testing, if conducted at all, is often done casually — not rigorously — by developers who are mostly concerned with the functionality of applications, not their security.”[1] In the same report, the firm indicates that “through 2015, more than 75% of mobile applications will fail basic security tests.”[2]


Don’t Forget Mobile Web Services

There has been so much talk about mobile device and mobile client security, but the key thing to keep in mind when approaching mobile application security is that it’s critical to test both the client as well as the communication to the web service that powers it. For example, if you’re using your Twitter app, the primary logic that resides on the mobile client is display and user authentication. The app must then communicate to a web service in order to get and send Tweets. This web service is the real power of Twitter and where the real security risk lies. Why attack one user, when you can attack that web service that is used by millions?

Even though mobile applications leverage a client-server model, they are built with entirely new technologies that necessitate new processes, technologies and skills. While mobile application security does drive these new requirements, the overall problem is one the security industry is already well acquainted with, because the vulnerabilities showing up in mobile applications aren’t new at all. We often say that we are “Hacking like it’s 1999” because the reality is that mobile vulnerabilities are just the same old vulnerabilities we have been hunting for over 13 years now: SQL injection, overflows, and client attacks.

These new requirements for mobile testing are driven by the new programming languages used for building mobile clients (Objective-C and Android’s Java variant), the new formats used by back-end web services (JSON and REST) and the new authentication and session management options (OAuth, HMAC, etc.). And while those familiar SQL Injection attacks look almost exactly like they did 10 years ago, you just can’t find them without understanding how to deliver these attacks within the new structures.
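To make the “same old vulnerability in a new structure” point concrete, here is an added example (not code from the post, and not modelled on any particular app's back end): a minimal JSON/REST user lookup handler over an in-memory SQLite table, in a vulnerable form that concatenates the JSON value into the SQL and in a hardened form that binds it as a parameter. The injection is the classic tautology; the only thing that changed since 1999 is that the value arrives in a JSON body rather than a form field. The table contents and the request bodies are constructed for the example.

```python
import json
import sqlite3


def make_db():
    """In-memory sample user table (constructed data for the example)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users (username, email) VALUES (?, ?)",
                     [("alice", "alice@example.com"), ("bob", "bob@example.com")])
    return conn


def lookup_vulnerable(conn, username):
    """The 1999-style defect: the value taken from the JSON body is concatenated into SQL."""
    sql = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    """Same query with the value passed as a bound parameter; the payload is just a string."""
    return conn.execute("SELECT username, email FROM users WHERE username = ?", (username,)).fetchall()


def handle_request(conn, raw_body, hardened):
    """Minimal REST handler: parse the JSON body, run the lookup, return a JSON-able response."""
    try:
        body = json.loads(raw_body)
        username = body["username"]
    except (ValueError, KeyError, TypeError):
        return {"status": 400, "error": "expected a JSON object with a 'username' field"}
    if not isinstance(username, str):
        return {"status": 400, "error": "username must be a string"}
    lookup = lookup_safe if hardened else lookup_vulnerable
    try:
        rows = lookup(conn, username)
    except sqlite3.Error as exc:
        # A legitimate apostrophe breaking the query is itself a tell-tale of the defect.
        return {"status": 500, "error": str(exc)}
    return {"status": 200, "users": [{"username": u, "email": e} for u, e in rows]}


if __name__ == "__main__":
    conn = make_db()
    probe = json.dumps({"username": "' OR '1'='1"})
    print("vulnerable:", handle_request(conn, probe, hardened=False))   # both rows leak
    print("hardened:  ", handle_request(conn, probe, hardened=True))    # no rows
    print("apostrophe:", handle_request(conn, json.dumps({"username": "o'brien"}), hardened=False))
```

A scanner that only knows how to put that probe into form fields and query strings will never exercise the vulnerable branch; one that understands the JSON body finds it exactly as it would have a decade ago.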


SQL Injection Alive and Well

We call the mobile vulns the Where’s Waldo of application security. They’re your old familiar friend, SQL Injection, who looks almost exactly like he did 10 years before – maybe with a few gray hairs – but you just can’t find him as easily because he’s in an all new environment. We simply need to adjust to this new landscape and start looking for our old friend again.

Another important thing to keep in mind about mobile application security testing is that there ARE tools that automate the process. There just aren’t that many of them that automate the entire process or do it very well.

We see several categories of security vulnerabilities in mobile applications:

More on Mobile Application Security


[1] [2] Gartner, Technology Overview: Mobile Application Security Testing for BYOD Strategies, by Joseph Feiman and Dionisio Zumerle, August 30, 2013.


Mobile application security testing – fast and easy!

Mobile application security testing: four words that, for many security professionals, elicit a nagging feeling that comes from knowing the challenge is imminent, if not already present, yet very difficult to tackle.

We at NT OBJECTives understand, and we’ve got your back. Our newest service offering is designed to help busy security teams easily and thoroughly test mobile applications – without intensive training or resource drain.

NTOMobile On-Demand gives NTOSpider customers everything they need to quickly security test mobile applications, including mobile client native code and back-end web services. No need to choose between testing the source code, testing the services or pen testing the mobile app. NTOMobile On-Demand does it all with a comprehensive software solution combined with expert pen testing.

Comprehensive mobile application testing requires both static and dynamic analysis, so we’ve packaged them together, along with expert pen testing, to deliver comprehensive mobile application security testing. By leveraging the power of NTOSpider’s dynamic application security testing capabilities, NTOMobile On-Demand effectively and automatically tests the web services that power mobile back ends and that leverage new technologies like REST, JSON and SOAP. You won’t find another web application security testing solution that delivers better coverage of your custom web service implementations.

Mobile application security testing is a challenge for security teams that don’t have the time or resources to invest in effective training and tools. NTOMobile On-Demand enables security teams to conduct comprehensive mobile application security testing – and obtain the peace of mind that comes from doing what needs to be done.

Build security earlier into the SDLC with NT OBJECTives & Coverity

NTO & Coverity launch interactive application security (IAST)

Are your developers effectively testing for and fixing security vulnerabilities early in the software development lifecycle (SDLC)?


Coverity and NT OBJECTives recently announced the first interactive application security testing (IAST) solution that developers will actually want to use. Other solutions were built as add-on security solutions that plug into an existing developer environment, whereas our solution was built on the most popular existing developer platform, already widely in use by developers to address both non-security and security issues.

Join us for a webcast next week, May 2nd, where we’ll show you how Coverity & NT OBJECTives are making it easy to build security into the lifecycle.

Correlated results of an XSS vulnerability

Unique IAST Solution Combines:

  1. dynamic web scanning (DAST)
  2. source code security scanning (SAST)
  3. source code quality and performance scanning (non-security bugs)

Benefits of Coverity/NT OBJECTives solution

  • Developers More Likely to Use the Solution: Because it integrates with their existing workflow and leverages a tool that they are already using, developers prefer Coverity & NTO’s IAST solution.
  • Fewer False Positives: The correlation of DAST and SAST gives additional context to findings and reduces false positives.
  • Increased Efficiency: Developers can prioritize all security vulnerabilities and software defects quickly and easily from a single pane of glass and unified workflow.



NT OBJECTives and Coverity release integrated SAST and DAST

We are happy to announce our partnership with Coverity and the general availability of the first Interactive Application Security Testing (IAST) solution to be built on a “developer-ready” platform. With this integration, the results from NTO’s Dynamic Application Security Testing (DAST) solution, NTOSpider, are integrated into the development workflow of Coverity’s Static Application Security Testing (SAST) solution and then automatically correlated, enabling security teams to find and fix security defects earlier in the lifecycle and improving collaboration between security and development teams.



Learn more in our upcoming webinar (Register Now: Building Security into Development).

The NT OBJECTives and Coverity combined solution is:

  • Fully integrated into existing development workflow
  • Built in a language developers already understand
  • Enables developers to quickly and efficiently remediate security defects
  • Empowers developers to address and prioritize defects as code is written

Correlated results of an XSS vulnerability

The benefits of our IAST solution are:

Higher Results Confidence: By integrating NTOSpider with the Coverity Development Testing Platform, we’re enhancing our already highly accurate analysis by combining the detection of a potential vulnerability found through SAST with verification through a real-time exploit attempt provided by DAST. The combined solution determines whether the vulnerability is real and where in the code it is located.

Comprehensive Analysis From Two Perspectives: By combining the Coverity Development Testing Platform with NTOSpider, our customers know they are leveraging two state-of-the-art solutions to achieve maximum application coverage.

Increased Efficiency: Developers prioritize vulnerabilities quickly and easily from a single pane of glass and unified workflow.

Improved Collaboration between Security and Development: By combining results into one solution that developers already use, security and development teams can improve communication, prioritization and remediation efforts around security vulnerabilities.

To learn more:



Announcing NTOSpider 6 – Now scanning mobile, web services, and CSRF

I am very happy to announce the delivery of NTOSpider 6, the first and only dynamic application security scanner available that is capable of effectively testing modern mobile and web applications that leverage new technologies like REST, AJAX, JSON and GWT. NTOSpider delivers more comprehensive application coverage and sophisticated attack methodologies than any other solution available. Most importantly, NTOSpider delivers the best rates in the industry for the elimination of false positive and false negative findings.


NTOSpider 6 is a next-generation dynamic application security testing (DAST) solution that includes a proprietary Universal Translator technology, which translates these various formats so that the scanner can automatically crawl, detect and attack vulnerabilities that exist in modern applications.

NTOSpider 6

  • More accurate (broader coverage of new technologies with fewer false positives and false negatives)
  • More automated (the most automated solution available with the most sophisticated attack technologies)
  • More cutting-edge (automates testing of new technologies used in HTML5, RIA and mobile apps)

Benefits of NTOSpider 6

  • Broader coverage of complex, modern applications with more automation and minimal per scan manpower
    • Mobile & Web Services – Enables simulated attacks of web & mobile back-end services by detecting rich client traffic to decode & attack popular formats: JSON, REST, Flash Remoting (AMF), SOAP, & XML
    • RIA – Dynamically crawls & attacks rich client traffic including AJAX, JQuery, GWT
  • Supports CSRF protected sites – token detection to enable collection & use of valid tokens during each attack
  • Increased level of automation – Execute repeatable, rapid & comprehensive automated application security testing
  • Reduces risk – Systematically reduce risk more effectively by leveraging a more automated process
  • Frees pen testers – Free pen testers to test the parts of the application that require manual testing like business logic

I’m on the phone with customers and security professionals every day who are struggling to keep up against rapidly proliferating applications and vulnerabilities. The spread of mobile applications, web services and complex Rich Internet Applications (RIA) has made a bad situation worse for security professionals. Because the web application scanner industry has not kept pace in detecting vulnerabilities in these new formats, security teams have been forced to test new applications manually, which has become time consuming, a drain on resources and insufficient for understanding risk.

Rather than rely solely on manual testing for these technologies, security experts can leverage NTOSpider to automatically test more of their applications than ever before, including the nine technologies we find to be the most common in today’s RIA, HTML5, mobile and complex applications. Each is detailed in our recent white paper, which describes how and why these technologies create challenges for web scanners and provides step-by-step instructions for how security professionals can determine if their scanners are effectively scanning and attacking these newer technologies.

I invite security researchers and experts who want to stay current against modern applications and try the most accurate and automated solution available to request a free trial of NTOSpider 6!

Read the press release on NTOSpider 6.

Mobile App Security – Application Security’s “Where’s Waldo”

As I have discussed in previous posts and at conferences like OWASP AppSecUSA, while the number of attacks continues to increase, the attack techniques aren’t new at all. They are actually the same old attacks like SQL Injection showing up in new places, including mobile application services and AJAX applications. Because these newer technologies have exploded in popularity and become more mainstream, we keep seeing these same old vulnerabilities popping up in new places. I always say it’s like Where’s Waldo, and we simply need to understand the new landscape and start looking for Waldo again.


Over the last several years, there has been a major evolution in how applications are being built, with new underlying technologies, application architectures and data formats, but have application scanners evolved with them? These new technologies have grown at such a fast rate that we haven’t been able to keep up at either end. On one end, developers aren’t able to build these new applications securely because they are up against deadlines from the business and delivering on new technologies. On the other end, web application scanners were architected in the golden days of web application security, when almost all web applications were static and relatively simple HTML pages. While scanners have never and will never cover all types of every web application, our belief is that they can and should cover as much as possible. Unfortunately, most application security scanners haven’t kept pace with the changing applications.


Over the next few weeks, I’ll be posting a series on these technologies and how developers, security professionals and application scanning vendors can help to close the coverage gap detailed above to improve both the efficiency (reduce manual efforts) and effectiveness (find more vulnerabilities) of security efforts.

By the way, a new beta version of our NTOSpider product is currently available. We believe it’s the only scanner that truly begins to address these newer technologies and formats like AMF, JSON and REST. But feel free to check it out for yourself. We welcome input and feedback.

In this series of posts, I’ll detail the technologies used in modern applications and demonstrate why they create challenges for modern web scanners. In addition, I’ll give you pointers on how you can determine if your application security scanners are effectively scanning and attacking these newer technologies.

We will discuss the following kinds of applications and technologies:

1. RIA & HTML5

  • AJAX applications: JSON (jQuery), REST, GWT (Google Web Toolkit)
  • Flash remoting: AMF
  • HTML5 applications (addressed in subsequent paper)

2. Mobile

  • Backends powered by JSON, REST and other custom formats

3. Web services

  • JSON, REST
  • XML-RPC, SOAP (addressed in subsequent paper)

4. Challenging application workflows

  • Sequences: shopping cart and other strict processes
  • XSRF/CSRF tokens

If you would like to read the full whitepaper on this topic, you can download it here.

2013 Security B-Sides San Francisco Voting

Voting for Security B-Sides San Francisco presentations is in full swing. Be sure to vote for your favorite talks.

We’re partial to these two talks by Dan Kuykendall!


The Pineapple Express: Live mobile application hacking demonstration. A speeding bullet to the mobile backend – climb aboard the Pineapple Express. In this talk, Dan goes beyond the typical discussion points on mobile security to delve into the vulnerable back-ends of mobile applications. Dan will demonstrate how easy it is to find vulnerabilities and attack the service calls in social media, banking and payment applications.

Get off your AMF and don’t REST on JSON – In this talk, Dan will demonstrate the process of understanding the new formats like JSON, REST and AMF and where to attack them on various vulnerable applications.

Hope to see everyone there!