Tag Archives: Dynamic Application Security Testing

NTO-Red-Logo1

NTOSpider 6.4 Now Available!

We are excited to announce a host of enhancements to NTOSpider that will further assist you in testing more of your applications in less time. Our mission is and has always been to create the most automated and accurate assessment possible even on the most modern applications. And, in this release, we further expand NTOSpider’s ability to effectively test modern web and mobile applications.

The following are some of the highlights of NTOSpider 6.4:

  • Web service authentication to further automate testing of web services and mobile applications.
  • Automatic update tool to enable users to automatically download new versions of NTOSpider.
  • Crawler improvements to further expand coverage of Web 2.0 applications and improved performance on very large sites.
  • Added and improved attack modules to include additional vulnerabilities in automated coverage, including Shellshock or BASH Bug.
  • Improved UI features including user defined attack policies and macro debugging.

New and Enhanced Features

  • Web Service Authentication – Expanded ability to test web services with the ability to handle the authentication and session management solutions used by many web services. Including: comprehensive OAuth, HMAC, integrated NONCE support and user defined solutions.
  • Improved Web 2.0/3.0 and HTML5 crawling – Improved automated crawling of heavy Javascript (AJAX) web sites and popular frameworks such as jQuery.
  • Enhanced performance – Performance improvements include increased scan speed and reduced memory consumption especially for very large sites.
  • Auto-updater – NTOSpider finally has a configurable automatic update mechanism that enables users to choose between three options that give the user flexibility and control over upgrades.
  • User Defined Attack Policy – Simplifies selections of attacks.
  • Macro debugger – UI feature to help user replay and debug MACRO recordings.
  • Attack modules – The following attack modules have been added or improved.
    • Shellshock (aka The BASH Bug)
    • CORS (Cross-Origin Resource Sharing)
    • XPath Injections
    • LDAP Injection
    • XML External Entity
    • Server Side Include (SSI) Injection
    • Expression Language Injection
    • ASP.NET ViewState Validation

For complete details review the release notes.

For more information or to request a free trial of NTOSpider visit: www.ntobjectives.com/security-software/ntospider-application-security-scanner/

iphone image

Mobile Application Security 101

Mobile Applications – Still Insecure

Businesses are racing to meet the demands for mobile applications, yet mobile application security is an afterthought, just as web application security was when web applications started to proliferate.

As an industry, we know so much about securing web applications that applies to mobile, but most organizations are still repeating past mistakes and making new mobile specific mistakes that expose businesses to security incidents.

According to a recent Gartner report, “Most enterprises are inexperienced in mobile application security.  Security testing, if conducted at all, is often done casually — not rigorously — by developers who are mostly concerned with the functionality of applications, not their security.[1]” In this same report, the firm indicates that “through 2015, more than 75% of mobile applications will fail basic security tests.[2]

Friends-using-Foursquare-006

Don’t Forget Mobile Web Services

There has been so much talk about mobile device and mobile client security, but the key thing to keep in mind when approaching mobile application security is that it’s critical to test both the client as well as the communication to the web service that powers it. For example, if you’re using your Twitter app, the primary logic that resides on the mobile client is display and user authentication. The app must then communicate to a web service in order to get and send Tweets. This web service is the real power of Twitter and where the real security risk lies. Why attack one user, when you can attack that web service that is used by millions?

Even though mobile applications leverage a client-server model, they are built with entirely new technologies that necessitate new processes, technologies and skills.  While mobile application security does drive these new requirements, the overall problem is one that the security industry is already well acquainted with because the vulnerabilities showing up in mobile applications aren’t new at all. We often say that we are “Hacking like it’s 1999” because, the reality is that mobile vulnerabilities are are just the same old vulnerabilities that we have been hunting for over 13 years now: SQL injection, overflow, and client attacks.

These new requirements for mobile testing are driven by the new programming languages used for building mobile clients (Objective-C and Android’s Java variant), the new formats used by back-end web services (JSON and REST) and the new authentication and session management options (OAuth, HMAC, etc). And while those familiar SQL Injection attacks look almost exactly like they did 10 ago, you just can’t find them without understanding how to deliver these attacks within the new structures.

iphone image

SQL Injection Alive and Well

We call the mobile vulns the Where’s Waldo of application security. They’re your old familiar friend, SQL Injection, who looks almost exactly like he did 10 years before – maybe with a few gray hairs – but you just can’t find him as easily because he’s in an all new environment. We simply need to adjust to this new landscape and start looking for our old friend again.

Another important thing to keep in mind about mobile application security testing is that there ARE tools that automate the process. There just aren’t that many of them that automate the entire process or do it very well.

We see several categories of security vulnerabilities in mobile applications:

More on Mobile Application Security

 

[1] [2]Gartner Research Document

Gartner, Technology Overview: Mobile Application Security Testing for BYOD Strategies, By Joseph Feiman and Dionisio Zumerle, August 30, 2013.

Mobile-App-Sec

Mobile application security testing – fast and easy!

Mobile-App-SecMobile application security testing: Four words that, for many security professionals, elicit a nagging feeling that comes from knowing the challenge is imminent if not already present, yet very difficult to tackle.

We at NT OBJECTives understand, and we’ve got your back. Our newest service offering is designed to help busy security teams easily and thoroughly test mobile applications – without intensive training or resource drain.

NTOMobile On-Demand gives NTOSpider customers everything they need to quickly security test mobile applications, including mobile client native code and back-end web services. No need to choose between testing the source code, testing the services or pen testing the mobile app. NTOMobile On-Demand does it all with a comprehensive software solution combined with expert pen testing.

Comprehensive mobile application testing requires both static and dynamic analysis, so we’ve packaged them together, along with expert pen testing, to deliver comprehensive mobile application security testing. By leveraging the power of NTOSpider’s dynamic application security testing capabilities, NTOMobile On-Demand effectively and automatically tests the web services that power mobile back ends and that leverage new technologies like REST, JSON and SOAP. You won’t find another web application security testing solution that delivers better coverage of your custom web service implementations.

Mobile application security testing is a challenge for security teams that don’t have the time or resources to invest in effective training and tools. NTOMobile On-Demand enables security teams to conduct comprehensive mobile application security testing – and obtain the peace of mind that comes from doing what needs to be done.

coverity logo

NT OBJECTives and Coverity release integrated SAST and DAST

We are happy to announce our partnership with Coverity and the general availability the first Interactive Application Security Testing (IAST) solution to be built on a “developer-ready” platform. With this integration, the results from NTO’s Dynamic Application Security Testing (DAST) solution, NTOSpider, are integrated into the development workflow of Coverity’s Static Application Security Testing (SAST) solution and then automatically correlated, enabling security teams to find and fix security defects earlier in the lifecycle and improving collaboration between security and development teams.

coverity logo

 

Learn more in our upcoming webinar (Register Now: Building Security into Development).

The NT OBJECTives and Coverity combined solution is:

  • Fully integrated into existing development workflow
  • Built in a language developers already understand
  • Enables developers to quickly and efficiently remediate security defects
  • Empowers developer to address and prioritize defects as code is written
Correlated results of an XSS vulnerability
Correlated results of an XSS vulnerability

The benefits of our IAST solution are:

Higher Results Confidence: By integrating NTOSpider with the Coverity Development Testing Platform, we’re enhancing our already highly accurate analysis by combining the detection of a potential vulnerability found through SAST, with verification through a real-time exploit attempt provided by DAST. The combined solution determines whether the vulnerability is real and where in the code is located.

Comprehensive Analysis From Two Perspectives: By combining the Coverity Development Testing Platform with NTOSpider, our customers know they are leveraging two state-of-the-art solutions to achieve maximum application coverage.

Increased Efficiency: Developers prioritize vulnerabilities quickly and easily from a single pane of glass and unified workflow.

Improved Collaboration between Security and Development: By combining results into one solution that developers already use, security and development teams can improve communication, prioritization and remediation efforts around security vulnerabilities.

To learn more:

 

NT OBJECTives Positioned in the “Visionaries” Quadrant of the Magic Quadrant for Dynamic Application Security Testing (DAST)

Recent Gartner research positioned NT OBJECTives in the Visionaries quadrant for Dynamic Application Security Testing(DAST).(i) Gartner’s report was published in December and is now available to all Gartner subscribers.

Analysts Neil MacDonald and Joseph Feiman state in the report that “Dynamic Application Security Testing (DAST) solutions should be considered mandatory to test all Web-enabled enterprise applications, as well as packaged and cloud-based application providers.” They go on to note that “the market is maturing, with a large number of established providers of products and services.”(ii)

We consider our positioning in the “Visionaries” quadrant by Gartner confirmation of our mission and ability to deliver technologies and services that solve today’s toughest application security software challenges. Web application security represents one of the greatest security challenges facing the information technology industry today. We will continue to innovate and deliver the products today’s security teams need. In the months ahead, we are excited to launch a number of products that will further enhance our market position and help our customers.

In the report, MacDonald and Feiman also note that “as organizations have improved the security of their network, desktop and server infrastructures, there has been a shift to application-level attacks as a way to gain access to the sensitive and valuable information they handle, or to use a breach of an application to gain access to the system underneath. In addition, there has been a shift in attacker focus from mass “noisy” attacks to financially motivated, targeted attacks. As a result of these trends, application security has become a top investment area for information security organizations, whether improving the security of applications developed in-house, procured from third parties or consumed as a service from cloud providers.”(iii)
Gartner clients may view a copy of the Magic Quadrant for Dynamic Application Security Testing (DAST) report via Neil MacDonald’s blog, “The Market for Dynamic Application Security Testing is Anything but Static”.

Disclaimer:
Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

About NT Objectives
NT OBJECTives, Inc brings together an innovative collection of experts in information security to provide a comprehensive suite of technologies and services to solve today’s toughest application security challenges. NT OBJECTives solutions are well known as the most comprehensive and accurate Web Application security solutions available. NT OBJECTives is privately held with headquarters in Irvine, CA.

(i) Gartner “Magic Quadrant for Dynamic Application Security Testing” by Neil MacDonald and Joseph Feiman, December 27,2011
(ii) Gartner “Magic Quadrant for Dynamic Application Security Testing” by Neil MacDonald and Joseph Feiman, December 27,2011
(iii) Gartner “Magic Quadrant for Dynamic Application Security Testing” by Neil MacDonald and Joseph Feiman, December 27,2011