
WebInspect Detects Site Defects

Scanning Options

WebInspect lets you run a safe scan, a full scan or an assault scan. The safe scan checks for database errors and other nonthreatening problems, and performs attacks that aren't likely to cause your server to crash. The full scan includes some attacks that may cause a crash. The assault scan shoots off attacks that can cause a DoS (denial of service) failure--not a good idea if you can't afford the downtime. You can customize the tests and view every test being performed for each scan. Or you can write your own attacks.

I installed WebInspect on a Microsoft Windows 2000 workstation--no agents or additional software needed. I ran a full scan against five production Web servers that are part of our Syracuse University Real-World Labs®, four running Microsoft IIS and one running Apache. I also ran an assault scan on a test machine.

No matter which scan you run, the software crawls through the site first, indexing every page and directory. I scanned relatively small sites and each scan took at least an hour. WebInspect then examined each directory, looking for problematic files, such as email_list.txt, old versions of applications and backup files.
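A defender-side counterpart to the directory check described above, added here and not code from the review or from SPI Dynamics' product: it walks a local copy of the web root before deployment and flags the same classes of leftover files (address lists such as email_list.txt, stale application versions, backup copies) that the scanner would otherwise find on the live site. The category names, pattern sets and the sample tree are constructed for illustration.

```python
"""Pre-deployment audit of a web root for leftover files a scanner would flag.
Added example; the indicator patterns and sample tree are constructed."""
import os
import re
import tempfile

# Constructed indicator sets: editor/backup copies, archives, stale versions,
# and data files whose name suggests a list of people or credentials.
BACKUP_SUFFIXES = (".bak", ".old", ".orig", ".swp", ".tmp", "~")
ARCHIVE_SUFFIXES = (".zip", ".tar", ".gz", ".rar")
STALE_VERSION_RE = re.compile(r"(_v\d+|\.v\d+|_old|_backup|copy( of)?[ _])")
SENSITIVE_NAME_RE = re.compile(
    r"(email|mail|user|customer|password)[_-]?(list|s)?\.(txt|csv|xls)$")


def classify(relpath):
    """Return a finding category for a path relative to the web root, or None."""
    name = os.path.basename(relpath).lower()
    if name.endswith(BACKUP_SUFFIXES):
        return "backup-copy"
    if name.endswith(ARCHIVE_SUFFIXES):
        return "archive"
    if SENSITIVE_NAME_RE.search(name):
        return "sensitive-list"
    if STALE_VERSION_RE.search(name):
        return "stale-version"
    return None


def audit_webroot(root):
    """Walk the tree (as the scanner walks the site) and return sorted findings."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            rel = os.path.relpath(os.path.join(dirpath, fname), root)
            category = classify(rel)
            if category:
                findings.append((rel.replace(os.sep, "/"), category))
    return sorted(findings)


def build_sample_tree():
    """Constructed sample web root: normal content with a few leftovers mixed in."""
    root = tempfile.mkdtemp(prefix="webroot_")
    for rel in ["index.html", "login.asp", "images/logo.gif",
                "admin/email_list.txt", "login.asp.bak", "app/config_v1.inc",
                "app/Copy of default.asp", "site_2002.zip", "notes.txt~"]:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()
    return root


if __name__ == "__main__":
    for rel, category in audit_webroot(build_sample_tree()):
        print(f"{category:15} {rel}")
```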

Good
• Discovers coding bugs
• Provides excellent report information
• Easy to use

Bad
• Full scan takes a long time to complete
• License is hard-coded to test Web server IP address

Vendor Info
WebInspect starts at $4,995. SPI Dynamics, (866) 774-2700, (678) 781-4800. www.spidynamics.com

With an attack scan, WebInspect does a combination of Web server testing and client-side script inspection. In my tests, it discovered the test systems all had unpatched buffer-overflow vulnerabilities. It also found bugs in several Web applications, including Microsoft FrontPage. The software tests parameter manipulation, cross-site scripting and pages or parameters that produce database error messages. It does not check or inspect any code or scripts on the server that aren't accessible by a Web user.