|By PR Newswire||
|February 19, 2014 02:04 PM EST||
IRVINE, Calif., Feb. 19, 2014 /PRNewswire/ -- NT OBJECTives, Inc., provider of the most automated, comprehensive and accurate web application security solutions, announced today that its NTOSpider web application scanner is the first of the application scanners to effectively introduce automated security testing of complex application workflows, including shopping carts and registration sequences, delivering more automation, accuracy and scalability than other application scanners. NTOSpider is now uniquely capable of automatically understanding a workflow sequence and expected results, which enable it to automatically create relevant session states and find web application security vulnerabilities.
Today's businesses and government organizations are delivering sophisticated and complex applications to their customers and security teams are scrambling to keep pace. Large organizations have hundreds or thousands of web applications, many of them with complex workflows. Automated security testing of those workflows with application scanners will save a tremendous amount of time and enable security teams to find more vulnerabilities much sooner. It will also allow web application security teams to focus manual testing efforts where automated security testing is not an option.
"Until now, the only way to accurately test a complex application workflow like shopping cart or invoice processing has been manually. If it takes a tester 16 hours to test a complex workflow by hand and that organization has 20 applications with complex workflows, that can add up to over a month of testing." said Dan Kuykendall, co-CEO and CTO of NT OBJECTives. "When you're a global organization, with hundreds or thousands of applications, and you need to do quarterly web application security assessments, testing by hand just doesn't scale, vulnerabilities end up being missed or applications are not tested at all.
Application scanners' automated security testing traditionally consists of two phases. First is the crawl phase during which the scanner gathers information about the application and its attack vectors. This information is then used to perform the second part, the attack phase, during which the scanner randomly attacks the functionality. While attacking randomly is good for a lot of functionality, it does not work for complex workflows.
In an application workflow, data is being passed from one step to the next and in order to find web application security vulnerabilities, it is critical to use valid test data and pass it through just as the workflow prescribes. For example, in a shopping cart application, a user adds an item to their cart, clicks checkout, enters their address and credit card data and finally makes their purchase. Each step required data to be passed from the previous in order to complete the order. When conducting automated security testing, if application scanners attack the steps in a complex workflow randomly, it will miss vulnerabilities. For example, the scanner might attack a shipping form, but because there are no items in the cart, the application informs the user that they have no items in their cart and discards the attack payloads. The scanner doesn't even know this happened and misses web application security vulnerabilities as a result.
In automated security testing, application scanners must also follow the workflow through in its entirety. It is not enough to follow the workflow up to the point of attack. Imagine, for example, that the scanner attempts a SQL injection attack on the 'last name' field in the billing form. At that point the data is often held in temporary session storage. It isn't until the order confirmation page, when the user confirms the order and the information is sent to the SQL server, that the attack is executed. So if application scanners don't complete the workflow, the attack is never executed and the SQL injection vulnerability goes undetected.
The new release of NTOSpider, unlike other application scanners, properly respects the order of the workflow, which allows the attack payloads to be delivered into the application code where it can discover the web application security vulnerabilities.
"This new release of NTOSpider holds just one of the many innovations we have in store for automated security testing. Our roadmap has many exciting advancements that will enable our customers to continue to assess modern web applications efficiently and accurately and will strengthen our position as the leading innovator in web application security scanning."
To read more about how NTOSpider handles complex application workflows and other recent automated security testing innovations for software development and QA teams, visit www.ntobjectives.com or call 1-877-NTO-WEBS (1-877-686-9327).
Tweet: @ntobjectives adds complex application workflow support to #NTOSpider for improved #webappsec testing accuracy http://bit.ly/1jcH7mq
About NT OBJECTives, Inc.
NT OBJECTives, Inc. (NTO) is a provider of the most comprehensive and accurate automated security testing software, services and SaaS for web applications. NTO's customizable suite of solutions includes application security testing, SaaS scanning and in-depth consulting services to help companies build the most comprehensive, efficient and accurate web application security program. NT OBJECTives is privately held with headquarters in Irvine, CA. For more information, visit www.ntobjectives.com or follow us on Twitter at @ntobjectives or @dan_kuykendall.
SOURCE NT OBJECTives, Inc.
In a recent research, analyst firm IDC found that the average cost of a critical application failure is $500,000 to $1 million per hour and the average total cost of unplanned application downtime is $1.25 billion to $2.5 billion per year for Fortune 1000 companies. In addition to the findings on the cost of the downtime, the research also highlighted best practices for development, testing, application support, infrastructure, and operations teams.
Aug. 3, 2015 09:30 AM EDT Reads: 195
There are many considerations when moving applications from on-premise to cloud. It is critical to understand the benefits and also challenges of this migration. A successful migration will result in lower Total Cost of Ownership, yet offer the same or higher level of robustness. In his session at 15th Cloud Expo, Michael Meiner, an Engineering Director at Oracle, Corporation, analyzed a range of cloud offerings (IaaS, PaaS, SaaS) and discussed the benefits/challenges of migrating to each offe...
Aug. 3, 2015 07:30 AM EDT Reads: 180
Mobile, social, Big Data, and cloud have fundamentally changed the way we live. “Anytime, anywhere” access to data and information is no longer a luxury; it’s a requirement, in both our personal and professional lives. For IT organizations, this means pressure has never been greater to deliver meaningful services to the business and customers.
Aug. 3, 2015 07:15 AM EDT Reads: 227
Container technology is sending shock waves through the world of cloud computing. Heralded as the 'next big thing,' containers provide software owners a consistent way to package their software and dependencies while infrastructure operators benefit from a standard way to deploy and run them. Containers present new challenges for tracking usage due to their dynamic nature. They can also be deployed to bare metal, virtual machines and various cloud platforms. How do software owners track the usag...
Aug. 3, 2015 06:45 AM EDT Reads: 257
"We've just seen a huge influx of new partners coming into our ecosystem, and partners building unique offerings on top of our API set," explained Seth Bostock, Chief Executive Officer at IndependenceIT, in this SYS-CON.tv interview at 16th Cloud Expo, held June 9-11, 2015, at the Javits Center in New York City.
Aug. 2, 2015 10:00 PM EDT Reads: 679
Digital Transformation is the ultimate goal of cloud computing and related initiatives. The phrase is certainly not a precise one, and as subject to hand-waving and distortion as any high-falutin' terminology in the world of information technology. Yet it is an excellent choice of words to describe what enterprise IT—and by extension, organizations in general—should be working to achieve. Digital Transformation means: handling all the data types being found and created in the organizat...
Aug. 2, 2015 06:00 PM EDT Reads: 1,129
SYS-CON Events announced today that HPM Networks will exhibit at the 17th International Cloud Expo®, which will take place on November 3–5, 2015, at the Santa Clara Convention Center in Santa Clara, CA. For 20 years, HPM Networks has been integrating technology solutions that solve complex business challenges. HPM Networks has designed solutions for both SMB and enterprise customers throughout the San Francisco Bay Area.
Aug. 2, 2015 05:45 PM EDT Reads: 513
Chuck Piluso presented a study of cloud adoption trends and the power and flexibility of IBM Power and Pureflex cloud solutions. Prior to Secure Infrastructure and Services, Mr. Piluso founded North American Telecommunication Corporation, a facilities-based Competitive Local Exchange Carrier licensed by the Public Service Commission in 10 states, serving as the company's chairman and president from 1997 to 2000. Between 1990 and 1997, Mr. Piluso served as chairman & founder of International Te...
Aug. 2, 2015 04:00 PM EDT Reads: 426
The Software Defined Data Center (SDDC), which enables organizations to seamlessly run in a hybrid cloud model (public + private cloud), is here to stay. IDC estimates that the software-defined networking market will be valued at $3.7 billion by 2016. Security is a key component and benefit of the SDDC, and offers an opportunity to build security 'from the ground up' and weave it into the environment from day one. In his session at 16th Cloud Expo, Reuven Harrison, CTO and Co-Founder of Tufin,...
Aug. 2, 2015 03:00 PM EDT Reads: 549
SYS-CON Events announced today that MobiDev, a software development company, will exhibit at the 17th International Cloud Expo®, which will take place November 3–5, 2015, at the Santa Clara Convention Center in Santa Clara, CA. MobiDev is a software development company with representative offices in Atlanta (US), Sheffield (UK) and Würzburg (Germany); and development centers in Ukraine. Since 2009 it has grown from a small group of passionate engineers and business managers to a full-scale mobi...
Aug. 2, 2015 12:00 PM EDT Reads: 349
With SaaS use rampant across organizations, how can IT departments track company data and maintain security? More and more departments are commissioning their own solutions and bypassing IT. A cloud environment is amorphous and powerful, allowing you to set up solutions for all of your user needs: document sharing and collaboration, mobile access, e-mail, even industry-specific applications. In his session at 16th Cloud Expo, Shawn Mills, President and a founder of Green House Data, discussed h...
Aug. 2, 2015 11:45 AM EDT Reads: 481
For IoT to grow as quickly as analyst firms’ project, a lot is going to fall on developers to quickly bring applications to market. But the lack of a standard development platform threatens to slow growth and make application development more time consuming and costly, much like we’ve seen in the mobile space. In his session at @ThingsExpo, Mike Weiner, Product Manager of the Omega DevCloud with KORE Telematics Inc., discussed the evolving requirements for developers as IoT matures and conducte...
Aug. 2, 2015 11:15 AM EDT Reads: 357
One of the hottest areas in cloud right now is DRaaS and related offerings. In his session at 16th Cloud Expo, Dale Levesque, Disaster Recovery Product Manager with Windstream's Cloud and Data Center Marketing team, will discuss the benefits of the cloud model, which far outweigh the traditional approach, and how enterprises need to ensure that their needs are properly being met.
Aug. 2, 2015 09:00 AM EDT Reads: 1,698
In their session at 17th Cloud Expo, Hal Schwartz, CEO of Secure Infrastructure & Services (SIAS), and Chuck Paolillo, CTO of Secure Infrastructure & Services (SIAS), provide a study of cloud adoption trends and the power and flexibility of IBM Power and Pureflex cloud solutions. In his role as CEO of Secure Infrastructure & Services (SIAS), Hal Schwartz provides leadership and direction for the company.
Aug. 2, 2015 08:15 AM EDT Reads: 186
The Internet of Everything (IoE) brings together people, process, data and things to make networked connections more relevant and valuable than ever before – transforming information into knowledge and knowledge into wisdom. IoE creates new capabilities, richer experiences, and unprecedented opportunities to improve business and government operations, decision making and mission support capabilities.
Aug. 1, 2015 10:00 AM EDT Reads: 339