Welcome!

News Feed Item

NT OBJECTives, Inc. NTOSpider Introduces Complex Application Workflows in Automated Security Testing for Unprecedented Accuracy

Extensive User Interface and Scan Enhancements Allows Users to Achieve More Control and Visibility with Application Scanners

IRVINE, Calif., Feb. 19, 2014 /PRNewswire/ -- NT OBJECTives, Inc., provider of the most automated, comprehensive and accurate web application security solutions, announced today that its NTOSpider web application scanner is the first of the application scanners to effectively introduce automated security testing of complex application workflows, including shopping carts and registration sequences, delivering more automation, accuracy and scalability than other application scanners. NTOSpider is now uniquely capable of automatically understanding a workflow sequence and expected results, which enable it to automatically create relevant session states and find web application security vulnerabilities.

NT OBJECTives logo.

Today's businesses and government organizations are delivering sophisticated and complex applications to their customers and security teams are scrambling to keep pace. Large organizations have hundreds or thousands of web applications, many of them with complex workflows. Automated security testing of those workflows with application scanners will save a tremendous amount of time and enable security teams to find more vulnerabilities much sooner. It will also allow web application security teams to focus manual testing efforts where automated security testing is not an option.

"Until now, the only way to accurately test a complex application workflow like shopping cart or invoice processing has been manually. If it takes a tester 16 hours to test a complex workflow by hand and that organization has 20 applications with complex workflows, that can add up to over a month of testing." said Dan Kuykendall, co-CEO and CTO of NT OBJECTives. "When you're a global organization, with hundreds or thousands of applications, and you need to do quarterly web application security assessments, testing by hand just doesn't scale, vulnerabilities end up being missed or applications are not tested at all.

Application scanners' automated security testing traditionally consists of two phases. First is the crawl phase during which the scanner gathers information about the application and its attack vectors. This information is then used to perform the second part, the attack phase, during which the scanner randomly attacks the functionality. While attacking randomly is good for a lot of functionality, it does not work for complex workflows.

In an application workflow, data is being passed from one step to the next and in order to find web application security vulnerabilities, it is critical to use valid test data and pass it through just as the workflow prescribes. For example, in a shopping cart application, a user adds an item to their cart, clicks checkout, enters their address and credit card data and finally makes their purchase. Each step required data to be passed from the previous in order to complete the order. When conducting automated security testing, if application scanners attack the steps in a complex workflow randomly, it will miss vulnerabilities. For example, the scanner might attack a shipping form, but because there are no items in the cart, the application informs the user that they have no items in their cart and discards the attack payloads. The scanner doesn't even know this happened and misses web application security vulnerabilities as a result.

In automated security testing, application scanners must also follow the workflow through in its entirety. It is not enough to follow the workflow up to the point of attack. Imagine, for example, that the scanner attempts a SQL injection attack on the 'last name' field in the billing form. At that point the data is often held in temporary session storage. It isn't until the order confirmation page, when the user confirms the order and the information is sent to the SQL server, that the attack is executed. So if application scanners don't complete the workflow, the attack is never executed and the SQL injection vulnerability goes undetected.

The new release of NTOSpider, unlike other application scanners, properly respects the order of the workflow, which allows the attack payloads to be delivered into the application code where it can discover the web application security vulnerabilities.

"This new release of NTOSpider holds just one of the many innovations we have in store for automated security testing. Our roadmap has many exciting advancements that will enable our customers to continue to assess modern web applications efficiently and accurately and will strengthen our position as the leading innovator in web application security scanning."

To read more about how NTOSpider handles complex application workflows and other recent automated security testing innovations for software development and QA teams, visit www.ntobjectives.com or call 1-877-NTO-WEBS (1-877-686-9327).

Tweet: @ntobjectives adds complex application workflow support to #NTOSpider for improved #webappsec testing accuracy http://bit.ly/1jcH7mq

About NT OBJECTives, Inc.

NT OBJECTives, Inc. (NTO) is a provider of the most comprehensive and accurate automated security testing software, services and SaaS for web applications. NTO's customizable suite of solutions includes application security testing, SaaS scanning and in-depth consulting services to help companies build the most comprehensive, efficient and accurate web application security program. NT OBJECTives is privately held with headquarters in Irvine, CA. For more information, visit www.ntobjectives.com or follow us on Twitter at @ntobjectives or @dan_kuykendall.

Logo: http://photos.prnewswire.com/prnh/20131111/MM14750LOGO

SOURCE NT OBJECTives, Inc.

More Stories By PR Newswire

Copyright © 2007 PR Newswire. All rights reserved. Republication or redistribution of PRNewswire content is expressly prohibited without the prior written consent of PRNewswire. PRNewswire shall not be liable for any errors or delays in the content, or for any actions taken in reliance thereon.

Latest Stories
We are always online. We access our data, our finances, work, and various services on the Internet. But we live in a congested world of information in which the roads were built two decades ago. The quest for better, faster Internet routing has been around for a decade, but nobody solved this problem. We’ve seen band-aid approaches like CDNs that attack a niche's slice of static content part of the Internet, but that’s it. It does not address the dynamic services-based Internet of today. It does...
In his keynote at 18th Cloud Expo, Andrew Keys, Co-Founder of ConsenSys Enterprise, provided an overview of the evolution of the Internet and the Database and the future of their combination – the Blockchain. Andrew Keys is Co-Founder of ConsenSys Enterprise. He comes to ConsenSys Enterprise with capital markets, technology and entrepreneurial experience. Previously, he worked for UBS investment bank in equities analysis. Later, he was responsible for the creation and distribution of life sett...
The WebRTC Summit New York, to be held June 6-8, 2017, at the Javits Center in New York City, NY, announces that its Call for Papers is now open. Topics include all aspects of improving IT delivery by eliminating waste through automated business models leveraging cloud technologies. WebRTC Summit is co-located with 20th International Cloud Expo and @ThingsExpo. WebRTC is the future of browser-to-browser communications, and continues to make inroads into the traditional, difficult, plug-in web ...
20th Cloud Expo, taking place June 6-8, 2017, at the Javits Center in New York City, NY, will feature technical sessions from a rock star conference faculty and the leading industry players in the world. Cloud computing is now being embraced by a majority of enterprises of all sizes. Yesterday's debate about public vs. private has transformed into the reality of hybrid cloud: a recent survey shows that 74% of enterprises have a hybrid cloud strategy.
WebRTC is the future of browser-to-browser communications, and continues to make inroads into the traditional, difficult, plug-in web communications world. The 6th WebRTC Summit continues our tradition of delivering the latest and greatest presentations within the world of WebRTC. Topics include voice calling, video chat, P2P file sharing, and use cases that have already leveraged the power and convenience of WebRTC.
Without lifecycle traceability and visibility across the tool chain, stakeholders from Planning-to-Ops have limited insight and answers to who, what, when, why and how across the DevOps lifecycle. This impacts the ability to deliver high quality software at the needed velocity to drive positive business outcomes. In his general session at @DevOpsSummit at 19th Cloud Expo, Phil Hombledal, Solution Architect at CollabNet, discussed how customers are able to achieve a level of transparency that e...
"We're a cybersecurity firm that specializes in engineering security solutions both at the software and hardware level. Security cannot be an after-the-fact afterthought, which is what it's become," stated Richard Blech, Chief Executive Officer at Secure Channels, in this SYS-CON.tv interview at @ThingsExpo, held November 1-3, 2016, at the Santa Clara Convention Center in Santa Clara, CA.
The Internet of Things (IoT) promises to simplify and streamline our lives by automating routine tasks that distract us from our goals. This promise is based on the ubiquitous deployment of smart, connected devices that link everything from industrial control systems to automobiles to refrigerators. Unfortunately, comparatively few of the devices currently deployed have been developed with an eye toward security, and as the DDoS attacks of late October 2016 have demonstrated, this oversight can ...
Fact is, enterprises have significant legacy voice infrastructure that’s costly to replace with pure IP solutions. How can we bring this analog infrastructure into our shiny new cloud applications? There are proven methods to bind both legacy voice applications and traditional PSTN audio into cloud-based applications and services at a carrier scale. Some of the most successful implementations leverage WebRTC, WebSockets, SIP and other open source technologies. In his session at @ThingsExpo, Da...
Kubernetes is a new and revolutionary open-sourced system for managing containers across multiple hosts in a cluster. Ansible is a simple IT automation tool for just about any requirement for reproducible environments. In his session at @DevOpsSummit at 18th Cloud Expo, Patrick Galbraith, a principal engineer at HPE, discussed how to build a fully functional Kubernetes cluster on a number of virtual machines or bare-metal hosts. Also included will be a brief demonstration of running a Galera MyS...
Internet-of-Things discussions can end up either going down the consumer gadget rabbit hole or focused on the sort of data logging that industrial manufacturers have been doing forever. However, in fact, companies today are already using IoT data both to optimize their operational technology and to improve the experience of customer interactions in novel ways. In his session at @ThingsExpo, Gordon Haff, Red Hat Technology Evangelist, will share examples from a wide range of industries – includin...
Unless your company can spend a lot of money on new technology, re-engineering your environment and hiring a comprehensive cybersecurity team, you will most likely move to the cloud or seek external service partnerships. In his session at 18th Cloud Expo, Darren Guccione, CEO of Keeper Security, revealed what you need to know when it comes to encryption in the cloud.
Organizations planning enterprise data center consolidation and modernization projects are faced with a challenging, costly reality. Requirements to deploy modern, cloud-native applications simultaneously with traditional client/server applications are almost impossible to achieve with hardware-centric enterprise infrastructure. Compute and network infrastructure are fast moving down a software-defined path, but storage has been a laggard. Until now.
We're entering the post-smartphone era, where wearable gadgets from watches and fitness bands to glasses and health aids will power the next technological revolution. With mass adoption of wearable devices comes a new data ecosystem that must be protected. Wearables open new pathways that facilitate the tracking, sharing and storing of consumers’ personal health, location and daily activity data. Consumers have some idea of the data these devices capture, but most don’t realize how revealing and...
"We are an all-flash array storage provider but our focus has been on VM-aware storage specifically for virtualized applications," stated Dhiraj Sehgal of Tintri in this SYS-CON.tv interview at 19th Cloud Expo, held November 1-3, 2016, at the Santa Clara Convention Center in Santa Clara, CA.