Welcome!

News Feed Item

NT OBJECTives, Inc. NTOSpider Introduces Complex Application Workflows in Automated Security Testing for Unprecedented Accuracy

Extensive User Interface and Scan Enhancements Allows Users to Achieve More Control and Visibility with Application Scanners

IRVINE, Calif., Feb. 19, 2014 /PRNewswire/ -- NT OBJECTives, Inc., provider of the most automated, comprehensive and accurate web application security solutions, announced today that its NTOSpider web application scanner is the first of the application scanners to effectively introduce automated security testing of complex application workflows, including shopping carts and registration sequences, delivering more automation, accuracy and scalability than other application scanners. NTOSpider is now uniquely capable of automatically understanding a workflow sequence and expected results, which enable it to automatically create relevant session states and find web application security vulnerabilities.

NT OBJECTives logo.

Today's businesses and government organizations are delivering sophisticated and complex applications to their customers and security teams are scrambling to keep pace. Large organizations have hundreds or thousands of web applications, many of them with complex workflows. Automated security testing of those workflows with application scanners will save a tremendous amount of time and enable security teams to find more vulnerabilities much sooner. It will also allow web application security teams to focus manual testing efforts where automated security testing is not an option.

"Until now, the only way to accurately test a complex application workflow like shopping cart or invoice processing has been manually. If it takes a tester 16 hours to test a complex workflow by hand and that organization has 20 applications with complex workflows, that can add up to over a month of testing." said Dan Kuykendall, co-CEO and CTO of NT OBJECTives. "When you're a global organization, with hundreds or thousands of applications, and you need to do quarterly web application security assessments, testing by hand just doesn't scale, vulnerabilities end up being missed or applications are not tested at all.

Application scanners' automated security testing traditionally consists of two phases. First is the crawl phase during which the scanner gathers information about the application and its attack vectors. This information is then used to perform the second part, the attack phase, during which the scanner randomly attacks the functionality. While attacking randomly is good for a lot of functionality, it does not work for complex workflows.

In an application workflow, data is being passed from one step to the next and in order to find web application security vulnerabilities, it is critical to use valid test data and pass it through just as the workflow prescribes. For example, in a shopping cart application, a user adds an item to their cart, clicks checkout, enters their address and credit card data and finally makes their purchase. Each step required data to be passed from the previous in order to complete the order. When conducting automated security testing, if application scanners attack the steps in a complex workflow randomly, it will miss vulnerabilities. For example, the scanner might attack a shipping form, but because there are no items in the cart, the application informs the user that they have no items in their cart and discards the attack payloads. The scanner doesn't even know this happened and misses web application security vulnerabilities as a result.

In automated security testing, application scanners must also follow the workflow through in its entirety. It is not enough to follow the workflow up to the point of attack. Imagine, for example, that the scanner attempts a SQL injection attack on the 'last name' field in the billing form. At that point the data is often held in temporary session storage. It isn't until the order confirmation page, when the user confirms the order and the information is sent to the SQL server, that the attack is executed. So if application scanners don't complete the workflow, the attack is never executed and the SQL injection vulnerability goes undetected.

The new release of NTOSpider, unlike other application scanners, properly respects the order of the workflow, which allows the attack payloads to be delivered into the application code where it can discover the web application security vulnerabilities.

"This new release of NTOSpider holds just one of the many innovations we have in store for automated security testing. Our roadmap has many exciting advancements that will enable our customers to continue to assess modern web applications efficiently and accurately and will strengthen our position as the leading innovator in web application security scanning."

To read more about how NTOSpider handles complex application workflows and other recent automated security testing innovations for software development and QA teams, visit www.ntobjectives.com or call 1-877-NTO-WEBS (1-877-686-9327).

Tweet: @ntobjectives adds complex application workflow support to #NTOSpider for improved #webappsec testing accuracy http://bit.ly/1jcH7mq

About NT OBJECTives, Inc.

NT OBJECTives, Inc. (NTO) is a provider of the most comprehensive and accurate automated security testing software, services and SaaS for web applications. NTO's customizable suite of solutions includes application security testing, SaaS scanning and in-depth consulting services to help companies build the most comprehensive, efficient and accurate web application security program. NT OBJECTives is privately held with headquarters in Irvine, CA. For more information, visit www.ntobjectives.com or follow us on Twitter at @ntobjectives or @dan_kuykendall.

Logo: http://photos.prnewswire.com/prnh/20131111/MM14750LOGO

SOURCE NT OBJECTives, Inc.

More Stories By PR Newswire

Copyright © 2007 PR Newswire. All rights reserved. Republication or redistribution of PRNewswire content is expressly prohibited without the prior written consent of PRNewswire. PRNewswire shall not be liable for any errors or delays in the content, or for any actions taken in reliance thereon.

Latest Stories
Is the ongoing quest for agility in the data center forcing you to evaluate how to be a part of infrastructure automation efforts? As organizations evolve toward bimodal IT operations, they are embracing new service delivery models and leveraging virtualization to increase infrastructure agility. Therefore, the network must evolve in parallel to become equally agile. Read this essential piece of Gartner research for recommendations on achieving greater agility.
Today we can collect lots and lots of performance data. We build beautiful dashboards and even have fancy query languages to access and transform the data. Still performance data is a secret language only a couple of people understand. The more business becomes digital the more stakeholders are interested in this data including how it relates to business. Some of these people have never used a monitoring tool before. They have a question on their mind like “How is my application doing” but no id...
Kubernetes, Docker and containers are changing the world, and how companies are deploying their software and running their infrastructure. With the shift in how applications are built and deployed, new challenges must be solved. In his session at @DevOpsSummit at19th Cloud Expo, Sebastian Scheele, co-founder of Loodse, will discuss the implications of containerized applications/infrastructures and their impact on the enterprise. In a real world example based on Kubernetes, he will show how to ...
SYS-CON Events announced today that Venafi, the Immune System for the Internet™ and the leading provider of Next Generation Trust Protection, will exhibit at @DevOpsSummit at 19th International Cloud Expo, which will take place on November 1–3, 2016, at the Santa Clara Convention Center in Santa Clara, CA. Venafi is the Immune System for the Internet™ that protects the foundation of all cybersecurity – cryptographic keys and digital certificates – so they can’t be misused by bad guys in attacks...
Pulzze Systems was happy to participate in such a premier event and thankful to be receiving the winning investment and global network support from G-Startup Worldwide. It is an exciting time for Pulzze to showcase the effectiveness of innovative technologies and enable them to make the world smarter and better. The reputable contest is held to identify promising startups around the globe that are assured to change the world through their innovative products and disruptive technologies. There w...
SYS-CON Events announced today Telecom Reseller has been named “Media Sponsor” of SYS-CON's 19th International Cloud Expo, which will take place on November 1–3, 2016, at the Santa Clara Convention Center in Santa Clara, CA. Telecom Reseller reports on Unified Communications, UCaaS, BPaaS for enterprise and SMBs. They report extensively on both customer premises based solutions such as IP-PBX as well as cloud based and hosted platforms.
To paraphrase someone famous, "The definition of insanity is to do something the same way over and over again and expect a different result". Humans are creatures of habit and when it comes to storage, old habits die hard. Why do we continue to put our faith in legacy storage providers when they haven't invented anything new in decades. Sure, they re-badge their products every couple of years to make their messaging look modern, but ultimately, it's the same old stuff with a new coat of lipsti...
StarNet Communications Corp has announced the addition of three Secure Remote Desktop modules to its flagship X-Win32 PC X server. The new modules enable X-Win32 to safely tunnel the remote desktops from Linux and Unix servers to the user’s PC over encrypted SSH. Traditionally, users of PC X servers deploy the XDMCP protocol to display remote desktop environments such as the Gnome and KDE desktops on Linux servers and the CDE environment on Solaris Unix machines. XDMCP is used primarily on comp...
Smart Cities are here to stay, but for their promise to be delivered, the data they produce must not be put in new siloes. In his session at @ThingsExpo, Mathias Herberts, Co-founder and CTO of Cityzen Data, will deep dive into best practices that will ensure a successful smart city journey.
Using new techniques of information modeling, indexing, and processing, new cloud-based systems can support cloud-based workloads previously not possible for high-throughput insurance, banking, and case-based applications. In his session at 18th Cloud Expo, John Newton, CTO, Founder and Chairman of Alfresco, described how to scale cloud-based content management repositories to store, manage, and retrieve billions of documents and related information with fast and linear scalability. He addres...
SYS-CON Events announced today that StarNet Communications will exhibit at the 19th International Cloud Expo, which will take place on November 1–3, 2016, at the Santa Clara Convention Center in Santa Clara, CA. StarNet Communications’ FastX is the industry first cloud-based remote X Windows emulator. Using standard Web browsers (FireFox, Chrome, Safari, etc.) users from around the world gain highly secure access to applications and data hosted on Linux-based servers in a central data center. ...
Aspose.Total for .NET is the most complete package of all file format APIs for .NET as offered by Aspose. It empowers developers to create, edit, render, print and convert between a wide range of popular document formats within any .NET, C#, ASP.NET and VB.NET applications. Aspose compiles all .NET APIs on a daily basis to ensure that it contains the most up to date versions of each of Aspose .NET APIs. If a new .NET API or a new version of existing APIs is released during the subscription peri...
The 19th International Cloud Expo has announced that its Call for Papers is open. Cloud Expo, to be held November 1-3, 2016, at the Santa Clara Convention Center in Santa Clara, CA, brings together Cloud Computing, Big Data, Internet of Things, DevOps, Digital Transformation, Microservices and WebRTC to one location. With cloud computing driving a higher percentage of enterprise IT budgets every year, it becomes increasingly important to plant your flag in this fast-expanding business opportuni...
DevOps at Cloud Expo – being held November 1-3, 2016, at the Santa Clara Convention Center in Santa Clara, CA – announces that its Call for Papers is open. Born out of proven success in agile development, cloud computing, and process automation, DevOps is a macro trend you cannot afford to miss. From showcase success stories from early adopters and web-scale businesses, DevOps is expanding to organizations of all sizes, including the world's largest enterprises – and delivering real results. Am...
To leverage Continuous Delivery, enterprises must consider impacts that span functional silos, as well as applications that touch older, slower moving components. Managing the many dependencies can cause slowdowns. See how to achieve continuous delivery in the enterprise.