3. security. protection. intelligence.
Today over 70% of attacks against a company's Web site or Web application come at the 'Application Layer', not the Network or System layer.
A complete security solution requires attention at each potential
point of attack.
4. security. protection. intelligence.
Q: So how do we remedy this situation?
A: Enact policies requiring your developers to write secure code.
• Verify all request parameters are in proper format (via a standard library)
• Any unknown or incorrect user data should be logged and terminated.
5. security. protection. intelligence.
But if you instituted this policy, how
would you effectively enforce it?
What measures would you have in
place to make sure that they comply?
“An unenforceable policy, or one without a process to determine the outlined specifications, is just as good as no policy at all.”
8. security. protection. intelligence.
Q: How can SPI Dynamics do all of this and the others can’t?
A: Because other Scanners are a security Broadsword, where ours is a Security Scalpel.
WebInspect™ is NOT meant to replace any tools that are currently being used; instead it complements them.
11. security. protection. intelligence.
WebInspect™
Scans authentication codes
Assesses security procedures
Carves into confidential data
… Just like a hacker would
[Diagram: Internet, IDS, Firewall, Web Server, Database Server, Users Database, CC#’s Database]
12. security. protection. intelligence.
WebInspect™ automates our security expertise so that customers can simulate an
advanced web-application attack on their own. WebInspect™ detects holes in
both standard and proprietary applications, and crawls over the entire website in
search of potential security problems.
15. security. protection. intelligence.
Features & Benefits of WebInspect™
• Unique Focus: Your proprietary Web site or Web application
• Superior Scanning: Products codify our security expertise
• Extremely Fast: WebInspect™ runs in minutes/hours vs. the days/weeks it takes to complete traditional vulnerability assessments
• Automated: Continuously maintain your security integrity
• Updated: Continuously keep up to date on the latest vulnerabilities with the online update feature
• Simple & Cost Effective: Licensed per IP address or per consultant
• Risk-Free: Offered on a trial basis at no cost
16. security. protection. intelligence.
How does WebInspect™ do this?
Hidden Manipulation
Parameter Tampering
Cookie Poisoning
Stealth Commanding
Forceful Browsing
Backdoor/Debug Options
Configuration Subversion
Vendor-Assisted Hacking
17. security. protection. intelligence.
The SPI Works Product Suite

WebInspect™ (Application Assessment): Know your vulnerabilities
• Use WebInspect™ to assess current Web sites or Web applications.
• Use WebInspect™ to QA new applications during development prior to release into production.
• Available now

LogAlert™ (Application Log Audit): Know if you have been attacked
• Use LogAlert™ to audit Web logs to know if an attacker has successfully compromised your Web site or Web application.
• Use LogAlert™ after you have been attacked for Web log forensic analysis.
• Available now

WebDefend™ (Application Intrusion Protection): Proactively stop attacks
• Use WebDefend™ to proactively stop Web site or Web application intrusions.
• Available Q2 2002
18. security. protection. intelligence.
Our Company
• Founded in April 2000 by recognized Information Security industry experts
• Released WebInspect™ in April 2001
• HQ in Atlanta, Georgia
• Resellers in New York, Chicago, Washington D.C., Knoxville, Miami, London
• SPI serves clients in each of the following vertical industries: HealthCare, Insurance, Financial Services, Government, Global Enterprise, Consulting
19. security. protection. intelligence.
SPI Dynamics is the leading provider of
automated Web Application security products.
SPI develops “hands-off” security products that
contain the knowledge and expertise of an
information security professional embedded in the
code.
The embedded “hacker logic” enables our software to
think for the end-user, making their job easier.