Google gives away free Web application security scanner
Google has released for free one of its internal tools used for testing the security of Web-based applications.
Ratproxy, released under an Apache 2.0 software license, looks for a variety of coding problems in Web applications, such as errors that could allow a cross-site scripting attack or cause caching problems. "We decided to make this tool freely available as open source because we feel it will be a valuable contribution to the information security community, helping advance the community's understanding of security challenges associated with contemporary web technologies," wrote Google's Michal Zalewski on a company security blog.
Ratproxy -- released as version 1.51 beta -- is quick and less intrusive than other scanners in that it is passive and does not generate a high volume of attack-simulating traffic when running, Zalewski wrote. Active scanners can cause problems with application performance.
The tool sniffs content and can pick out snippets of JavaScript from style sheets. It also supports SSL (Secure Socket Layer) scanning, among other features.
Since it runs in a passive mode, Ratproxy highlights areas of concern that "are not necessarily indicative of actual security flaws. The information gathered during
a testing session should be then interpreted by a security professional with a good understanding of the common problems and security models employed in web
applications," Zalewski wrote.
Google has posted an overview of Ratproxy as well as a download link to the
source code. Code licensed under the Apache 2.0 license may be incorporated in derivative works, including commercial ones, but the origin of the code must be
acknowledged.
Weak web application security continues to embarrass
companies, potentially causing the loss of customer or financial data.
A 2006 survey by the Web Application Security Consortium found that 85.57 percent of 31,373 sites were vulnerable to cross-site scripting attacks, 26.38 percent were vulnerable to SQL injection and 15.70 percent had other faults that could lead to data loss.
As a result, security vendors have moved to fill the
need for better security tools, with large technology companies acquiring smaller, specialized companies in the field.
In June 2007, IBM bought Watchfire, a company that focused on Web application vulnerability scanning,
data protection and compliance auditing. Two weeks later, Hewlett-Packard said it would buy SPI Dynamics, a rival of Watchfire whose software also looks for vulnerabilities in Web applications as well as performing compliance audits.
IDG News Service
Symantec Backup Exec 12 and Backup Exec System Recovery 8 deliver industry leading Windows data protection and system recovery. Download this whitepaper to find out the top reasons to upgrade and how to get continuous data protection and complete system recovery.
Data and system loss — from a hard drive failure, malicious attack, natural disaster, or simple human error — can happen anytime. Don’t leave your business vulnerable. Make sure you have a secure recovery strategy in place. Symantec's latest backup and system recovery technology can efficiently restore critical applications, individual emails and documents and even restore your entire system in minutes in the event of a loss.
Businesses face a growing challenge to ensure that the IT environment is properly protected. Backup Exec 12 integrates with other applications in the Symantec family of products, to complement your current data protection strategy, keep your data securely backed up and make it recoverable when you need it most.
Enterprise 2.0 Implementation
By Aaron C. Newman, Jeremy Thomas
Published by McGraw-Hill
Learn more!
Deploying Cisco Wide Area Application Services
By Zach Seils, Joel Christner
Published by Cisco Press
Learn more!
