[ISN] Software Acts As Robotic Hacker
From: InfoSec News (isn@C4I.ORG)
Date: Thu Jun 22 2000 - 00:52:10 CDT
By Rutrell Yasin, InternetWeek
Jun 21, 2000 (3:25 PM)
The best way to determine if your IT infrastructure is secure is to
have a hacker try to break into your corporate systems. Short of that,
software that simulates attacks is the next best thing. Wednesday,
Sanctum rolled out an automated audit tool that analyzes Web
applications, points to security glitches, and provides advice on how
to fix any vulnerability.
Generally, security holes are found within in-house or third-party
applications. Sanctum (formerly Perfecto Technologies) already
provides software called AppShield that prevents unauthorized users
from manipulating any type of application. AppShield recognizes the
application's security policy by analyzing the outbound HTML pages and
then enforces compliance with the policy for each incoming HTTP
However, a large e-business with "5,000 Web servers can't apply
AppShield on every server," said Eran Reshef, Sanctum's co-founder and
senior vice president. As a result, the new AppScan is designed to
automatically ferret out and repair glitches that would normally take
IT managers hours to manually patch and upgrade, Reshef added.
At the heart of AppScan is the Policy Recognition Engine, which
analyzes the application while an auditor browses through it.
AppScan's RoboHacker feature can then generate potential hacks such as
hidden manipulation code, parameter tampering, cookie poisoning and
buffer overflows, as well as search for dangerous content.
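The two mechanisms described above, a policy learned from the application's outbound HTML and attack requests checked against it, can be illustrated with a small worked example. The following Python is an added example written for this page, not Sanctum's code or AppShield's actual policy model. It assumes a hypothetical positive-security model keyed on form action and field names: hidden fields must come back unchanged, select fields must carry one of the offered options, text fields must respect their maxlength, and parameters the page never offered are rejected. The outbound page and the incoming requests are constructed sample data.

```python
from html.parser import HTMLParser
from urllib.parse import parse_qs

# Constructed sample: the HTML page the application sends to the browser.
OUTBOUND_HTML = """
<html><body>
<form action="/checkout" method="POST">
  <input type="hidden" name="item" value="SKU-1001">
  <input type="hidden" name="price" value="49.99">
  <input type="text" name="qty" maxlength="2">
  <select name="ship">
    <option value="ground">Ground</option>
    <option value="air">Air</option>
  </select>
  <input type="submit" value="Buy">
</form>
</body></html>
"""


class PolicyRecognizer(HTMLParser):
    """Derive a per-form policy (hypothetical model) from an outbound page."""

    def __init__(self):
        super().__init__()
        self.policies = {}      # form action -> {field name: constraint dict}
        self._action = None     # action of the form currently being parsed
        self._select = None     # name of the <select> currently being parsed

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._action = a.get("action", "")
            self.policies.setdefault(self._action, {})
            return
        if self._action is None:
            return  # ignore markup outside any form
        fields = self.policies[self._action]
        if tag == "input":
            name = a.get("name")
            if not name:
                return
            itype = a.get("type", "text")
            if itype == "hidden":
                # A hidden field is server state; the browser must echo it unchanged.
                fields[name] = {"fixed": a.get("value", "")}
            elif itype != "submit":
                rule = {}
                if "maxlength" in a:
                    rule["maxlength"] = int(a["maxlength"])
                fields[name] = rule
        elif tag == "select":
            self._select = a.get("name")
            if self._select:
                fields[self._select] = {"choices": set()}
        elif tag == "option" and self._select:
            fields[self._select]["choices"].add(a.get("value", ""))

    def handle_endtag(self, tag):
        if tag == "form":
            self._action = None
        elif tag == "select":
            self._select = None


def learn_policy(html):
    """Return {action: {field: constraint}} learned from the outbound HTML."""
    recognizer = PolicyRecognizer()
    recognizer.feed(html)
    return recognizer.policies


def check_request(policies, path, body):
    """Compare an incoming form POST to the learned policy; return violations."""
    policy = policies.get(path)
    if policy is None:
        return ["no policy learned for %s" % path]
    params = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    violations = []
    for name, value in params.items():
        rule = policy.get(name)
        if rule is None:
            violations.append("unexpected parameter %r" % name)
            continue
        if "fixed" in rule and value != rule["fixed"]:
            violations.append("hidden field %r changed from %r to %r"
                              % (name, rule["fixed"], value))
        if "choices" in rule and value not in rule["choices"]:
            violations.append("parameter %r value %r not among offered options"
                              % (name, value))
        if "maxlength" in rule and len(value) > rule["maxlength"]:
            violations.append("parameter %r exceeds maxlength %d"
                              % (name, rule["maxlength"]))
    return violations


# Constructed sample requests: one legitimate, the rest the kinds of probes
# the article lists (hidden-field manipulation, parameter tampering, overlong input).
SAMPLE_REQUESTS = {
    "legitimate": "item=SKU-1001&price=49.99&qty=2&ship=ground",
    "hidden_field": "item=SKU-1001&price=0.01&qty=2&ship=ground",
    "bad_option": "item=SKU-1001&price=49.99&qty=2&ship=free",
    "overlong": "item=SKU-1001&price=49.99&qty=" + "9" * 4000 + "&ship=ground",
    "extra_param": "item=SKU-1001&price=49.99&qty=2&ship=ground&admin=1",
}


def audit_samples():
    """Run every sample request through the policy; return {label: violations}."""
    policies = learn_policy(OUTBOUND_HTML)
    return {label: check_request(policies, "/checkout", body)
            for label, body in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for label, found in audit_samples().items():
        print(label, "->", found or "ok")
```

The learned policy is only as good as the pages the auditor browsed: a form the recognizer never saw gets no policy, which is the same limitation the article raises when it says a capable person has to drive the tool and read its results.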
If an attack is successful, it can be written into a report, and
advice on how to fix the problem is generated by the RoboAdvisor
AppScan performs the "same functions that a good consulting firm would
do when it performs a penetration test," said Gartner Group analyst
However, the tool may be too sophisticated for the average e-business,
which lacks security expertise in-house, Pescatore said.
"For the tool to be effective, companies would need a real smart
person to initiate the attack and then to interpret the results," he
said. "It might be beyond what [the typical] e-businesses can do,
except for the high-end sites with expertise in-house."
Pescatore said the tool would initially be popular among consultants
who perform security audits for companies. Reshef said Yahoo (stock:
YHOO) and Lycos's (stock: LCOS) Quote.com are early beta testers of
AppScan will be available in the third quarter. Pricing is
subscription-based, ranging between $20,000 and $75,000 per auditor.
ISN is hosted by SecurityFocus.com