
@stake Announces Release 2 of WebProxy; Interactive Security Tool Created by Renowned Security Experts Helps Software Engineers Build More Secure Web Applications.


Business Editors/High-Tech Writers

CAMBRIDGE, Mass.--(BUSINESS WIRE)--Dec. 17, 2002

@stake, Inc., (www.atstake.com) the world's largest independent digital security consulting firm, today announced the immediate commercial availability of @stake(R) WebProxy(TM), a powerful interactive security tool that helps software developers, quality assurance engineers, and security professionals test and enhance the security of Web applications. Sitting between the developer's browser and the Web application, WebProxy acts as a 'proxy' to let the developer observe precisely how the Web application responds to staged attacks, such as those that use buffer overflows, SQL injection, cookie manipulation, cross-site scripting or parameter manipulation. By identifying security vulnerabilities while applications are still in development, companies can cost-effectively improve the overall security of any Web application(1).

"Today's Web applications are subject to malicious activity by both authorized and unauthorized users," said Charles Kolodgy, Research Manager for Internet Security at IDC. "To combat this, corporations need to make sure that their applications are designed to protect data as it is being processed and stored."

Several studies have indicated that it is more cost-effective to address security vulnerabilities in software applications during the development phase versus after the application has been released to customers. If a malicious attack is successful on a Web application that is already in commercial use or production, companies must face costs associated with removing the application from production, assessing the damage to the application and the data it manages, as well as potentially considerable costs associated with loss of reputation and customer confidence that may result from the attack.

"Security in today's software industry is dominated by a penetrate-and-patch mentality, where the security of an application is more likely to be addressed after it has been released to customers," said Christopher A.R. Darby, Chairman and CEO of @stake. "As digital security consultants, we've helped hundreds of clients rectify Web application security flaws that could have been more easily and cost-effectively addressed during development or quality assurance testing. With the commercial introduction of @stake WebProxy, we're offering a powerful tool to help companies make immediate improvements in the security of any Web application."

About the New Release

@stake WebProxy was originally developed as a proprietary tool to be used exclusively by the company's security consultants on client engagements to assess Web applications for common security vulnerabilities. Since @stake posted the first release of WebProxy in April 2002 as a free, undocumented tool on the company's Web site, over 20,000 people have downloaded a copy. Because of the overwhelming response, the company has made a number of enhancements to the commercial release, including a new user interface, improved installation, comprehensive new documentation, and powerful new automated testing features.

How WebProxy Works

Designed to act as an HTTP/HTTPS proxy server, @stake WebProxy allows monitoring and manipulation of requests made by the browser to the Web application. @stake WebProxy offers the following features and benefits:

-- Re-submission and on-the-fly editing of previous requests, which allows the developer to test custom application attack scenarios. Editing capabilities include support for parsing of query parameters, request headers, and POST parameters, as well as cookie editing. Requests can be automatically modified based on a matching regular expression for ease-of-use.

-- Logging of requests and replies to text files, allowing the developer to maintain a record of past requests for use in regression testing.

-- Dynamic certificate generation, enabling transparent support for testing SSL-enabled applications.

-- Cookie management, hashing, and decoding utilities, providing a convenient interface for analyzing encoded application traffic.

-- Quashing of header parameters, allowing the developer to observe how the application reacts when certain headers are missing.

In addition, the following features have been added to the commercial release:

-- Automated fault injection or "fuzzing" of request parameters, which can be used to test for SQL injection, directory traversal, cross-site scripting, buffer overflows and character set vulnerabilities.

-- Support for Proxy Chaining, which allows WebProxy to be used in conjunction with existing proxy servers.

-- Comprehensive new documentation.

-- New user interface.

-- Performance enhancements.

System Requirements

WebProxy can be used to test Web applications that are running on any platform. WebProxy runs on the developer's client system, which can be any of the following:

-- Microsoft Windows (Win32) including NT, 2000, and XP

-- Sun Solaris (SPARC) with X-Windows

-- Linux (x86) with X-Windows


WebProxy has been designed to work with any Web browser that has proxy support. Release 2 of WebProxy has been tested with Netscape 4.79 and 6.2, Internet Explorer 5.5 and 6.0, and Mozilla 1.1.

Licensing, Pricing and Support

A Free Demonstration & Evaluation version of @stake WebProxy is available at www.atstake.com/webproxy. This version does not support SSL, but developers can test all other WebProxy features using the first three fields of any Web form.

Enterprise Licenses are available to individuals or groups of developers building applications for internal use, or commercial off-the-shelf (COTS) applications for sale to customers.

-- The Single User Enterprise License allows one individual to use WebProxy to test an unlimited number of Web applications, and is offered for $995, which includes one year of technical support and software maintenance.

-- Multi-user Enterprise Licenses are available for 5 users at $4,725, 10 users at $8,950 and 25 users at $21,000, which include one year of technical support and software maintenance.

After the first year, technical support and software maintenance are available for 20% of the list price.

Consulting Licenses are available to professional IT or security consulting organizations.

-- The Single User Consultant License allows one individual to use WebProxy to test an unlimited number of Web applications for an unlimited number of clients, and is offered for $2,985, which includes one year of technical support and software maintenance.

-- Multi-user Consultant Licenses are available for 5 users at $14,000, 10 users at $27,000 and 25 users at $63,000, which include one year of technical support and software maintenance.

After the first year, technical support and software maintenance are available for 20% of the list price.

Site licenses are also available. Please call us at 617.768.2715 to discuss your requirements.

Special Introductory Offers

-- For upgraders: WebProxy Release 1 users who place an order for Release 2 by December 31, 2002 qualify for a special upgrade price of $500 for a full Single User Enterprise License. To request the special upgrade pricing, visit www.atstake.com/webproxy.

-- Free Copy for @stake Academy Students: WebProxy is covered in two @stake Academy courses, "Application Security Principals" and "Cyber Attacks & Countermeasures." Attendees to either @stake Academy course held between today and March 31, 2003 qualify for a free Single User Enterprise License. To register for a course, visit www.atstake.com/services/education.

Availability & Ordering

@stake WebProxy may be purchased from www.atstake.com/webproxy using MasterCard, VISA or American Express. To submit a purchase order, please send a fax to 617.621.3073, or to place an order by telephone, please call 617.768.2715.

About @stake Security Tools

In addition to WebProxy, the security experts at @stake have authored a number of useful security tools and administration utilities for IT and security professionals, including @stake LC4, the award-winning password auditing tool used by thousands of IT professionals around the world. To find out how to purchase LC4, or for more information, visit www.atstake.com/research/tools.

About @stake

@stake, Inc., the world's largest independent digital consulting firm, provides digital security services and award-winning tools to secure critical infrastructure and protect electronic relationships. The company's SmartRisk(SM) services cover all aspects of security, including applications, critical infrastructure, wireless and wired networks, storage systems, and forensic analysis. @stake consultants combine business experience and technical expertise to create comprehensive security solutions for leading companies in financial services, telecommunications, energy, healthcare, and manufacturing. Using the @stake Security Blueprint(TM), clients keep security investments in line with business requirements. Headquartered in Cambridge, MA, @stake has offices in London, New York, Raleigh, San Francisco, and Seattle. For more information, go to www.atstake.com.

(1) See "The Security of Applications: Not All are Created Equal," A. Jaquith, @stake, available at http://www.atstake.com/research/reports
COPYRIGHT 2002 Business Wire
No portion of this article can be reproduced without the express written permission from the copyright holder.
Copyright 2002, Gale Group. All rights reserved. Gale Group is a Thomson Corporation Company.
