Jolt Awards

Jolts 2007: Security

Jolt Winner

AppScan

Armando Bioc, Security Consultant

AppScan has earned a place as a must-have security tool. AppScan has the ability to scan web applications as well as web services for security risks. It also provides a range of scan types, depending on how extensive a scan is needed. It includes a wide range of test types to tailor scans to specific needs. Platform concerns can be put at ease, as AppScan supports both .NET and J2EE. Not only is AppScan a tool for security teams, but it is intended for use within infrastructure, QA, and development teams as well. Scans can be run for wide ranging, all-encompassing tests, but also to search for specific vulnerabilities.

The Test Policy Manager gives users a clear presentation of which tests are being run, as well as how the tests are being run. This makes it easy to read and understand the extent of the tests. As if running comprehensive tests were not enough, AppScan has the ability to compare tests over time. This is one impressive feature -- this means that you can view the changes of test scenarios and application security over time. This helps to identify trends in application stability from one time to another.

However, finding weaknesses is one thing, resolving them is another. AppScan does just that by providing recommended fixes for the vulnerabilities that it detects, and provides information specific to .NET or J2EE, depending on your platform. In addition to security scanning and reporting problems, it gives a very useful screen capture feature to associate a visual record with the results. Whatever you do, don't overlook this feature. While AppScan provides a great deal of information on vulnerabilities and remedies, the screen capture feature allows you to associate actual output with specific test results of your own application for future use. This means that the more you use AppScan for your application, the better your team will be at understanding, tracking down, and resolving issues within the context of your own application.

--Jon Kurz
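The review above praises the ability to compare scans over time. The following is an added example of what that comparison looks like in practice; it is not AppScan's code or output format. The Finding fields, the severity names and the two scan result lists are this example's own constructed assumptions: findings are matched across runs by issue, URL and parameter, and split into new, fixed and persisting, with a per-severity count to show the trend.

```python
"""Scan-to-scan comparison of web-application findings.

Added example illustrating the "compare tests over time" idea; this is not
AppScan's code, and the Finding schema below is this example's assumption.
"""
from __future__ import annotations

from dataclasses import dataclass

SEVERITIES = ("High", "Medium", "Low")


@dataclass(frozen=True, order=True)
class Finding:
    """One scanner result.  Field names are assumptions, not AppScan's schema."""
    issue: str        # e.g. "SQL Injection"
    url: str          # affected request path
    parameter: str    # affected parameter
    severity: str     # one of SEVERITIES

    def key(self) -> tuple[str, str, str]:
        # Identity of a finding across scans: the same issue at the same location.
        return (self.issue, self.url, self.parameter)


def diff_scans(previous, current):
    """Split findings into (new, fixed, persisting), each sorted for stable reports."""
    before = {f.key(): f for f in previous}
    after = {f.key(): f for f in current}
    new = sorted(after[k] for k in after.keys() - before.keys())
    fixed = sorted(before[k] for k in before.keys() - after.keys())
    persisting = sorted(after[k] for k in after.keys() & before.keys())
    return new, fixed, persisting


def severity_trend(previous, current):
    """Count findings per severity in each scan: {"High": (before, after), ...}."""
    def counts(findings):
        return {s: sum(1 for f in findings if f.severity == s) for s in SEVERITIES}
    b, a = counts(previous), counts(current)
    return {s: (b[s], a[s]) for s in SEVERITIES}


# Constructed sample scans (not real results): two runs against the same application.
SCAN_1 = [
    Finding("SQL Injection", "/login", "username", "High"),
    Finding("Cross-Site Scripting", "/search", "q", "High"),
    Finding("Missing HttpOnly flag", "/", "session", "Low"),
]
SCAN_2 = [
    Finding("Cross-Site Scripting", "/search", "q", "High"),
    Finding("Missing HttpOnly flag", "/", "session", "Low"),
    Finding("Path Traversal", "/download", "file", "Medium"),
    Finding("Cross-Site Scripting", "/profile", "bio", "High"),
]

if __name__ == "__main__":
    new, fixed, persisting = diff_scans(SCAN_1, SCAN_2)
    for label, group in (("NEW", new), ("FIXED", fixed), ("PERSISTING", persisting)):
        for f in group:
            print(f"{label:10} {f.severity:6} {f.issue} at {f.url}?{f.parameter}")
    print("trend:", severity_trend(SCAN_1, SCAN_2))
```

The key deliberately excludes severity, so a finding whose rating was changed between scans still counts as persisting rather than as one fixed and one new; a team tracking regressions usually wants that behaviour.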

Productivity Award

DevInspect
SPI Dynamics

We've all seen the increasing focus on security in the past few years. That puts a lot of pressure on developers to improve the security of their applications but most developers don't know much about security techniques. Fortunately, some new tools are arriving to help developers recognize security issues and fix them.

DevInspect takes an interesting approach. It is integrated with Visual Studio and Eclipse. The developer can use it to scan their current project and report on the current vulnerabilities. For each vulnerability, the DevInspect report includes a description of the vulnerability, an explanation of the risk level, and the recommended fix, including web links to more useful information.

The result is a useful tool that educates developers at the same time as it provides targeted information about the current project.

--Hugh Bawtree

Productivity Award

Fortify Source Code Analysis (SCA) 4.0
Fortify Software

Real-world developers code in many different programming languages, but the problems with application security remain the same regardless of the codebase. Fortify Software addresses this fact with their Source Code Analysis tool, which can parse some of the most popular languages, including C and C++, ColdFusion, Java, .NET, SQL, and XML, and scans for over 150 vulnerability categories. Results can be shared via comprehensive issue, portfolio and trend web-based report sets and policy-based alert notifications in the event of vulnerability detection. Fortify SCA integrates with many automated build tools, and even includes an open-source Java code quality scanner called FindBugs that can identify over 250 bug types.

One of Fortify SCA's more notable aspects is its ability to rank issue criticality and recommend an optimal course of action for the problems it identifies. These results can be annotated as well for further analysis and auditing needs.

--Mike Riley
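Both the DevInspect and the Fortify SCA reviews above describe the same underlying technique: parse the source, follow untrusted input to a dangerous call, and report each hit with a category, a severity and a recommended fix. The following is an added example of a minimal version of that source-to-sink analysis, written here for illustration; it is not DevInspect's or Fortify's code. It assumes Flask-style sources (request.args.get and friends), treats the method names execute and system as sinks regardless of receiver, and runs over a small constructed sample module embedded in the block.

```python
"""Toy taint-tracking static analyzer.

Added example, not DevInspect or Fortify SCA code.  Sources, sinks, severities
and the sample program below are this example's assumptions.
"""
from __future__ import annotations

import ast
from dataclasses import dataclass

# Taint sources: calls shaped request.<container>.get(...), as in Flask (assumption).
SOURCE_CONTAINERS = {"args", "form", "cookies"}

# Sinks keyed by method name: category, severity and the fix we would recommend.
SINKS = {
    "execute": ("SQL Injection", "Critical",
                "Use a parameterised query: cur.execute(sql, (value,))"),
    "system": ("Command Injection", "Critical",
               "Use subprocess.run([...]) with an argument list and no shell"),
}
SEVERITY_RANK = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}


@dataclass(frozen=True)
class Finding:
    category: str
    severity: str
    function: str
    line: int
    fix: str


def is_source(node: ast.AST) -> bool:
    """True for request.args.get(...) style reads of user input."""
    if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)):
        return False
    container = node.func.value
    return (node.func.attr == "get"
            and isinstance(container, ast.Attribute)
            and container.attr in SOURCE_CONTAINERS
            and isinstance(container.value, ast.Name)
            and container.value.id == "request")


def is_tainted(expr: ast.AST, tainted: set[str]) -> bool:
    """An expression is tainted if any sub-expression is a source or a tainted name."""
    return any(is_source(n) or (isinstance(n, ast.Name) and n.id in tainted)
               for n in ast.walk(expr))


class FunctionScanner(ast.NodeVisitor):
    """Walks one function in source order, propagating taint through assignments."""

    def __init__(self, func_name: str) -> None:
        self.func_name = func_name
        self.tainted: set[str] = set()
        self.findings: list[Finding] = []

    def visit_Assign(self, node: ast.Assign) -> None:
        names = [t.id for t in node.targets if isinstance(t, ast.Name)]
        if is_tainted(node.value, self.tainted):
            self.tainted.update(names)
        else:
            # Reassigning from a clean value clears taint (straight-line code only).
            self.tainted.difference_update(names)
        self.generic_visit(node)

    def visit_Call(self, node: ast.Call) -> None:
        if isinstance(node.func, ast.Attribute) and node.func.attr in SINKS and node.args:
            # Only the first argument (the SQL text / command string) is the sink.
            if is_tainted(node.args[0], self.tainted):
                category, severity, fix = SINKS[node.func.attr]
                self.findings.append(Finding(category, severity, self.func_name, node.lineno, fix))
        self.generic_visit(node)


def analyze(source: str) -> list[Finding]:
    """Scan every top-level function; return findings ranked by severity, then line."""
    findings: list[Finding] = []
    for node in ast.parse(source).body:
        if isinstance(node, ast.FunctionDef):
            scanner = FunctionScanner(node.name)
            scanner.visit(node)
            findings.extend(scanner.findings)
    return sorted(findings, key=lambda f: (SEVERITY_RANK[f.severity], f.line))


# Constructed sample program (not a real codebase): one vulnerable query,
# one parameterised query, and one command built from user input.
SAMPLE = """\
import os
from flask import request

def lookup(conn):
    user = request.args.get("user")
    query = "SELECT * FROM users WHERE name = '" + user + "'"
    cur = conn.cursor()
    cur.execute(query)
    return cur.fetchall()

def safe_lookup(conn):
    user = request.args.get("user")
    cur = conn.cursor()
    cur.execute("SELECT * FROM users WHERE name = ?", (user,))
    return cur.fetchall()

def ping():
    host = request.args.get("host")
    os.system("ping -c 1 " + host)
"""

if __name__ == "__main__":
    for f in analyze(SAMPLE):
        print(f"[{f.severity}] {f.category} in {f.function}() line {f.line}: {f.fix}")
```

The parameterised call in safe_lookup is not reported because the tainted value reaches the sink only as a bound parameter, not as part of the SQL text; that distinction, not the presence of user input, is what the commercial tools are ranking. The scanner is intra-procedural and ignores branches, loops and calls into other functions, which is exactly where real analyzers earn their price.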

Productivity Award

Metasploit Framework

Everyone involved in security testing should know about Metasploit. It's an open-source framework for developing exploit code, running the exploits, and executing the corresponding payload when the exploit succeeds. Metasploit can be a scary tool because it can just as easily be used by the bad guys. This is good motivation to test each web app before it is deployed on the Internet.

With Version 3.0, Metasploit has been rewritten in Ruby and now includes Exploit Automation, so a set of exploits and payloads can be automated for each target. That means any subset of Metasploit's entire history of exploits and payloads can now be run automatically against one target, testing and retesting until it finds a vulnerability. Once it finds a vulnerability, the corresponding payload code (e.g., a remote shell or VNC server) is used to gain access to the target.

Use it before it is used against you!

--Hugh Bawtree
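The automation the review describes rests on two matching steps: pick the exploits whose target definition fits what was fingerprinted on the host, pair each with a payload compatible with the exploit's platform and architecture, then fire them in reliability order until one hands back a session. The following is an added example of that selection and try-until-success loop, written here in Python for illustration; it is not Metasploit Framework code, and every exploit name, version range, banner and payload name in it is fictitious and constructed for the example. Actually launching an exploit is represented by a callable passed in, so the block runs offline.

```python
"""Exploit/payload selection and try-until-success loop.

Added example in the style of Metasploit's exploit automation; not Metasploit
Framework code.  The catalog, payloads and target are constructed and fictitious.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Callable, Optional, Tuple

Version = Tuple[int, ...]


@dataclass(frozen=True)
class Service:
    """What a banner grab told us about one port (fields are this example's assumption)."""
    host: str
    port: int
    name: str        # e.g. "http"
    banner: str      # raw banner text
    platform: str    # "linux" / "windows"
    arch: str        # "x86"


@dataclass(frozen=True)
class Exploit:
    name: str
    service: str
    first_vuln: Version           # inclusive lower bound of vulnerable versions
    last_vuln: Version            # inclusive upper bound
    platforms: frozenset          # platforms this exploit has targets for
    arch: str
    rank: int                     # higher = more reliable, tried first


@dataclass(frozen=True)
class Payload:
    name: str
    platform: str
    arch: str


def parse_version(banner: str) -> Optional[Version]:
    """Pull the first dotted version out of a banner ("Foo/1.3.26" -> (1, 3, 26))."""
    m = re.search(r"\d+(?:\.\d+)+", banner)
    return tuple(int(x) for x in m.group().split(".")) if m else None


def matching_exploits(service: Service, catalog) -> list:
    """Exploits whose service, platform, arch and version range fit the target, best rank first."""
    version = parse_version(service.banner)
    hits = [e for e in catalog
            if e.service == service.name
            and service.platform in e.platforms
            and e.arch == service.arch
            and version is not None
            and e.first_vuln <= version <= e.last_vuln]
    return sorted(hits, key=lambda e: e.rank, reverse=True)


def pick_payload(exploit: Exploit, service: Service, payloads) -> Optional[Payload]:
    """First payload that runs on the target platform with the exploit's architecture."""
    for p in payloads:
        if p.platform == service.platform and p.arch == exploit.arch:
            return p
    return None


def attack_plan(service: Service, catalog, payloads) -> list:
    """Ordered (exploit, payload) pairs to try against one target."""
    plan = []
    for e in matching_exploits(service, catalog):
        p = pick_payload(e, service, payloads)
        if p is not None:
            plan.append((e, p))
    return plan


def run_plan(plan, fire: Callable[[Exploit, Payload], bool]):
    """Try each pair in order; stop at the first one that yields a session, else None."""
    for exploit, payload in plan:
        if fire(exploit, payload):
            return exploit, payload
    return None


# Constructed, fictitious catalog: names and version ranges are invented for the example.
CATALOG = [
    Exploit("examplehttpd_chunked_overflow", "http", (2, 0, 0), (2, 4, 3),
            frozenset({"linux", "windows"}), "x86", rank=500),
    Exploit("examplehttpd_traversal", "http", (2, 4, 0), (2, 4, 9),
            frozenset({"linux"}), "x86", rank=300),
    Exploit("examplehttpd_old_auth_bypass", "http", (1, 0), (1, 9, 99),
            frozenset({"linux"}), "x86", rank=600),       # wrong version
    Exploit("examplehttpd_isapi_overflow", "http", (2, 0), (2, 9, 99),
            frozenset({"windows"}), "x86", rank=400),     # wrong platform
    Exploit("exampleftpd_backdoor", "ftp", (2, 3, 4), (2, 3, 4),
            frozenset({"linux"}), "x86", rank=600),       # wrong service
]
PAYLOADS = [
    Payload("windows_x86_vnc_inject", "windows", "x86"),
    Payload("linux_x86_reverse_shell", "linux", "x86"),
]
TARGET = Service("192.0.2.10", 80, "http", "ExampleHTTPd/2.4.1 (Unix)", "linux", "x86")

if __name__ == "__main__":
    plan = attack_plan(TARGET, CATALOG, PAYLOADS)
    for e, p in plan:
        print(f"rank {e.rank}: {e.name} -> {p.name}")
    # Simulated run: only the second exploit "works" on this host.
    print("session via:", run_plan(plan, lambda e, p: e.name == "examplehttpd_traversal"))
```

Three of the five catalog entries are filtered out before anything is fired: wrong version, wrong platform, wrong service. That filtering is what keeps automated runs from spraying every exploit at every port, which is noisy, crashes services, and is the behaviour the review's "scary tool" warning is about.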
