Monday, June 11, 2007

Rolling Reviews: SPI Dynamics WebInspect

Last month I blogged that Jordan Wiens of Network Computing would be conducting Rolling Reviews of Web Applications Scanners. First up is the review of SPI Dynamics's WebInspect product. As expected Jordan isn't making this cake walk for vendors. He knows his webappsec stuff and will dig deep into the results, especially around the Ajax claims. Ajax is a tough problem to solve and is likely unsolvable. Ajax is also unlikely to make web applications less secure, but definitely makes them harder to assess. Next up, Cenzic ARC (Application Risk Controller) .

2 comments:

Ory said...

Hey,

Quote: "Ajax is a tough problem to solve and is likely unsolvable" --

There you go again, talking about "unsolvable" problem :-)

I have a feeling that exploring and testing AJAX applications will seem like a "natural" thing soon enough. You shouldn't give up on technology so fast.

Jeremiah Grossman said...

Im using the word "unsolvable" in a more mathematical turing/undecidable/halting sense, which seems to be what we're working towards. I think we can make some good progress with JavaScript in the future (already been working on it for years), indeed we already have. But new web pages better represent running applications now rather than traditional document style web pages.

http://en.wikipedia.org/wiki/Halting_problem

"Given a description of a program and a finite input, decide whether the program finishes running or will run forever, given that input.

Alan Turing proved in 1936 that a general algorithm to solve the halting problem for all possible program-input pairs cannot exist. We say that the halting problem is undecidable over Turing machines."


Don't agree?

Maybe your tech will surpass all others. We'll just have to wait and see. :)