Caleb Sima, Enabling Organizations to Prevent Web Application Attacks
Few saw the warning signs surrounding Web application security as early as Caleb Sima, who started working in IT security in 1996 – at the age of 16 – during a time when barely a handful of visionaries had even considered securing Web applications as the burgeoning new security discipline it would become.
No one says leadership is easy. In early 2000, SPI Dynamics’ founders learned just how painful being first can be.
Running penetration tests for the leading network security company where they worked, SPI Dynamics co-founder Caleb Sima noticed an odd thing. The quickest way to breach any company’s network was not by hacking through firewalls but by coming in through its web applications, disguised as legitimate traffic. It was a gap few had considered – organizations then were focused exclusively on perimeter security. What Caleb saw was that however thick a network’s walls, its web apps were like open windows. The reality was that traditional Internet security products, such as firewalls and intrusion detection systems (IDS), were not providing enough protection; these methods did not ensure the security of the entire Web presence, because they did not check Web application content (HTML pages, scripts, proprietary applications, cookies, and other Web servers and services).
A business vision was born.
Great idea, people said. Good luck with funding. The internet bubble had burst only months earlier. Investors welcomed any business plan with the word “web” or “internet” in its pitch like leprosy. The founders – convinced, determined, possibly nuts – pushed on. They took odd jobs, risked their credit ratings, sold their cars. Any dollar not earmarked for food or shelter went into the business. It was a matter of urgency: the number of applications going online was skyrocketing, and with each, so too was the security risk to the companies behind those apps.
Name: Caleb Sima
Title: Chief Technology Officer (CTO)
Likes to be called: Caleb
Company: SPI Dynamics, Inc.
Caleb Sima – Well-known Web Security Expert
Today, Sima is widely known within the Internet security community for his expertise in penetration testing and his ability to identify emerging security threats. He began his security career at S1 Corporation and then went on to Internet Security Systems as a member of its prestigious X-Force research team. There, he focused on the research and development of security advisories. Some of Sima’s engineered exploits gained media attention in publications such as the New York Times and the Washington Post. His work has also been featured by US News and World Report, Security World magazine and the Associated Press.
It was during his activities as a professional penetration tester that Caleb Sima recognized that most organizations were susceptible to attack through their Web applications. That’s when he envisioned a new technology that could enable organizations – even those that lacked application security expertise – to diligently assess application security risks and effectively remedy the problems. Soon thereafter, Sima began to work on developing the product WebInspect, which would become the foundation for the company he would co-found in 2000: SPI Dynamics Incorporated. To this day, SPI Dynamics’ intellectual property is based on the application security vision with which Sima founded the company. And he continues to lead the SPI Labs Research and Development team to hone and perfect the company’s Web application security technologies.
SPI Dynamics is Born – 2000
Caleb Sima founded SPI Dynamics during a time when Internet-focused companies began to fail at an alarming pace. And with only $8.5 million in venture capital, many industry watchers considered the company woefully undercapitalized. Its closest competitor, for example, had raised $54 million in funding.
Despite this enormous challenge, in roughly two years, SPI Dynamics moved from a distant third place to the Web application security industry’s leadership position. SPI Dynamics’ software was the first to show where and how Web application security risks could manifest. An early client, a technician for a large bank, was astonished when SPI’s engineers showed him how hackers might retrieve customer account data via the bank’s new client service portal – so astonished, in fact, that he quit his job to join the SPI Dynamics team. Word began to spread. Here was a company that not only understood the new threat possibilities, but that had built software sophisticated enough to conquer them. Investors followed, along with a platinum executive team impressed by the founders’ vision and passion.
Of course, being first is just a first step. To keep setting the pace, a company must prove its early innovation was no fluke. That’s why today SPI Dynamics is the only company to offer security solutions for each phase in the application development lifecycle. Yes, our WebInspect product is astonishingly good at detecting security gaps in live applications, and our suite of lifecycle products, built on WebInspect technology, finds security vulnerabilities throughout the lifecycle and across the enterprise.
WebInspect Software Available – 2000
SPI Dynamics customers, industry analysts and Web security experts believe WebInspect is the most accurate and comprehensive automated Web application and Web services vulnerability assessment solution available. With WebInspect, security professionals and compliance auditors can quickly and easily analyze the numerous Web applications and Web services in their environment.
The Key Benefits of WebInspect
- Dramatically reduces organizational risk with a combination of the most extensive database of checks and intelligent engines that interrogate applications using a logic-based approach to find the most vulnerabilities with the fewest false positives
- Significantly reduces penetration testing time and associated costs through process consolidation and automation
- Improves security awareness with specific, pre-configured reports for management, development, and quality assurance teams
- Reports support compliance for all major regulations
- Saves security professionals time by automatically maintaining pace with ever-changing vulnerabilities and hacker techniques
- Supports new and highly complicated development tools such as JavaScript, Macromedia Flash, and AJAX
It’s a tremendous responsibility and a difficult challenge for security professionals who seek to spot security weaknesses and quickly facilitate their resolution in an environment of constant change. Hacker techniques evolve quickly, and the complexity of networks, applications, programming, and development languages is always increasing. Despite this complexity, organizations must be able to demonstrate the state of their Web security and regulatory compliance. The following describes WebInspect’s sophisticated scanning capabilities.
Continuous Security Awareness – WebInspect’s sophisticated scanning capabilities automatically keep up with changing applications and complex security problems so that security professionals don’t have to. Our security experts at SPI Labs add new vulnerability checks to the software daily, and organizations can have these updates at any time. WebInspect’s scheduler offers the flexibility to scan applications when it makes the most sense for your organization’s business and network.
Support for Regulatory Compliance – WebInspect includes detailed reports that show how web applications should change to meet most regulatory standards.
In addition, users can create new policies or customize an existing one with the Policy and Compliance editor. Policies are currently included for these regulations:
- Sarbanes-Oxley
- California SB 1386
- Gramm-Leach-Bliley Act (GLBA)
- Health Insurance Portability and Accountability Act (HIPAA)
- ISO 17799
- VISA PCI Data Compliance
- OWASP Top 10
Comprehensive and Accurate – WebInspect is unique in that it combines all of the industry’s known Web application vulnerabilities with SPI Dynamics’ sophisticated intelligent engine technology, which crawls your application and manipulates parameters to find specific and precise vulnerabilities. Before each assessment, you can be sure you have all the latest known vulnerabilities and attack methods from SPI Labs through SmartUpdate™.
Easy-to-Use – WebInspect is easy to configure and use. It requires no server-side installations and can be used remotely for Web application assessments. With WebInspect’s wizard interface, users can easily run a fully automated Web application assessment and manually interact with it throughout the assessment process.
Extensible – WebInspect includes APIs that enable users to extend the product’s capabilities to meet an organization’s specific needs.
Sophisticated Reporting – WebInspect includes pre-configured, detailed reports that demonstrate the state of an organization’s security. WebInspect also allows users to edit any aspect of the report and add custom notes or details as needed.
One of the most powerful new features of WebInspect, developed under Caleb Sima’s leadership, is its revolutionary intelligent engine technology that interrogates applications and manipulates parameters to find specific and precise vulnerabilities. Traditional assessment technologies use static or hard-coded checks, which are slow and lack flexibility.
By using a logic-based approach, WebInspect is not only able to find more true positives and significantly fewer false positives than other assessment products, it is able to find them at mind-boggling speeds. What once took three hours now takes 12 minutes. But we haven’t stopped there.
QAInspect Software Available – December 2003
As more security professionals began scanning more Web applications more frequently, one thing became perfectly clear. Most of the security vulnerabilities actually existed – and still exist – in the source code. Sima realized that there was a fundamental flaw in the overall approach to properly securing Web applications. Aside from the glaringly obvious lack of tools to address the issue of insecure software, there was the historical attitude that security was to remain the responsibility of a single department, traditionally an audit or security group.
Sima identified the need for a critical paradigm shift – a fundamental change of mindset in how applications were developed. He wanted to break application security out of its backroom shackles and transform security into a continuous objective that everyone throughout the entire application development lifecycle had as part of their roles and responsibilities. Security would become a team effort: start secure and stay secure, from development to quality assurance to production and audit. This meant creating and bringing to market adequate tools that were easy to understand and could be integrated seamlessly across the development lifecycle.
Those who know development know that when you’re working to bring an application live, your deadlines are rarely generous. So it doesn’t exactly help when your audit software sends you chasing after ghosts and red herrings. The comprehensive SPI Dynamics suite heads off the costly, often devastating, effect of a security risk that remains undiscovered until production.
Our solutions help organizations abide by that first, best rule of software quality: the earlier a problem is discovered, the easier and cheaper it is to fix. In response to this security revelation, we joined the Mercury Interactive Business Technology Optimization Alliance Program and announced WebInspect for Quality Assurance (now known as QAInspect) for Mercury TestDirector, a global test management product in the Mercury Quality Center. QAInspect leveraged the sophisticated scanning technology of WebInspect to create a product that performs assessments in the QA environment right from Mercury users’ familiar platform. In December of 2004, Mercury named SPI Dynamics its technology partner of the year.
The Key Benefits of QAInspect
- Dramatically reduce organizational risk with the most accurate and precise approach to Web application testing for QA testers on the market.
- Eliminate the time and expense associated with fixing security defects in applications that are already in production by catching them during QA and fixing them quickly and easily.
- Improve communication and security awareness between QA and security departments.
- Educate QA teams about security with minimal investment.
The following describes QAInspect’s sophisticated application security testing capabilities.
Secure, high-quality software: By incorporating security testing into the overall test management process, you can manage functional and security testing from a single platform. This allows you to deliver quality applications on schedule at the lowest possible cost.
Ease of use: Only QAInspect completely integrates with Mercury’s functional testing products to enable QA professionals to easily conduct and manage security testing in tandem with functional and performance testing.
Integrated defect reporting: Security defects are reported alongside functional defects in the Mercury Quality Center and TestDirector Defect Management modules, allowing you to detect and eliminate security bugs during the development and QA phases of the application development lifecycle.
Concise prioritized vulnerabilities: All QAInspect products quickly find vulnerabilities and automatically prioritize them based on business risk.
Security expert knowledgebase: SPI Dynamics is recognized as the leading web application security company. Our security experts at SPI Labs find and capture all known security vulnerabilities and build that expertise directly into SecureBase, the leading knowledgebase of security vulnerabilities and best practices for fixing them.
Comprehensive vulnerability reporting: All versions have comprehensive reports that provide detailed descriptions of security defects, including the potential business impact if the security defect is exploited, its possible severity, remediation information necessary to resolve the defect, and references for additional research.
Supports regulatory compliance efforts: Both products can be used to track and report progress on security compliance for
Assessment Management Platform (AMP) Software Available – February 2004
What we found from working closely with our customers was that they needed to scale their assessment capabilities across multiple security professionals. They needed to be able to define a standard set of security checks for all security professionals to use. They needed to centralize their assessment data for sophisticated reporting and trend analysis. Most importantly, they needed to be able to control who scanned which applications and when they could scan them. We developed our Assessment Management Platform (AMP) to address all of these problems. To this date, we have yet to see a product that accomplishes the same capabilities that AMP does.
AMP provides scalable, automated, proactive, distributed, and continuous application security assessments and remedies to its customers. AMP enables organizations to conduct an unlimited number of application security assessments while consolidating all security data into a real-time, high-level, information-packed dashboard that displays an enterprise’s current level of risk and policy compliance exposures. AMP consolidates and summarizes all of the application security scanning efforts across the organization so that application security is continuously understood by all. The power and flexibility of AMP can be fully distributed to enable organizations to perform remote Web application security scanning from multiple geographic locations to find and fix Web services security defects and vulnerabilities that jeopardize both custom-built and third-party Web applications. AMP’s sophisticated assessment management capabilities provide enterprises a way to prioritize vulnerabilities, easily manage the remediation process, and verify the resolution.
The Key Benefits of AMP
- Enables developers, quality assurance and security professionals to remove security vulnerabilities early in the software lifecycle, thus reducing the risk of security breaches
- Enables developers, quality assurance teams and security professionals to focus on remediation of vulnerabilities instead of how and when to perform their scans
- Saves security professionals’ time by automatically maintaining security awareness across the enterprise
- Simplifies and automates security assurance by consolidating enterprise security data into usable management and audit reports
- Enables you to scale the assessment management process without compromising mission-critical runtime applications through granularly controlled user access and information sharing
- Improves information sharing across distributed teams through enterprise-wide reporting and centralized security management
- Extends the security team with AMP sensors that manage application assessments without hands-on user interaction
Security professionals are constantly balancing limited resources against ever-increasing assessment needs. As more people across the organization assess more applications, the process becomes exponentially more complicated. An automated solution that enables users to manage the assessment process and gather the results in a central location is critical. Furthermore, security professionals must be able to control both access to and timing of assessments. The following describes AMP’s sophisticated management capabilities.
Maintain continuous security awareness – AMP’s sophisticated management capabilities automatically keep up with an organization’s numerous Web applications and security activities so that security professionals don’t have to. AMP aggregates Web application security data from the entire organization to give the current state of security whenever it’s needed. AMP’s scheduling capabilities offer the flexibility to scan applications when it makes the most sense for the business and network.
Complete more assessments without more resources – AMP’s distributed scan architecture allows for simultaneous scanning of multiple applications so that security teams can scan more applications without more resources. It does this by enabling users to manage user-controlled scan clients such as SPI Dynamics’ WebInspect and QAInspect, or to control remote scan sensors that perform fully automated assessments.
Advanced users can continue to use SPI Dynamics’ desktop application scanners for complex custom applications while still gaining the benefits of centralized assessment management through AMP. Additionally, users can configure AMP to discover sites and scan them for vulnerabilities.
Centrally manage distributed teams – AMP’s sophisticated management capabilities give powerful granular control over user access, scan rights, reports and assessment schedules, so that users can determine which sites are scanned, when they can be scanned, and who can scan them. AMP extends the security team by enabling security professionals to activate and schedule managed application assessments. Security professionals can track all application security activity across the enterprise through AMP’s advanced security and audit logging. Engineers performing security assessments in the field can disconnect from AMP and then synchronize their results when they reconnect.
Detailed reporting – AMP centralizes all assessment results in one database, giving security professionals a snapshot view of the organization’s state of security. Additionally, AMP helps you track application security trends across all applications over time. This centralized data eliminates the need for collecting assessment results from security professionals and manually creating reports. AMP’s executive dashboard includes the critical metrics you need to monitor application security across development, quality assurance and production. The dashboard highlights critical issues based on a weighted vulnerability scoring system. The dashboard’s drill-down capability allows you to find the specific details of which web sites are the most vulnerable. All report data can be exported in an XML format so it can be imported into other applications as needed.
Find security vulnerabilities throughout the application lifecycle – All of SPI Dynamics’ products are designed to help organizations save time and money by catching security defects as early in the application development lifecycle as possible. AMP is the platform that brings all of these products together: DevInspect™ for developers, QAInspect™ for quality assurance professionals and WebInspect™ for security professionals. These products help find security defects early and continuously monitor security throughout the life of the application.
Integrates with your environment – It is easy to customize AMP for your environment. AMP’s Web services API provides many ways to integrate with existing systems. AMP sensors connect with the AMP Manager using a fault-tolerant network transport to ensure scan data is never lost on even the most distributed networks.
DevInspect Software Available – June 2004
The logical evolution of the story led us to develop an offering for developers that enables them to find security defects during development and unit test, before QA teams even see the applications. Initially, the product was announced as WebInspect for Developers with Secure Objects™ technology. The product is now called DevInspect™. DevInspect accelerates the construction and delivery of secure Web applications and Web services by finding and fixing security vulnerabilities during the development process and then protecting applications after deployment. DevInspect applies the most innovative vulnerability analysis and remediation techniques available to pinpoint and correct security defects before they are released into production, where they can expose assets to serious threats.
DevInspect is the first and only fully integrated solution that empowers developers without security expertise to proactively “find and fix” security defects within code at the beginning stages of development, while requiring “zero change” in their existing development process to avoid any delay in time to market. DevInspect is a natural extension to development processes, helping software development organizations eliminate common security defects that allow attackers easy access to proprietary and confidential company information. By providing DevInspect, SPI Dynamics offered an easily digestible approach that instantly addressed the core issue of insecure software – improperly written code. DevInspect™ simplifies security for developers by automatically finding and fixing application security defects and enabling developers to build secure Web applications and Web services quickly and easily, without impacting schedules or requiring security expertise. Ultimately, through a partnership with Microsoft, DevInspect became a product that is deeply integrated into Microsoft Visual Studio .NET.
The Key Benefits of DevInspect
- Dramatically reduce organizational risk with the most accurate and precise approach to Web application testing for developers on the market.
- Eliminate the time and expense associated with fixing security defects in applications that are already in production by catching them during development and fixing them quickly and easily.
- Improve communication and security awareness between development and security departments.
- Educate developers about security with minimal investment.
Now developers and testers have powerful tools to find – and seal – security holes during the build cycle. (And we mean the discovery of true vulnerabilities here, not false positives.)
The following describes DevInspect’s sophisticated application security testing capabilities.
Find vulnerabilities with unmatched accuracy and precision – DevInspect provides unmatched accuracy and precision by identifying only real security vulnerabilities in the application, rather than pointing out potential problems based on source code and conjecture. DevInspect quickly finds vulnerabilities and shows precisely where they exist so that remediation is quick and easy. All identified vulnerabilities are automatically prioritized based on a combination of impact and probability to assess risk to your business. DevInspect’s SmartUpdate feature automatically updates the product with the latest vulnerability checks from SPI Labs.
Automatically fix vulnerabilities with SecureObjects™ – DevInspect is the only security product available that automatically fixes security defects. DevInspect’s SecureObjects security vulnerability remediation technology enables a developer to write secure code from the beginning and harden their applications against attack. SecureObjects automatically fixes security defects by pinpointing the vulnerable code and applying secure code to reduce the application’s attack surface. Developers maintain total control of the fixes through the option to automatically correct their code using the secure coding library or to use the advice and examples to correct it themselves. SecureObjects also locks down Web application configuration settings to prevent attacks after deployment.
Protect deployed applications – SecureObjects continues protecting an application after deployment by detecting and preventing attacks. SecureObjects prevents malicious input from penetrating an application and recognizes attack patterns to actively detect and prevent successful hack attempts. Security event logging captures attempted attacks so that security and operations professionals can take action to protect assets.
By applying SecureObjects, developers can prevent high-risk Web application attacks in production, including SQL Injection, Cross-Site Scripting (XSS), Buffer Overflows and Directory Traversal attacks.
Educate developers by sharing knowledge and data – DevInspect offers pre-packaged Web application security expertise. Developers improve their security expertise while securing their applications with DevInspect through SecureBase, the leading knowledgebase of security vulnerabilities and best practices for fixing them. SPI Dynamics is the recognized leader in Web application security, and our security experts at SPI Labs find and capture all known security vulnerabilities. DevInspect is the only developer security product that includes daily vulnerability check and description updates.
Visual Studio Integration – DevInspect features the deepest and most intuitive Visual Studio integration available in the security industry. DevInspect is designed to fit naturally with the way a developer works every day, so that secure development becomes as familiar as coding and unit testing. Developers can secure their application and improve their security expertise during any phase of development without ever leaving the Visual Studio IDE.
Secure Software Forum – February 2005
As part of its continuing efforts to increase Web application security awareness and education, SPI Dynamics launched the Secure Software Forum in San Francisco in February 2005 with a blue-ribbon panel discussion and a keynote presentation by Oracle CSO Mary Ann Davidson. The presentation helped to bring widespread awareness of the need for security throughout the application development life cycle. The SSF was created by SPI Dynamics as a vendor-agnostic educational initiative to bring awareness to all entities within the development life cycle. Cosponsors of the initiative included Microsoft, Mercury, ISSA, and others.
Throughout the calendar year, Microsoft and SPI Dynamics continued to collaborate on this initiative through long-term educational programs focused on secure software development. These initiatives included a series of free international workshops detailing the underlying vulnerabilities, or defects, in application code that allow hackers to gain access to corporate information, as well as demonstrations of live Web hacks, such as SQL Injection and Cross-Site Scripting, that take advantage of these vulnerabilities, which are alarmingly present in most applications. In addition, the Secure Software Forum 2005 initiatives included executive-level roundtable dinners and Webcasts hosted by SPI Dynamics and Microsoft that encouraged information sharing on implementing secure coding best practices and processes within an organization.
Even now, Web application security remains a relatively new – and largely misunderstood – segment within the broader Internet security market. That’s why education is such an important aspect of what Sima has contributed to the industry during the past five years through his primary Web application research, writing, and speaking at major conferences. With more than a year of this program underway, there’s a clear understanding that building quality software depends upon optimizing three fundamental pillars: People, Process and Technology. Additionally, an executive-level commitment to building security into underlying methodologies is needed through the creation of internal Application Security Assurance Programs (ASAP) – a concept SPI Dynamics introduced during the 2005 Secure Software Forum initiative.
Unprecedented Growth and Prestigious Accolades – 2005
From a corporate growth perspective, during 2005, SPI Dynamics continued its rapid acceleration to maintain its status as the undisputed expert in Web application security.
Through the year, the company added more than 250 new customers while growing revenues more than 70 percent and increasing profitability. Customer retention and maintenance renewal rates exceed 97 percent. SPI Dynamics has more than twice as many customers as any of its competitors, and the addition of its DevInspect™ and QAInspect™ products (extensive product integrations with Microsoft and Mercury Interactive) has led to further acceleration in product deliveries to software developers and quality assurance professionals. In September, SPI Dynamics’ WebInspect software was named the “Tester’s Choice” by Secure Enterprise in a comparative review of leading application security products, where it was noted that “WebInspect strikes a perfect balance between ease-of-use and powerful protection.” QAInspect for IBM Rational Software Development Platform (SDP) Available – June 2006 Throughout 2006, we have been working closely with IBM to integrate QAInspect Enterprise security testing products with IBM’s Rational Software Development Platform. Now QAInspect integrates with both Mercury and IBM functional testing products which when combined make up the significant majority of the testing market. This integration allows Quality Assurance (QA) professionals to analyze Web applications for security defects from within the IBM Rational Software Development Platform, and enables them to use this single platform to plan, execute and manage automated Web application security testing. The collaboration between SPI Dynamics and IBM expands the Rational Quality Assurance Solution through joint marketing and sales enablement programs. As recently noted by Gartner analysts Amrit Williams and Neil MacDonald in a research report titled, “Integrate Security Best Practices and Tools Into Software Development Life Cycle (10 Feb. 
SPI Dynamics’ business is fundamentally different than previous generations of security solutions, because application security is truly a life cycle requirement. Therefore, products must be produced and delivered to a number of constituencies throughout the global enterprise, including software developers, quality assurance professionals, security professionals, and auditors. With the exception of security professionals, all of these represent substantial new markets. SPI Dynamics, largely due to the leadership and vision provided by Caleb Sima, will continue to strive to provide the tools organizations need to develop the most secure Web applications possible – by focusing on helping them to develop the most error-free and quality source code possible.
A critical part of this effort will be to continue the industry education and thought leadership sparked by Sima more than six years ago, and to continue to evangelize the global mandate to improve software security and the overwhelming need for an executive-level commitment to building security into underlying methodologies.
Hackers are a creative bunch, so we have to move pretty quickly to beat them at their own game. Is it tiring to stay as far ahead in the market as we are? Not really. Frankly, we’re having too much fun to go at any other pace. We have a superb group of folks who know application security inside and out. That, plus an excellent management team and a knack (knock wood) for keeping a snug fit between our vision and execution, makes this a pretty impressive place to work. Good people beget good software. Not that you should take our word for it. The Atlanta Business Chronicle named SPI Dynamics to its list of “A+ Employers,” and our products have been honored at Microsoft’s Windows Products of the Year awards.
There’s another reason we’re focused on staying ahead: we think the future is too interesting not to get there in a hurry. As technologies evolve, hackers get more and more sophisticated. So do we. For example: what if there were security software that could not only anticipate threats against an application but respond to them in real time, like an immune system producing antibodies to fight off bacteria? At SPI Dynamics, the future is closer than you think…
Caleb Sima – Well known Web Security Expert
Today, Sima is widely known within the Internet security community for his expertise in penetration testing and his ability to identify emerging security threats. He began his security career at S1 Corporation and then went on to Internet Security Systems as a member of its prestigious X-Force research team. There, he focused on the research and development of security advisories. Some of Sima’s engineered exploits gained media attention in publications such as the New York Times and the Washington Post. His work has also been featured by US News and World Report, Security World magazine and the Associated Press. It was during his activities as a professional penetration tester that Caleb Sima recognized that most organizations were susceptible to attack through their Web applications. That’s when he envisioned a new technology that could enable organizations – even those that lacked application security expertise – to diligently assess application security risks and effectively remedy the problems. Soon thereafter, Sima began to work on developing the product WebInspect, which would become the foundation for the company he would co-found in 2000: SPI Dynamics Incorporated. To this day, SPI Dynamics’ intellectual property is based on the application security vision with which Sima founded the company. And he continues to lead the SPI Labs Research and Development team to hone and perfect the company’s Web application security technologies.
SPI Dynamics is Born - 2000
Caleb Sima founded SPI Dynamics during a time when Internet-focused companies began to fail at an alarming pace. And with only $8.5 million in venture capital, many industry watchers considered the company woefully undercapitalized. Its closest competitor, for example, had raised $54 million in funding. Despite this enormous challenge, in roughly two years, SPI Dynamics moved from a distant third place to the Web application security industry’s leadership position.
SPI Dynamics’ software was the first to show where and how Web application security risks could manifest. An early client, a technician for a large bank, was astonished when SPI’s engineers showed him how hackers might retrieve customer account data via the bank’s new client service portal – so astonished, in fact, that he quit his job to join the SPI Dynamics team. Word began to spread. Here was a company that not only understood the new threat possibilities, but that had built software sophisticated enough to conquer them. Investors followed, along with a platinum executive team impressed by the founders’ vision and passion.
Of course, being first is just a first step. To keep setting the pace, a company must prove its early innovation was no fluke. That’s why today SPI Dynamics is the only company to offer security solutions for each phase in the application development lifecycle. Yes, our WebInspect product is astonishingly good at detecting security gaps in live applications, and our suite of lifecycle products, built on WebInspect technology, finds security vulnerabilities throughout the lifecycle and across the enterprise.
WebInspect Software Available - 2000
SPI Dynamics customers, industry analysts and Web security experts believe WebInspect is the most accurate and comprehensive automated Web application and Web services vulnerability assessment solution available. With WebInspect, security professionals and compliance auditors can quickly and easily analyze the numerous Web applications and Web services in their environment.
The Key Benefits of WebInspect
Dramatically reduces organizational risk with a combination of the most extensive database of checks and intelligent engines that interrogate applications using a logic-based approach to find the most vulnerabilities with the fewest false positives
Significantly reduces penetration testing time and associated costs through process consolidation and automation
Improves security awareness with specific, pre-configured reports for management, development, and quality assurance teams
Reports support compliance for all major regulations
Saves security professionals time by automatically maintaining pace with ever-changing vulnerabilities and hacker techniques
Supports new and highly complex development technologies such as JavaScript, Macromedia Flash, and AJAX
It’s a tremendous responsibility and a difficult challenge for security professionals who seek to spot security weaknesses and quickly facilitate their resolution in an environment of constant change. Hacker techniques evolve quickly, and the complexity of networks, applications, programming, and development languages is always increasing. Despite this complexity, organizations must be able to demonstrate the state of their Web security and regulatory compliance. The following describes WebInspect's sophisticated scanning capabilities.
Continuous Security Awareness - WebInspect's sophisticated scanning capabilities automatically keep up with changing applications and complex security problems so that security professionals don't have to. Our security experts at SPI Labs add new vulnerability checks to the software daily. And, organizations can have these updates at any time. WebInspect's scheduler offers the flexibility to scan applications when it makes the most sense for your organization's business and network.
Support for Regulatory Compliance - WebInspect includes detailed reports that show how web applications should change to meet most regulatory standards. In addition, users can create new policies or customize an existing one with the Policy and Compliance editor. Policies are currently included for these regulations:
Sarbanes-Oxley
California SB 1386
Gramm-Leach-Bliley Act (GLBA)
Health Insurance Portability and Accountability Act (HIPAA)
ISO 17799
VISA PCI Data Compliance
OWASP Top 10
Comprehensive and Accurate - WebInspect is unique in that it combines all of the industry's known Web application vulnerabilities with SPI Dynamics' sophisticated intelligent engine technology, which crawls your application and manipulates parameters to find specific and precise vulnerabilities. Before each assessment, you can be sure you have all the latest known vulnerabilities and attack methods from SPI Labs through SmartUpdate™.
Easy-to-Use - WebInspect is easy to configure and use. It requires no server side installations and can be used remotely for Web application assessments. With WebInspect's wizard interface, users can easily run a fully automated Web application assessment and manually interact with it throughout the assessment process.
Extensible - WebInspect includes APIs that enable users to extend the product's capabilities to meet their organization's specific needs.
Sophisticated Reporting - WebInspect includes pre-configured, detailed reports that demonstrate the state of an organization’s security. WebInspect also allows users to edit any aspect of the report and add custom notes or details as needed.
One of the most powerful new features of WebInspect, developed under Caleb Sima’s leadership, is its revolutionary intelligent engine technology that interrogates applications and manipulates parameters to find specific and precise vulnerabilities. Traditional assessment technologies use static or hard-coded checks, which are slow and lack flexibility. By using a logic-based approach, WebInspect is not only able to find more true positives and significantly fewer false positives than other assessment products, it is able to find them at mind-boggling speeds. What once took three hours now takes 12 minutes.
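The difference between a static, hard-coded check and a logic-based check that manipulates a parameter and verifies the application's actual behaviour, as an added example in Python. This is not WebInspect code and not SPI Dynamics' engine; the application under test (`mock_app`), the parameter names and the "error" signature are constructed so the example runs offline against an in-memory stand-in instead of issuing HTTP requests.

```python
"""Added example, not SPI Dynamics code: a minimal "logic-based" reflection
check of the kind the paragraph contrasts with static, hard-coded checks.

The target is a constructed in-memory stand-in for a web application, so the
example runs offline; a real scanner would issue HTTP requests instead.
"""
import html
import secrets
from typing import Callable, Dict, List

App = Callable[[Dict[str, str]], str]


def mock_app(params: Dict[str, str]) -> str:
    """Constructed application under test: 'q' is reflected raw (a defect),
    'user' is HTML-encoded on output (safe), 'page' is never reflected, and
    every response contains the word "error" in ordinary prose."""
    q = params.get("q", "")
    user = params.get("user", "")
    return (
        "<html><body>"
        f"<p>Results for: {q}</p>"
        f"<p>Hello, {html.escape(user)}</p>"
        "<p>No error occurred.</p>"
        "</body></html>"
    )


def static_check(app: App, params: List[str]) -> List[str]:
    """Hard-coded signature check: flag any parameter whose response contains
    the string 'error'. Cheap, but it cannot tell prose from a real fault, so
    every parameter of mock_app is a false positive."""
    findings = []
    for name in params:
        body = app({name: "test"})
        if "error" in body.lower():
            findings.append(name)
    return findings


def canary_check(app: App, params: List[str]) -> List[str]:
    """Logic-based check: send a fresh random canary per parameter and report
    the parameter only if the canary comes back byte-for-byte, '<>' included.
    Encoded reflection turns '<>' into '&lt;&gt;' and is correctly not reported;
    a parameter that is never reflected produces no finding at all."""
    findings = []
    for name in params:
        canary = "zz" + secrets.token_hex(4) + "<>"
        body = app({name: canary})
        if canary in body:
            findings.append(name)
    return findings


if __name__ == "__main__":
    names = ["q", "user", "page"]
    print("static :", static_check(mock_app, names))   # ['q', 'user', 'page']
    print("canary :", canary_check(mock_app, names))   # ['q']
```

The random canary matters for the false-positive rate: a fixed probe string could already be present in the page or in cached content, whereas a per-request token can only come back because the application echoed this request's input.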
But we haven’t stopped there.
QAInspect Software Available – December 2003
As more security professionals began scanning more Web applications more frequently, one thing became perfectly clear. Most of the security vulnerabilities actually existed – and still exist – in the source code.
Sima realized that there was a fundamental flaw in the overall approach to properly securing Web applications. Aside from the glaringly obvious lack of tools to address the issue of insecure software, there was the historical attitude that security was to remain the responsibility of a single department, traditionally an audit or security group. Sima identified the need for a critical paradigm shift – a fundamental change of mindset in how applications were developed. He wanted to break application security out of its backroom shackles and transform security into a continuous objective that everyone throughout the entire application development lifecycle had as part of their roles and responsibilities. Security would become a team effort: start secure and stay secure, from development to quality assurance to production and audit. This meant creating and bringing to market adequate tools that were easy to understand and could be integrated seamlessly across the development lifecycle.
Those who know development know that when you’re working to bring an application live, your deadlines are rarely generous. So it doesn’t exactly help when your audit software sends you chasing after ghosts and red herrings. By finding real defects early, the comprehensive SPI Dynamics suite heads off the costly, often devastating, effect of a security risk that remains undiscovered until production. Our solutions help organizations abide by that first, best rule of software quality: the earlier a problem is discovered, the easier and cheaper it is to fix.
In response to this security revelation, we joined the Mercury Interactive Business Technology Optimization Alliance Program and announced WebInspect for Quality Assurance (now known as QAInspect) for Mercury TestDirector, a global test management product in the Mercury Quality Center.
QAInspect leveraged the sophisticated scanning technology of WebInspect to create a product that performs assessments in the QA environment directly from the platform Mercury users already know.
In December of 2004, Mercury named SPI Dynamics as its technology partner of the year.
The Key Benefits of QAInspect
Dramatically reduce organizational risk with the most accurate and precise approach to Web application testing for QA testers on the market.
Eliminate the time and expense associated with fixing security defects in applications that are already in production by catching them during QA and fixing them quickly and easily.
Improve communication and security awareness between QA and security departments.
Educate QA teams about security with minimal investment.
The following describes QAInspect's sophisticated application security testing capabilities.
Secure, high-quality software: By incorporating security testing into the overall test management process, you can manage functional, and security testing from a single platform. This allows you to deliver quality applications on schedule at the lowest possible cost.
Ease of use: Only QAInspect completely integrates with Mercury's functional testing products to enable QA professionals to easily conduct and manage security testing in tandem with functional and performance testing.
Integrated defect reporting: Security defects are reported alongside functional defects in the Mercury Quality Center and TestDirector Defect Management modules, allowing you to detect and eliminate security bugs during the development and QA phases of the application development lifecycle.
Concise prioritized vulnerabilities: All QAInspect products quickly find vulnerabilities and automatically prioritize them based on business risk.
Security expert knowledgebase: SPI Dynamics is recognized as the leading web application security company. Our security experts at SPI Labs find and capture all known security vulnerabilities and build that expertise directly into SecureBase, the leading knowledgebase of security vulnerabilities and best practices for fixing them.
Comprehensive vulnerability reporting: All versions have comprehensive reports that provide detailed descriptions of security defects including: the potential business impact if the security defect is exploited, its possible severity, remediation information necessary to resolve the defect, and references for additional research.
Supports regulatory compliance efforts: Both products can be used to track and report progress on security compliance for
Assessment Management Platform (AMP) Software Available – February 2004
What we found from working closely with our customers was that they needed to scale their assessment capabilities across multiple security professionals. They needed to be able to define a standard set of security checks for all security professionals to use. They needed to centralize their assessment data for sophisticated reporting and trend analysis. Most importantly, they needed to be able to control who scanned which applications and when they could scan them. We developed our Assessment Management Platform (AMP) to address all of these problems. To date, we have yet to see a product that matches the capabilities of AMP.
AMP provides scalable, automated, proactive, distributed, and continuous application security assessments and remedies to its customers. AMP enables organizations to conduct an unlimited number of application security assessments while consolidating all security data into a real-time, high-level, information-packed dashboard that displays an enterprise’s current level of risk and policy compliance exposures. AMP consolidates and summarizes all of the application security scanning efforts across the organization so that application security is continuously understood by all. The power and flexibility of AMP can be fully distributed to enable organizations to perform remote Web application security scanning from multiple geographic locations to find and fix Web services security defects and vulnerabilities that jeopardize both custom-built and third-party Web applications.
AMP’s sophisticated assessment management capabilities provide enterprises a way to prioritize vulnerabilities, easily manage the remediation process, and verify the resolution.
The Key Benefits of AMP
Enables developers, quality assurance and security professionals to remove security vulnerabilities early in the software lifecycle thus reducing the risk of security breaches
Enables developers, quality assurance teams and security professionals to focus on remediation of vulnerabilities instead of how and when to perform their scans
Saves security professionals' time by automatically maintaining security awareness across the enterprise.
Simplifies and automates security assurance by consolidating enterprise security data into usable management and audit reports
Enables you to scale the assessment management process without compromising mission-critical runtime applications through granularly controlled user access and information sharing
Improves information sharing across distributed teams through enterprise-wide reporting and centralized security management
Extends the security team with AMP sensors that manage application assessments without hands-on user interaction
Security professionals are constantly balancing limited resources against ever-increasing assessment needs. As more people across the organization assess more applications, the process becomes exponentially more complicated. An automated solution that enables users to manage the assessment process and gather the results in a central location is critical. Furthermore, security professionals must be able to control both access and timing of assessments. The following describes AMP’s sophisticated management capabilities.
Maintain continuous security awareness - AMP's sophisticated management capabilities automatically keep up with an organization’s numerous Web applications and security activities so that security professionals don't have to. AMP aggregates Web application security data from the entire organization to give the current state of security whenever it's needed. AMP's scheduling capabilities offer the flexibility to scan applications when it makes the most sense for the business and network.
Complete more assessments without more resources - AMP's distributed scan architecture allows for simultaneous scanning of multiple applications so that security teams can scan more applications without more resources. It does this by enabling users to manage user-controlled scan clients such as SPI Dynamics' WebInspect and QAInspect or to control remote scan sensors that perform fully automated assessments. Advanced users can continue to use SPI Dynamics' desktop application scanners for complex custom applications while still gaining the benefits of centralized assessment management through AMP. Additionally, users can configure AMP to discover sites and scan them for vulnerabilities.
Centrally manage distributed teams - AMP's sophisticated management capabilities give powerful granular control over user access, scan rights, reports and assessment schedules so that users can determine which sites are scanned, when they can be scanned, and who can scan them. AMP extends the security team by enabling security professionals to activate and schedule managed application assessments. Security professionals can track all application security activity across the enterprise through AMP's advanced security and audit logging. Engineers performing security assessments in the field can disconnect from AMP and then synchronize their results when they reconnect.
Detailed reporting - AMP centralizes all assessment results in one database, giving security professionals a snapshot view of the organization's state of security. Additionally, AMP helps you track application security trends across all applications over time. This centralized data eliminates the need for collecting assessment results from security professionals and manually creating reports. AMP’s executive dashboard includes the critical metrics you need to monitor application security across development, quality assurance and production. The dashboard highlights critical issues based on a weighted vulnerability scoring system. The dashboard’s drill-down capability allows you to find the specific details of which web sites are the most vulnerable. All report data can be exported in an XML format so that it can be imported into other applications as needed.
Find security vulnerabilities throughout the application lifecycle - All of SPI Dynamics' products are designed to help organizations save time and money by catching security defects as early in the application development lifecycle as possible. AMP is the platform that brings all of these products together: DevInspect™ for developers, QAInspect™ for quality assurance professionals and WebInspect™ for security professionals. These products help find security defects early and continuously monitor security throughout the life of the application.
Integrates with your environment - It is easy to customize AMP for your environment. AMP's Web services API provides many ways to integrate with existing systems. AMP sensors connect with the AMP Manager using a fault-tolerant network transport to ensure scan data is never lost on even the most distributed networks.
DevInspect Software Available – June 2004
The logical evolution of the story led us to develop an offering for developers that enables them to find security defects during development and unit test before QA teams even see the applications.
Initially, the product was announced as WebInspect for Developers with Secure Objects™ technology. The product is now called DevInspect™.
DevInspect accelerates the construction and delivery of secure Web applications and Web services by finding and fixing security vulnerabilities during the development process and then protecting applications after deployment. DevInspect applies the most innovative vulnerability analysis and remediation techniques available to pinpoint and correct security defects before they are released into production where they can expose assets to serious threats.
DevInspect is the first and only fully integrated solution that empowers developers without security expertise to proactively “find and fix” security defects within code at the beginning stages of development, while requiring “zero change” in their existing development process to avoid any delay in the time to market. DevInspect is a natural extension to development processes, helping software development organizations eliminate common security defects that allow attackers easy access to proprietary and confidential company information. By providing DevInspect, SPI Dynamics offered an easily digestible approach that instantly addressed the core issue of insecure software – improperly written code.
DevInspect™ simplifies security for developers by automatically finding and fixing application security defects and enabling developers to build secure Web applications and Web services quickly and easily, without impacting schedules or requiring security expertise.
Ultimately, through a partnership with Microsoft, DevInspect became a product that is deeply integrated into Microsoft Visual Studio .NET.
The Key Benefits of DevInspect
Dramatically reduce organizational risk with the most accurate and precise approach to Web application testing for developers on the market.
Eliminate the time and expense associated with fixing security defects in applications that are already in production by catching them during development and fixing them quickly and easily.
Improve communication and security awareness between development and security departments.
Educate developers about security with minimal investment.
Now developers and testers have powerful tools to find – and seal – security holes during the build cycle. (And we mean the discovery of true vulnerabilities here, not the false positives.) The following describes DevInspect's sophisticated application security testing capabilities.
Find vulnerabilities with unmatched accuracy and precision - DevInspect provides unmatched accuracy and precision by identifying only real security vulnerabilities in the application, rather than pointing out potential problems based on source code and conjecture. DevInspect quickly finds vulnerabilities and shows precisely where they exist so that remediation is quick and easy. All identified vulnerabilities are automatically prioritized based on a combination of impact and probability to assess risk to your business. DevInspect's SmartUpdate feature automatically updates the product with the latest vulnerability checks from SPI Labs.
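The prioritization by a combination of impact and probability described here, and the weighted per-site dashboard with XML export described under AMP's detailed reporting above, as one added example in Python. It is not DevInspect's or AMP's code: the 1..4 ordinal scales, the critical threshold, the site names and the sample findings are all constructed for illustration and are not the products' actual scoring scheme.

```python
"""Added example, not SPI Dynamics code: prioritise findings by impact x
probability, roll them up per site for a dashboard, and export as XML.
Scales, threshold and sample findings are constructed for illustration."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, List

# Assumed ordinal scales (constructed): higher means worse / more likely.
IMPACT = {"low": 1, "medium": 2, "high": 3, "critical": 4}
PROBABILITY = {"unlikely": 1, "possible": 2, "likely": 3, "confirmed": 4}


@dataclass
class Finding:
    site: str
    check: str
    impact: str
    probability: str


def risk_score(f: Finding) -> int:
    """Impact times probability on the 1..4 scales, so a value in 1..16."""
    return IMPACT[f.impact] * PROBABILITY[f.probability]


def prioritize(findings: List[Finding]) -> List[Finding]:
    """Highest risk first; ties broken by site and check so reports are stable."""
    return sorted(findings, key=lambda f: (-risk_score(f), f.site, f.check))


def dashboard(findings: List[Finding], critical_threshold: int = 9) -> Dict[str, Dict[str, int]]:
    """Per-site roll-up: weighted total, count at or above the threshold, count overall."""
    board: Dict[str, Dict[str, int]] = {}
    for f in findings:
        row = board.setdefault(f.site, {"weighted_score": 0, "critical": 0, "findings": 0})
        score = risk_score(f)
        row["weighted_score"] += score
        row["findings"] += 1
        if score >= critical_threshold:
            row["critical"] += 1
    return board


def most_vulnerable(findings: List[Finding]) -> str:
    """Drill-down target: the site with the highest weighted total, which is
    not necessarily the site holding the single worst finding."""
    board = dashboard(findings)
    return max(board, key=lambda site: board[site]["weighted_score"])


def to_xml(findings: List[Finding]) -> str:
    """Export in priority order; each finding carries its computed score."""
    root = ET.Element("assessment")
    for f in prioritize(findings):
        ET.SubElement(root, "finding", site=f.site, check=f.check,
                      impact=f.impact, probability=f.probability,
                      score=str(risk_score(f)))
    return ET.tostring(root, encoding="unicode")


# Constructed sample findings (scores in comments).
SAMPLE = [
    Finding("shop.example", "reflected-input", "high", "confirmed"),           # 12
    Finding("shop.example", "verbose-error", "low", "likely"),                 # 3
    Finding("intranet.example", "missing-auth-check", "critical", "possible"), # 8
    Finding("intranet.example", "directory-listing", "medium", "confirmed"),   # 8
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE):
        print(risk_score(f), f.site, f.check)
    print(dashboard(SAMPLE))
    print("most vulnerable:", most_vulnerable(SAMPLE))  # intranet.example
    print(to_xml(SAMPLE))
```

With the sample data the single highest-risk finding is on shop.example, but the weighted roll-up ranks intranet.example first (16 versus 15), which is the kind of distinction a per-site dashboard exists to surface. The threshold that decides what counts as "critical" is a policy choice, so it is a parameter rather than a constant buried in the scoring.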
Automatically fix vulnerabilities with SecureObjects™ - DevInspect is the only security product available that automatically fixes security defects. DevInspect's SecureObjects security vulnerability remediation technology enables a developer to write secure code from the beginning and harden their applications against attack. SecureObjects automatically fixes security defects by pinpointing the vulnerable code and applying secure code to reduce the application's attack surface. Developers maintain total control of the fixes through the option to automatically correct their code using the secure coding library or by using the advice and examples to correct it themselves. SecureObjects also locks down Web application configuration settings to prevent attacks after deployment.
Protect deployed applications - SecureObjects continues protecting an application after deployment by detecting and preventing attacks. SecureObjects prevents malicious input from penetrating an application and recognizes attack patterns to actively detect and prevent successful hack attempts. Security event logging captures attempted attacks so that security and operations professionals can take action to protect assets. By applying SecureObjects, developers can prevent high-risk Web application attacks in production, including SQL Injection, Cross Site Scripting (XSS), Buffer Overflows and Directory Traversal attacks.
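The shape of the idea in the two paragraphs above, a secure-coding library whose wrappers both prevent the classic input attacks and record a security event when input is rejected, as an added example in Python. This is not SecureObjects and not DevInspect code (SecureObjects targets .NET; the technique is language-neutral): the wrapper names, the username allowlist, the document root `/srv/app/docs`, the in-memory database and the event list standing in for a log sink are all constructed for the example.

```python
"""Added example, not SPI Dynamics' SecureObjects: secure constructions for
SQL injection, XSS and directory traversal, each of which logs a security
event when it rejects input so operations staff have something to act on.
Application, database and log store are constructed in memory."""
import html
import re
import sqlite3
import time
from pathlib import PurePosixPath
from typing import List, Optional

# Constructed stand-in for a syslog/SIEM sink.
SECURITY_EVENTS: List[dict] = []


def log_event(kind: str, field: str, value: str) -> None:
    # Truncate the offending value so the log itself cannot be flooded.
    SECURITY_EVENTS.append({"ts": time.time(), "kind": kind,
                            "field": field, "value": value[:80]})


def render_greeting(name: str) -> str:
    """XSS: never interpolate raw input into HTML; encode on output, quotes included."""
    return f"<p>Hello, {html.escape(name, quote=True)}</p>"


USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")  # assumed allowlist


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE)")
    conn.executemany("INSERT INTO users (username) VALUES (?)", [("alice",), ("bob",)])
    return conn


def find_user(conn: sqlite3.Connection, username: str) -> Optional[tuple]:
    """SQL injection: validate against the allowlist and log rejects, then bind
    the value as a parameter. The binding is what actually prevents injection;
    the allowlist is a policy layer that also gives the log a clean signal."""
    if not USERNAME_RE.match(username):
        log_event("input-rejected", "username", username)
        return None
    cur = conn.execute("SELECT id, username FROM users WHERE username = ?", (username,))
    return cur.fetchone()


DOC_ROOT = PurePosixPath("/srv/app/docs")  # assumed document root


def resolve_document(requested: str) -> Optional[str]:
    """Directory traversal: normalise '.' and '..' lexically, then confine the
    result to DOC_ROOT. PurePosixPath never touches the file system, so this
    check is safe to run before any open()."""
    candidate = DOC_ROOT / requested          # an absolute 'requested' replaces the root entirely
    parts: List[str] = []
    for p in candidate.parts[1:]:             # skip the leading '/'
        if p == "..":
            if parts:
                parts.pop()
        elif p != ".":
            parts.append(p)
    normalised = PurePosixPath("/", *parts)
    if normalised != DOC_ROOT and DOC_ROOT not in normalised.parents:
        log_event("path-escape", "document", requested)
        return None
    return str(normalised)


if __name__ == "__main__":
    conn = make_db()
    print(render_greeting("<b>guest</b>"))
    print(find_user(conn, "alice"), find_user(conn, "o'brien"))
    print(resolve_document("guide/intro.html"), resolve_document("../../secret.txt"))
    for event in SECURITY_EVENTS:
        print(event["kind"], event["field"], repr(event["value"]))
```

Two practitioner caveats are visible in the code. First, the strict username allowlist rejects a legitimate name such as o'brien; it is the bound parameter, not the allowlist, that keeps the query safe, so the allowlist can be relaxed to fit the application without reopening the injection risk. Second, the path check is lexical only: it confines the string, and a deployment that allows symlinks under the document root still needs a real-path check at open time.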
Educate developers by sharing knowledge and data - DevInspect offers pre-packaged Web application security expertise. Developers improve their security expertise while securing their applications with DevInspect through SecureBase, the leading knowledgebase of security vulnerabilities and best practices for fixing them. SPI Dynamics is the recognized leader in Web application security and our security experts at SPI Labs find and capture all known security vulnerabilities. DevInspect is the only developer security product that includes daily vulnerability check and description updates.
Visual Studio Integration - DevInspect features the deepest and most intuitive Visual Studio integration available in the security industry. DevInspect is designed to fit naturally with the way a developer works every day so that secure development becomes as familiar as coding and unit testing. Developers can secure their application and improve their security expertise during any phase of development without ever leaving the Visual Studio IDE.
Secure Software Forum – February 2005
As part of its continuing efforts to increase Web application security awareness and education, SPI Dynamics launched the Secure Software Forum in San Francisco in February 2005 with a blue ribbon panel discussion and a keynote presentation by Oracle CSO Mary Ann Davidson. The presentation helped to bring widespread awareness of the need for security throughout the application development life cycle. The SSF was created by SPI Dynamics as a vendor agnostic educational initiative to bring awareness to all entities within the development life cycle. Cosponsors of the initiative included Microsoft, Mercury, ISSA, and others. Throughout the calendar year, Microsoft and SPI Dynamics continued to collaborate on this initiative through long-term educational programs focused on secure software development. These initiatives included a series of free international workshops detailing underlying vulnerabilities, or defects, in application code that allow hackers to gain access to corporate information, as well as demonstrations of live Web hacks, such as SQL Injection and Cross-Site Scripting, that take advantage of these vulnerabilities alarmingly present in most applications. In addition, the Secure Software Forum 2005 initiatives included executive-level roundtable dinners and Webcasts hosted by SPI Dynamics and Microsoft that encouraged information sharing on implementing secure coding best practices and processes within an organization.
Even now, Web application security remains a relatively new – and largely misunderstood – segment within the broader Internet security market. That’s why education is such an important aspect of what Sima has contributed to the industry during the past five years through his primary Web application research, writing, and speaking at major conferences.
With more than a year of this program underway, there’s a clear understanding that building quality software depends upon optimizing three fundamental pillars: People, Process and Technology. Additionally, an executive-level commitment to building security into underlying methodologies is needed through the creation of internal Application Security Assurance Programs (ASAP) – a concept SPI Dynamics introduced during the 2005 Secure Software Forum initiative.
Unprecedented Growth and Prestigious Accolades – 2005
From a corporate growth perspective, during 2005, SPI Dynamics continued its rapid acceleration to maintain its status as the undisputed expert in Web application security. Through the year, the company added more than 250 new customers while growing revenues more than 70 percent and increasing profitability. Customer retention and maintenance renewal rates exceed 97 percent. SPI Dynamics has more than twice as many customers as any of its competitors, and the addition of its DevInspect™ and QAInspect™ products (extensive product integrations with Microsoft and Mercury Interactive) has led to further acceleration in product deliveries to software developers and quality assurance professionals. In September, SPI Dynamics’ WebInspect software was named the “Tester’s Choice” by Secure Enterprise in a comparative review of leading application security products, where it was noted that “WebInspect strikes a perfect balance between ease-of-use and powerful protection.”
QAInspect for IBM Rational Software Development Platform (SDP) Available – June 2006
Throughout 2006, we have been working closely with IBM to integrate the QAInspect Enterprise security testing products with IBM’s Rational Software Development Platform. QAInspect now integrates with both Mercury and IBM functional testing products, which together make up the significant majority of the testing market. This integration allows Quality Assurance (QA) professionals to analyze Web applications for security defects from within the IBM Rational Software Development Platform, and enables them to use this single platform to plan, execute and manage automated Web application security testing. The collaboration between SPI Dynamics and IBM expands the Rational Quality Assurance Solution through joint marketing and sales enablement programs.
As recently noted by Gartner analysts Amrit Williams and Neil MacDonald in a research report titled “Integrate Security Best Practices and Tools Into Software Development Life Cycle” (10 Feb. 2006): “Organizations need to integrate security best practices, security testing tools and security-focused processes into their software development life cycle. Proper execution improves application security, reduces overall costs, increases customer satisfaction and yields a more-efficient SDLC.”
Organizations using the IBM Rational Software Development platform can now meet quality and security standards for Web applications throughout the Software Development Lifecycle.
SPI Dynamics 2006 and Beyond
Today, SPI Dynamics’ customers include many of the world’s largest public companies and government organizations. The company currently has more than 700 customers, including Microsoft, Regions Bank, Bank of America, Oracle, Pentair, General Motors, EarthLink, University of Missouri, PwC and MD Anderson, with a high percentage in the financial, telecommunications, health care, manufacturing and government verticals. The demand for Web application security solutions, and the reach of SPI Dynamics’ deployed solutions, spans all vertical markets.
SPI Dynamics’ business is fundamentally different than previous generations of security solutions, because application security is truly a life cycle requirement. Therefore, products must be produced and delivered to a number of constituencies throughout the global enterprise, including software developers, quality assurance professionals, security professionals, and auditors. With the exception of security professionals, all of these represent substantial new markets.
SPI Dynamics, largely due to the leadership and vision provided by Caleb Sima, will continue to strive to provide the tools organizations need to develop the most secure Web applications possible – by focusing on helping them to develop the most error-free and quality source code possible. A critical part of this effort will be to continue the industry education and thought leadership sparked by Sima more than six years ago, and continue to evangelize the global mandate to improve software security and the overwhelming need for an executive-level commitment to building security into underlying methodologies.
Hackers are a creative bunch, so we have to move pretty quickly to beat them at their own game. Is it tiring to stay as far ahead in the market as we are? Not really. Frankly, we’re having too much fun to go at any other pace. We have a superb group of folks who know application security inside and out. That, plus an excellent management team and a knack (knock wood) for keeping a snug fit between our vision and execution, makes this a pretty impressive place to work. Good people beget good software. Not that you should take our word for it. The Atlanta Business Chronicle named SPI Dynamics to its list of “A+ Employers,” and our products have been honored at Microsoft’s Windows Products of the Year awards.
There’s another reason we’re focused on staying ahead: we think the future is too interesting not to get there in a hurry. As technologies evolve, hackers get more and more sophisticated. So do we. For example: what if there were security software that could not only anticipate threats against an application but respond to them, real-time, like an immune system producing antibodies to fight off bacteria? At SPI Dynamics, the future is closer than you think…
SPI Dynamics’ end users, who include security professionals, compliance auditors, developers and quality assurance professionals, have gained the ability to quickly scan their Web applications to pinpoint security vulnerabilities. These users have expert advice packaged in sophisticated software that can be used to find and remediate vulnerabilities quickly and easily. SPI Dynamics’ products have essentially put Web application security expertise into the hands of thousands of people who don’t have time to keep up with the dynamic nature of Web application security.
Our customers, industry analysts and the latest reports on Web applications security have helped us to see that the dynamic nature of Web application security requires multiple approaches for the most precise results. Today’s Web security solutions must deliver unprecedented accuracy and address a wide scope of coverage. Next generation scanning software is adaptive in nature and driven by an underlying sophisticated logic where the overall goal is not more checks, but more intelligent engines. Complete solutions take a hybrid approach that includes both source code analysis and black box testing for unmatched accuracy and precision. As mature organizations continue to scale their application security assessment practices across the enterprise and throughout the software development lifecycle, this collective approach to Web application security necessitates a combination of software and services to maximize results. This is the Next Generation of Web security.
1. The Web Application Security Experts
SPI Dynamics is widely known as the web application security experts. We are the only company that focuses exclusively on Web security, and have done so for over five years. SPI Labs, our research and development group, is the largest single assembly of Web application security experts in the world. We build SPI Labs’ Web security expertise directly into our suite of products and services that support the entire Web application lifecycle.
2. Intelligent Engines Combined with Static Checks
SPI Dynamics’ scanning architecture includes the most extensive database of checks and intelligent engines that interrogate applications using a logic-based approach to find the most vulnerabilities with the fewest false positives.
3. Combination of Black Box Testing with Source Code Analysis
Our suite of products is one of the first to announce a combination of source code analysis with black box testing for optimal scanning results. On June 5, 2006, Gartner analysts Neil MacDonald and Joseph Feiman announced that the combination of these technologies is critical to successfully finding application security defects and recommended that organizations incorporate such technology into their Web application security approach.
4. Software Throughout the Lifecycle and Across the Enterprise
Organizations need to address Web application security in each phase of the software development life cycle but also to scale assessments across the enterprise. SPI Dynamics’ Assessment Management Platform (AMP) is the first and only available fully distributed and scalable Web application assessment platform for proactive enterprise-wide security risk management and regulatory compliance. It truly enables an organization to cross-reference and encourage cooperation among the activities of developers, QA, and security professionals in their efforts to find and fix Web application security issues.
SPI Dynamics is committed to continuing to provide its customers with the latest Web application security research and the best Web application security and assessment products, to ensure that its customers can develop the most secure applications possible.
Caleb Sima is widely known within the Internet security community for his expertise in penetration testing and his ability to identify emerging security threats. He began his security career at the age of 16 at S1 Corporation and then went on to Internet Security Systems as a member of its prestigious X-Force research team. There, he focused on the research and development of security advisories. Some of Sima’s engineered exploits gained media attention in publications such as the New York Times and the Washington Post. His work has also been featured by US News and World Report, Security World magazine and the Associated Press. It was during his activities as a professional penetration tester that Caleb Sima recognized that most organizations were susceptible to attack through their Web applications. That’s when he envisioned a new technology that could enable organizations – even those that lacked application security expertise – to diligently assess application security risks and effectively remedy the problems. Soon thereafter, Sima began to work on developing the product WebInspect, which would become the foundation for the company he would co-found in 2000: SPI Dynamics Incorporated. To this day, SPI Dynamics’ intellectual property is based on the application security vision with which Sima founded the company. And he continues to lead the SPI Labs’ Research and Development team to hone and perfect the company’s Web application security technologies. In his spare time, Caleb enjoys riding motorcycles and spending time with friends.
SPI Dynamics, Inc 115 Perimeter Center Place, N.E. Suite 1100 Atlanta, GA 30346 USA Toll-Free: 1.866.SPI.2700 (1.866.774.2700) Telephone: 678.781.4800 Fax: 678.781.4850
Copyright © 2006 Silicon Valley Communications - All rights reserved.