"We are seeing the proliferation of modern applications, and with that, an astounding number of vulnerabilities that simply couldn't be detected with any automated solution," says Dan Kuykendall, co-CEO and CTO of NT OBJECTives. "When you really test them well and get into places where existing scanners can't go, you find a lot of undiscovered vulnerabilities. These new technologies are giving hackers easily exploitable vulnerabilities like SQL injection all over again."
By 2015, consumer purchases via mobile phone and tablets are estimated to reach
$1.3 trillion - quadruple the amount today, forecasts Juniper Research. Today, nearly 30% of all shopping sites are using JSON and another 15% of them are using AJAX. That number is expected to increase exponentially as more developers rely on a potpourri of application technologies to build rich and mobile web applications.
"The same old vulnerabilities like SQL Injection and OS Command Injection are now showing up in new places. Hackers are aware of the deficiencies in scanners and know that organizations simply don't have the time, resources or expertise to manually test all their web applications," says Kevin Mitnick, public speaker, consultant, and author of the recently published, Ghost in the Wires:
My Adventures as the World's Most Wanted Hacker. "What NTO is doing is incredibly valuable and particularly leading edge in a market that has been lagging to keep up."
Today, many web scanners can effectively scan HTML4 sites, but are unable to translate and assess the modern technologies that have become increasingly prevalent and necessary to deliver the rich experience users demand. Such scanners can give security teams a false sense of security by appearing to scan these technologies, but in reality they cannot interpret them or automatically create attacks against them. As a result, enterprises are exposed with undiscovered risk, and security teams are left with very little time to properly find these hidden vulnerabilities. A scan's resulting vulnerability report may appear to give a clean bill of health, but it failed to test the entire application.
NTOSpider addresses this problem, through the use of a new, innovative patent-pending Universal Translator technology. NTOSpider 6.0 has the ability to understand these new formats, protocols and development technologies, translate them to a common schema, and then launch simulated attacks that penetrate the back-end systems where vulnerabilities and threats exist.
NTOSpider Key Benefits
About NTO Spider 6.0
Available today, NTOSpider 6.0 provides the most comprehensive, automated coverage of Mobile, AJAX, SOAP, JSON and other modern application technologies.
NTOSpider 6.0 provides security professionals with the following major benefits:
-- Broader coverage: NTO's new Universal Translator provides rapid, broad
coverage of complex, modern applications with an automated tool
requiring minimal per scan manpower.
o Mobile - Moving beyond just scanning "mobile friendly web
applications", NTOSpider can scan the backend services that power true
mobile applications (those you install on your device). This includes
mobile applications using popular formats including JSON, REST, and
XML, as well as the ability to handle custom formats
o RIA - Dynamically crawls and imports recorded traffic from Rich
Internet Applications including AJAX, JSON, REST, JQuery, GWT, and
Flash Remoting (AMF), in order to automate attacking of these complex
o Web Services - It enables simulated attacks of web services by
detecting the client traffic, to decode and attack popular formats
including SOAP, REST, XML and JSON
-- CSRF protected sites: Performs XSRF token detection to enable collection
and use of valid tokens during each attack.
-- Increased level of automation: Execute repeatable, rapid and
comprehensive automated application security testing
-- Reduces risk: Systematically reduce risk more effectively than ever
before by leveraging a more automated process
-- Frees pen testers: Free up expert pen testers to test the parts of the
application that must be tested manually like business logic.
Additionally NTOSpider 6.0 also includes a new user interface, event-based training macros and improved reporting capabilities and automatic version updates.
For more information or to access a free trial visit www.ntobjectives.com/security-software/ntospider-trial-download-request/
Individuals interested in learning more about web application technologies are invited to access NTO's most recent whitepaper, The Widening Web Application Security Scanner Coverage Gap in RIA, Mobile and Web Services: Is Your Scanner like the Emperor's New Clothes?, a research report that identifies nine common underlying web application technologies in mobile applications, Rich Internet Applications (RIA) and web services being overlooked by today's scanners with practical guidance on how to improve security efficiency and effectiveness with each.
About NT OBJECTives
NT OBJECTives (NTO) is a provider of most automated, comprehensive and accurate web application security software, services and SaaS. NTO has been dedicated to solving the most difficult application security challenges for over 10 years.
NTO's software, SaaS and services solutions are designed to help organizations build the most comprehensive, efficient, accurate web application security program. NT OBJECTIVES is privately held with headquarters in Irvine, CA. For more information visit www.ntobjectives.com or follow us on Twitter @ntobjectives or @dan_kuykendall.