Jeremy Kirk, IDG News Service
Thursday, July 03, 2008 5:20 AM PDT
Google has released for free one of its internal tools used for testing
the security of Web-based applications.
Ratproxy, released under an Apache 2.0 software license, looks for a
variety of coding problems in Web applications, such as errors that
could
allow a cross-site scripting attack or cause caching problems.
"We decided to make this tool freely available as open source because we
feel it will be a valuable contribution to the information security
community, helping advance the community's understanding of security
challenges associated with contemporary web technologies," wrote
Google's
Michal Zalewski on a company security blog.
(http://googleonlinesecurity
ive-web-security.html
Ratproxy -- released as version 1.51 beta -- is quick and less intrusive
than other scanners in that it is passive and does not generate a high
volume of attack-simulating traffic when running, Zalewski wrote. Active
scanners can cause problems with application performance.
The tool sniffs content and can pick out snippets of JavaScript from
style
sheets. It also supports SSL (Secure Socket Layer) scanning, among other
features.
Since it runs in a passive mode, Ratproxy highlights areas of concern
that
"are not necessarily indicative of actual security flaws. The
information
gathered during a testing session should be then interpreted by a
security
professional with a good understanding of the common problems and
security
models employed in web applications," Zalewski wrote.
Google has posted an overview of Ratproxy as well as a download link to
the source code. Code licensed under the Apache 2.0 license may be
incorporated in derivative works, including commercial ones, but the
origin of the code must be acknowledged.
Weak web application security continues to embarrass companies,
potentially causing the loss of customer or financial data.
A 2006 survey by the Web Application Security Consortium found that
85.57
percent of 31,373 sites were vulnerable to cross-site scripting attacks,
26.38 percent were vulnerable to SQL injection and 15.70 percent had
other
faults that could lead to data loss.
As a result, security vendors have moved to fill the need for better
security tools, with large technology companies acquiring smaller,
specialized companies in the field.
In June 2007, IBM bought Watchfire, a company that focused on Web
application vulnerability scanning, data protection and compliance
auditing. Two weeks later, Hewlett-Packard said it would buy SPI
Dynamics,
a rival of Watchfire whose software also looks for vulnerabilities in
Web applications as well as performing compliance audits."
See also
http://code.google.com/p
http://code.google.com/p
No comments:
Post a Comment