Friday, October 29, 2010

Differences between WebInspect, QAInspect & AMP.

The three dynamic web application security scanner products now produced at the HP Application Security Center (HP ASC) are WebInspect, QAInspect for HP Quality Center, and the Assessment Management Platform (AMP). These were all originally developed by SPI Dynamics and acquired by HP Software in 2007. All share the same vulnerability database that has been in development since 2000, and they share the same scanning engine and auditing framework. They differ on their interfaces and target audiences as will be described below.

A fourth component will be joining these soon, Fortify's code analysis suite of products. This will be integrated and sold via the same development and sales organization, bolstered by the Fortify staff. However, these products have a different heritage/history and target focus. It remains to be seen which vulnerability database will be merged, or if that will be possible given the differences between SAST and DAST testing.

  • SAST = Static Analysis Security Testing
  • DAST = Dynamic Analysis Security Testing


WebInspect was designed with the penetration tester in mind. It is a workstation implementation meaning that it runs on a Windows laptop, PC, server, or Virtual Machine, using a Microsoft SQL database as its scan repository. It offers a variety of automated scan methodologies as well as List-Driven and Workflow Driven (Start Macro) options to feed the crawler. It also offers a Manual method permitting the expert to perform the crawling with their own browser while WebInspect audits either afterwards or during this activity. WebInspect is capable of Interactive scans, helping deal with anti-automation techniques such as virtual keyboards or CAPTCHAs or two-factor client authentication requirements such as US CAC cards or RSA ID tokens.

WebInspect provides substantial raw details on the results beyond the verbose remediation data. The scan results may also be exported to an XML file for transport to other security systems or reporting databases. The Report engine offers a series of canned templates from HP, each with its own sub-options, as well as a Report Designer tool for maximum control over the output. The Compliance reports include twenty-three industry templates as well as its own tool for customizing templates.

The secondary tools included with WebInspect are similar to those any consultant might have in their workbench, but these have been written by HP and integrated into the product. These include a web intercept proxy, a SQL injector, web fuzzer, server profilers, regular expression studio, as well as tools to record login macros or to manage the crawler's form values.


AMP is capable of performing the same automated crawling and auditing as offered within WebInspect, but not the Manual Step-Mode method. The AMP interface requires only a browser, Firefox or MSIE supported, permitting multiple users to generate reports, review findings, or start assessments via remote connected scan engines known as AMP Sensors. In this respect AMP serves as a shared platform for generating dynamic assessments.

Separately, AMP performs as a collation point for all the web app vulnerabilities and reporting within the entire organization, and WebInspect, QAInspect, and Fortify 360 can all be linked to it for uploading of their scan results. This allows AMP to collect and manage the scan results from these varied input points. Using granular security controls (Hierarchical and Roles Based), AMP can limit the resources and results that particular teams or individuals have access to within the interface. The Roles are linked with the user's existing Active Directory or LDAP authentication system so the AMP administrators do not have to deal with a usernames/password management system.

QAInspect for Quality Center

QAInspect is a mature integration plug-in for HP Quality Center, going back to the days when HP QC was known as Mercury's Test Director. QAInspect came about when QA testers found their security teams were identifying defects with WebInspect that could not be tested in the QA cycle, and effectively delaying product releases. They asked for a tool that would permit them to find these same issues themselves, however it must A) not require them to become security experts and B) not require them to use and learn some new tool. QAInspect is fully integrated inside QC so that these two requirements have been met.

With QAInspect, security testing can be completed earlier in the lifecycle, with the results being automatically generated within QC's Defect Tracking Module. This automatic behavior can be throttled by the user, such as dropping all vulnerabilities to a Staging Area for manual "publish" to QC, rolling up identical vuln types into single defects, or rolling up all vulns per page into single defects. Even though both WebInspect and AMP have the ability to send select findings into QC, QAInspect manages these in bulk. In addition, when all those defects come back marked as "Fixed", the QA tester simply re-runs the same Test Run and all corrected defects will be automatically updated to a "Closed" status.

QAInspect 8.0 offers a management tool permitting the QC project leader to pre-define all aspects of the Test Run templates. This helps the project team utilize QAInspect tests in a uniform manner as their manager requires. QAInspect offers the same Reporting engine capabilities as WebInspect. Furthermore, linking QAInspect with AMP allows the results to not only become defects within QC, but also to have the test results uploaded and included in the AMP Dashboards automatically.

The primary aim of the HP Application Security Center is to enable organizations to perform automated security testing. The products attempt to be organic in their growth and integration options, as well as to provide equivalent results and descriptions. One may acquire them all at once, or piecemeal as needed. The addition of Fortify's solutions should expand the SAST and DAST capabilities and integrations of this product set going forward.


No comments:

Post a Comment