Monday, October 11, 2010

WebInspect Trial versus Evaluation license

Here is something that is not very complicated, but also not well understood by people first encountering WebInspect: the Trial License process.

Since WebInspect is freely available for download (https://download.hpsmartupdate.com/webinspect/), anyone can install it and request a Trial License. This happens when the product is launched for the first time and detects that no license has been applied. A form is offered, and the user completes it with a valid e-mail address to receive the 15-day trial key almost immediately in their mailbox. They return to WebInspect, paste in the activation token, and are off to the races. The Trial version of WebInspect is completely full-featured in all respects except one: it can only scan HP's demo web server, http://zero.webappsecurity.com.

Now this makes sense. As an automated tool that finds flaws in web sites, and whose crawling traffic could conceivably cause undue server load or extraneous effects, WebInspect is essentially a weapon that a L33T script kiddie would love to have for free. So it is hobbled in this one respect. Clients can still exercise its Report engine, configure scans, and so on to their heart's content.

Now here's where it gets strange, and where many clients and Sales reps seem to misunderstand. The Trial license is not an "Evaluation" license. The Evaluation license is simply the same activation token modified by an HP Sales rep or engineer to permit scans against any desired IP address and to extend it beyond the simple 15-day period. There is no cost to getting this license either, other than being a serious client and opening a dialog with your HP Sales rep.

Some would say the Evaluation license should never be given out, because the client will just fix their issues and then fade away without purchasing. This is counter to the understanding that security testing needs to be carried out full-time as part of a mature and ongoing Software Development Process (SDLC). Sure, the immediate issues were found, but the true value of the tool is in verifying this same correction for all applications, both live and in development, in perpetuity.


QAInspect for Quality Center and HP AMP (Assessment Management Platform) also offer the Trial vs. Evaluation license scenario described above. Both of these products are a bit more involved in terms of the supporting installations required, so most clients never start off with the Trial licenses without also being in touch with their HP Sales rep.


