Indeed, what about HP QAInspect? I am amazed this product has not taken the Quality Center installation market by storm, or at least as much of the market as QTP has. QAInspect finds most of the same things WebInspect does, has the same report options and most of the same tools, can schedule or run tests from remote QAInspect-enabled hosts, has a better and richer real-time scan UI than previous QAInspect releases, and has the ability to control or throttle the findings prior to delivery into QC. What's not to love?
Let's look at the QAInspect line. This product was created in 2003/2004 by SPI Dynamics. Their customers came to them because security teams had acquired the shiny new WebInspect scanner, and suddenly all their projects were being held up prior to release due to unforeseen security defects found during pre-production security scans. So the customers wanted something to find these defects themselves, earlier, where they could be fixed more cheaply and without the security team acting so superior. But they had two caveats. One, they did not want to become security experts or ethical hackers themselves. Two, they did not want to be forced to learn and integrate yet another tool. With Mercury's Test Director owning the testing market, SPI Dynamics naturally built "QAInspect for Test Director". They even built a "QAInspect for IBM ClearQuest", but that market was substantially smaller and that product eventually reached end of life. In 2007 HP Software acquired Mercury, and then SPI Dynamics, and this same tool became known as "HP QAInspect for HP Quality Center", although it works with either Quality Center (QC) or the new HP Application Lifecycle Management (ALM) product.
Yet when was the last time anyone saw a demonstration of Quality Center or ALM where the presentation even discussed or included security testing? They currently show many other plug-ins that fit the QA auditing mindset (and HP has a lot of great ones in the stable), but security testing still seems to be held at arm's length. It seems that the QA audience is still reluctant to look into security testing, even to this date, and the vendors are not leading them there much either.
The fact is, security testing needs to be done by many more teams than the security office. Who better to know the application under test than the QA group? Who has more manpower and equipment at their disposal? Who already performs or attempts to perform 100% functional code coverage with automated testing? So if that same (overworked) team can be augmented with a solution that works inside their current environment and processes and that allows them to fulfill their mandate to produce good software, why has it not been snapped up? By finding defects earlier with an automated scanner, they should see savings in rework time, as well as an improvement in departmental reputation. By testing all of the application for the simpler things, the QA group frees the security team to focus on the tougher application logic issues and to serve in an advisory role to the QA group performing security testing.
I will follow this posting up with some entries specifically on working with QAInspect and HP ALM, the latest "version" of Quality Center.
~~ Habeas Data
Friday, February 11, 2011
Friday, October 29, 2010
Differences between WebInspect, QAInspect & AMP.
The three dynamic web application security scanner products now produced at the HP Application Security Center (HP ASC) are WebInspect, QAInspect for HP Quality Center, and the Assessment Management Platform (AMP). These were all originally developed by SPI Dynamics and acquired by HP Software in 2007. All share the same vulnerability database, which has been in development since 2000, and they share the same scanning engine and auditing framework. They differ in their interfaces and target audiences, as described below.
A fourth component will be joining these soon: Fortify's code analysis suite of products. This will be integrated and sold via the same development and sales organization, bolstered by the Fortify staff. However, these products have a different heritage and target focus. It remains to be seen which vulnerability database will be merged, or whether that will be possible at all given the differences between SAST and DAST testing.
WebInspect
WebInspect was designed with the penetration tester in mind. It is a workstation implementation, meaning that it runs on a Windows laptop, PC, server, or virtual machine, using a Microsoft SQL database as its scan repository. It offers a variety of automated scan methodologies as well as List-Driven and Workflow-Driven (Start Macro) options to feed the crawler. It also offers a Manual method permitting the expert to perform the crawling with their own browser while WebInspect audits either afterwards or during this activity. WebInspect is capable of Interactive scans, which help deal with anti-automation techniques such as virtual keyboards or CAPTCHAs, or two-factor client authentication requirements such as US CAC cards or RSA ID tokens.
WebInspect provides substantial raw details on the results beyond the verbose remediation data. The scan results may also be exported to an XML file for transport to other security systems or reporting databases. The Report engine offers a series of canned templates from HP, each with its own sub-options, as well as a Report Designer tool for maximum control over the output. The Compliance reports include twenty-three industry templates as well as its own tool for customizing templates.
The secondary tools included with WebInspect are similar to those any consultant might have in their workbench, but these have been written by HP and integrated into the product. These include a web intercept proxy, a SQL injector, web fuzzer, server profilers, regular expression studio, as well as tools to record login macros or to manage the crawler's form values.
AMP
AMP is capable of performing the same automated crawling and auditing as offered within WebInspect, but not the Manual Step-Mode method. The AMP interface requires only a browser (Firefox or MSIE are supported), permitting multiple users to generate reports, review findings, or start assessments via remotely connected scan engines known as AMP Sensors. In this respect AMP serves as a shared platform for generating dynamic assessments.
Separately, AMP performs as a collation point for all the web app vulnerabilities and reporting within the entire organization, and WebInspect, QAInspect, and Fortify 360 can all be linked to it for uploading of their scan results. This allows AMP to collect and manage the scan results from these varied input points. Using granular security controls (hierarchical and role-based), AMP can limit the resources and results that particular teams or individuals have access to within the interface. Roles are linked with the user's existing Active Directory or LDAP authentication system, so the AMP administrators do not have to deal with a separate username/password management system.
QAInspect for Quality Center
QAInspect is a mature integration plug-in for HP Quality Center, going back to the days when HP QC was known as Mercury's Test Director. QAInspect came about when QA testers found their security teams were identifying defects with WebInspect that the QA cycle had no way to test for, which effectively delayed product releases. They asked for a tool that would permit them to find these same issues themselves; however, it must A) not require them to become security experts and B) not require them to use and learn some new tool. QAInspect is fully integrated inside QC, so both requirements have been met.
With QAInspect, security testing can be completed earlier in the lifecycle, with the results being automatically generated within QC's Defect Tracking Module. This automatic behavior can be throttled by the user, such as dropping all vulnerabilities into a Staging Area for manual "publish" to QC, rolling up identical vulnerability types into single defects, or rolling up all vulnerabilities on a page into single defects. Even though both WebInspect and AMP have the ability to send select findings into QC, QAInspect manages these in bulk. In addition, when all those defects come back marked as "Fixed", the QA tester simply re-runs the same Test Run and all corrected defects will be automatically updated to a "Closed" status.
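To make the roll-up and re-run behaviour concrete, here is an added Python model of the defect-publishing logic described above. It is illustrative code, not QAInspect's own; the findings, field names and the "Reopened" handling for a Fixed defect that still reproduces are assumptions.

```python
"""Model of scanner-finding roll-up into tracker defects and re-run reconciliation.
Illustrative re-implementation of the behaviour described in the text, not QAInspect code."""

# Constructed scanner findings: one record per (page, vulnerability type, parameter).
FINDINGS_RUN1 = [
    {"page": "/login.aspx", "type": "SQL Injection", "param": "user", "sev": "Critical"},
    {"page": "/login.aspx", "type": "SQL Injection", "param": "pass", "sev": "Critical"},
    {"page": "/login.aspx", "type": "Cross-Site Scripting", "param": "msg", "sev": "High"},
    {"page": "/search.aspx", "type": "Cross-Site Scripting", "param": "q", "sev": "High"},
    {"page": "/search.aspx", "type": "Missing HttpOnly Flag", "param": "", "sev": "Low"},
]
SEV_ORDER = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}


def rollup_key(finding, mode):
    """Defect key under each roll-up mode the text describes."""
    if mode == "per_finding":        # one defect per individual finding
        return (finding["page"], finding["type"], finding["param"])
    if mode == "by_type":            # identical vulnerability types -> one defect
        return (finding["type"],)
    if mode == "by_page":            # all vulnerabilities on a page -> one defect
        return (finding["page"],)
    raise ValueError("unknown roll-up mode: %s" % mode)


def build_defects(findings, mode):
    """Group findings into defect records; a rolled-up defect carries its worst severity."""
    defects = {}
    for f in findings:
        d = defects.setdefault(rollup_key(f, mode), {"status": "New", "sev": f["sev"], "count": 0})
        d["count"] += 1
        if SEV_ORDER[f["sev"]] < SEV_ORDER[d["sev"]]:
            d["sev"] = f["sev"]
    return defects


def reconcile(existing, findings, mode):
    """Re-run step: a defect marked Fixed that no longer reproduces becomes Closed.
    A Fixed defect that still reproduces is set to Reopened (assumption: the text
    does not say what the product does here). Keys not seen before become New defects."""
    seen = build_defects(findings, mode)
    updated = {k: dict(v) for k, v in existing.items()}   # never mutate the tracker's copy
    for key, d in updated.items():
        if d["status"] == "Fixed":
            d["status"] = "Reopened" if key in seen else "Closed"
    for key, d in seen.items():
        updated.setdefault(key, d)
    return updated
```

Switching the mode from `per_finding` to `by_page` on the constructed run turns five defects into two, which is the throttling trade-off the text describes.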
QAInspect 8.0 offers a management tool permitting the QC project leader to pre-define all aspects of the Test Run templates. This helps the project team utilize QAInspect tests in a uniform manner as their manager requires. QAInspect offers the same Reporting engine capabilities as WebInspect. Furthermore, linking QAInspect with AMP allows the results to not only become defects within QC, but also to have the test results uploaded and included in the AMP Dashboards automatically.
The primary aim of the HP Application Security Center is to enable organizations to perform automated security testing. The products attempt to be organic in their growth and integration options, as well as to provide equivalent results and descriptions. One may acquire them all at once, or piecemeal as needed. The addition of Fortify's solutions should expand the SAST and DAST capabilities and integrations of this product set going forward.
- SAST = Static Analysis Security Testing
- DAST = Dynamic Analysis Security Testing