NTOSpider Web Application Security Scanner with Universal Translator Technology

Building and managing an application security program is no simple feat. Most security teams today are responsible for securing hundreds of applications, complying with industry and government regulations and keeping up with hacking trends. To make matters worse, these applications continue to evolve. Today’s applications include complex Rich Internet Application (RIA) front-ends, web services and mobile components, to name a few. Security teams dealing with these challenges of scale and complexity require sophisticated technology designed specifically to address these problems.

NTOSpider, featuring Universal Translator technology, is the only dynamic application security testing (DAST) solution available capable of effectively testing today’s complex web and mobile applications and web services. Available as software or SaaS, NTOSpider delivers more thorough analysis, comprehensive application coverage and sophisticated attack methodologies than any other solution available. Most importantly, NTOSpider delivers the best rates in the industry for the elimination of false positive and false negative findings.

Key Benefits
• Enterprise Ready - NTOSpider is part of a larger suite of products designed to scale for the largest security programs in the world.
• Easiest to Use - Sophisticated automation delivers ease of use such that most sites test with a simple point and shoot.
• Broadest Coverage - The only DAST solution available that has been re-architected to effectively test rich internet applications (RIAs), web services and mobile applications that leverage new technologies like REST, AJAX, JSON and GWT.
• Best Authentication - Capable of authenticating and staying logged in to even the toughest applications and web services, even when other scanners aren’t able to.
Universal Translator Technology

Only NTOSpider has Universal Translator technology capable of understanding the new formats, protocols and development technologies being used in today’s web services, mobile and modern browser-based applications. The Universal Translator translates them to a common schema and then launches simulated attacks that penetrate the back-end systems where vulnerabilities and threats exist.

Technologies, sequences, and architectures understood by Universal Translator:
• REST
• JSON
• GWT
• AJAX
• HTML4
• HTML5
• Flash Remoting (AMF)
• Living in the DOM
• True Sequence Support
• XSRF Token Tracking

Key Benefits (continued)
• Most Accurate - Sophisticated attack methodologies virtually eliminate false positive and false negative findings.
• Unparalleled Support - Not your typical help desk! Our technical support team provides personal, effective and timely support.
• Interactive Reports - Speed remediation efforts with organized and clickable HTML reports enabling developers to validate vulnerabilities and reproduce attacks in real time.
• Innovative Integrations - Provides numerous options for pragmatic, secure software development lifecycles through Jenkins, Selenium, Jira and more.
• Customization - NTO is committed to getting NTOSpider authenticating and completing scans on even the toughest custom applications.

Data Sheet / DAST / NTOSpider

Features

Scanners were originally built with a crawl and attack architecture around HTML and JavaScript. However, crawling is not a concept that works for web services and other dynamic technologies. NTOSpider can still crawl traditional name=value pair formats like HTML, but it has been re-architected to also understand all of the new formats being used in today’s web and mobile applications as well as web services. With NTOSpider, you will have the utmost confidence that you are getting the best false positive and false negative rates available. NTOSpider automates as much of the process as possible, more than any other scanner.
We have spent 10 years dedicated to building a sophisticated tool that crawls more of your application than any other and attacks it with a sophisticated approach.

Speak Any Language with Universal Translator Technology - NTOSpider has the ability to understand the new formats, protocols and development technologies being used in today’s mobile and modern browser-based applications. The Universal Translator translates them to a common schema and then launches simulated attacks that penetrate the back-end systems where vulnerabilities and threats exist.

Achieve Broadest Coverage - NTOSpider enables security teams to automatically interpret and scan modern application technologies such as Mobile, JSON, REST, SOAP, HTML5 and AJAX. NTOSpider’s DAST solution includes Universal Translator technology that can automatically detect and attack vulnerabilities that were previously only discoverable by manual testing. Web applications have evolved to be highly complex and dynamic, but scanners have not kept pace. This gap has been growing in recent years, leaving application scanners less effective.

Easy to Use and Maintain - NTOSpider is one of the easiest scanners to use. It’s designed to be a point and shoot tool. It also includes an auto-update tool that enables users to choose between three configurable automatic update options that give flexibility and control over upgrades.

Reliable, Automatic Authentication - NTOSpider is capable of authenticating on complex custom authentication approaches as well as the following web service solutions (OAuth, HMAC, integrated nonce, user-defined).

Reduce Manual Testing Time - Comprehensive application coverage achieved through Universal Translator, superior client-side JavaScript testing and innovative pre-attack analysis enables organizations to achieve more testing in less time with less manual work.
Reduce Configuration & Training Time - NTOSpider automatically conducts sophisticated proximity analysis to determine valid data for variable names, getting deeper coverage with less tool training.

Scan Applications with XSRF Protection - NTOSpider uniquely performs XSRF token detection. Then, during attack, it collects and uses valid tokens during each attack.

Automatically Test Application Workflows - NTOSpider is the only application security scanner capable of accurately testing a complex application workflow such as a shopping cart or application processing. Complex workflows are different from other areas of applications because the functionality must be tested in the prescribed order of the workflow (credit card data is entered before it’s submitted) and the workflow must be tested in its entirety (the last name may not be submitted to the database until the credit card is processed). NTOSpider can test a complex workflow in order and in its entirety. It’s important to understand that web application security scanners are designed to attack pages randomly because, for most of the application functionality, it’s actually better to attack it randomly. NTOSpider can do both.

(877) 686-9327 | www.ntobjectives.com ©2014 NT OBJECTives, Inc.
NTOSpider Checks For

Server and General HTTP
• Shellshock (aka The BASH Bug)
• CORS (Cross-Origin Resource Sharing)
• ASP.NET ViewState Validation
• AJAX Auditing
• Detection of Client-Side Technologies
• Directory Indexing and Enumeration
• HTTP Response Splitting
• Canonicalization Attacks
• Cookie Security
• Custom Fuzzing
• Path Manipulation - Traversal
• Brute Force Authentication Attacks

Data Injection and Manipulation Attacks
• XPath Injection
• LDAP Injection
• XML External Entity
• Server Side Include (SSI) Injection
• Expression Language Injection
• Blind SQL Injection
• Remote File Include (RFI) Injection
• Operating System Command Injection
• Parameter Redirection
• Persistent XSS
• DOM-Based XSS
• Cross-Site Request Forgery
• SQL Injection
• Reflected Cross-Site Scripting (XSS)

Sessions and Authentication
• Session Strength
• Authentication Attacks
• Insufficient Authentication
• Path Truncation
• WebDAV Auditing
• Web Services Auditing
• File Enumeration
• Information Disclosure
• Directory and Path Traversal
• Brute Force Authentication Attacks

Interactive reports enable you to click into each vulnerability to see details and replay an attack or "validate" the vulnerability.

Reports

Higher Confidence of Results Accuracy - Accurate results derived from a comprehensive crawl, sophisticated attack techniques and multiple iterations of validation on all vulnerabilities deliver the best false positive and false negative rates.

Streamline Remediation Efforts - NTOSpider’s sophisticated reports enable you to reduce remediation time and streamline communication with developers. Our reports provide accurate and actionable results that are designed to assist in remediation efforts and to help users quickly get to the data that matters most. With one click, you can drill deep into a vulnerability to get more information. The reports:
• Consolidate findings by attack types (XSS, SQLi, etc.)
• Enable users to further investigate vulnerabilities by clicking on them
• Provide the ability to reproduce attacks in real time
• Support XML export for import into your tracking system
• Provide analysis for compliance reporting requirements (PCI, FISMA, OWASP, SOX, HIPAA, GLBA, and more)

Immediately Patch with Custom WAF/IPS Rules - NTODefend leverages NTOSpider’s results to create a truly custom rule based on knowledge of the application, the WAF/IPS and the vulnerability.

Integrations

Selenium - Most enterprise testing teams already use test automation tools and scripts such as Selenium to create repeatable tests that can be executed in conjunction with nightly application builds. It only makes sense to integrate security tests into this as well, so that security tests can run automatically every time the application changes. This is a great way to catch application security vulnerabilities early in the SDLC.

Continuous Integration (CI) - Many organizations are pushing development to use Continuous Integration (CI) solutions to streamline QA efforts and to reduce time to market. Security teams are wise to find ways to plug their scanning activity into the CI to ensure that every build is security tested before it goes into production. NTOSpider can fit into your CI environment because it works well in “point and shoot” mode and offers open APIs for running scans. (Jenkins plug-in available.)

Jira, Archer, HP Quality Center - NTOSpider is capable of automatically adding tickets to several popular bug tracking systems including Jira, Archer and HP Quality Center.

Coverity - NTO and Coverity have partnered to deliver the first Interactive Application Security Testing (IAST) solution built on a “developer-ready” platform.
With this integration, the results from NTO’s DAST solution, NTOSpider, are integrated into the development workflow of Coverity’s Static Application Security Testing (SAST) solution and then automatically correlated, enabling security teams to find and fix security defects earlier in the lifecycle and improving collaboration between security and development teams.

ThreadFix - Denim Group’s ThreadFix application vulnerability management platform can now import the results from NTOSpider, enabling you to compare and analyze the results of other testing efforts and have a more complete picture of your application security testing program.

Free Trial

Request a free trial of NTOSpider and compare scan coverage via your server logs to your scanner’s detailed traffic reports. We are confident that the logs will show clear evidence of NTOSpider scanning places in your application that your existing solution isn’t covering.