NTOSpider
NTOSpider is a Web and application server testing tool that provides both Web application vulnerability scanning and site analysis (site technologies, resources, threat exposure, etc.) capabilities.
Product submission by EITPlanet Staff

The scanning is based on the vendor's proprietary "S3 Methodology" (Safe, Smart Scanning), an automated form of their team's security assessment methodologies. S3 Methodology facilitates features such as Web Server Fingerprinting, the unique identification of each Web server in the environment regardless of obfuscation; dynamic authenticated crawling for automating site interactions within an application; and Java analysis, including the retrieving and decompiling of Java applets and analysis of JavaScript scripts to test for secure coding. The S3 Methodology also features the ability to perform context-sensitive testing of application resources, determining the best method to use for the testing of a particular application, such as input validation or poor coding practices. Other types of assessments/tests performed include SQL injections, cross-site scripting, parameter and SSL analysis, authentication testing, source code disclosure, directory browsing, and more.

Results of the scans are presented in the form of HTML reports, which are targeted to the potential audience. The Executive Summary, for example, provides security findings (including positive security controls in place) without technical information, while Details Reports offer the ability to view more technical information by Site/Domain, vulnerability attack class, or risk priority. The platform is able to offer both descriptions and step-by-step remediation instructions for found vulnerabilities.

The Site Analysis report, in particular, is a passive (no actual vulnerability checking) analysis of the site's infrastructure--including its architecture, resources and attributes, and technologies employed--towards the goal of qualifying the site's threat exposure.
The Site Analysis report is a graphical depiction detailing such metrics as the use of forms, hidden fields, cookies, authentication, applets, etc., with each resource cross-linked to other report data including vulnerabilities and attributes.

In addition to HTML reports, NTOSpider data is stored in and available via XML for use in third-party systems (in fact, all HTML report data is processed from the XML data via XSLT). Finally, the product's Data Sleuth capabilities enable it to monitor the attack module findings and quantify them via an analysis of the actual data content related to the vulnerability, to determine a meaningful risk priority based on the actual content affected.

NTOSpider is available now. Base pricing starts around $10,000 per copy (one installation for one user), and licensing is not restricted by domain (a single installation may be used by the customer across the organization). Subscription, perpetual, and group/site/enterprise licensing is available. Contact NT OBJECTives for further information.