Friday, September 20, 2024

Review: SpiDynamics Web Inspect

Every once in a while you run into a tool that becomes an essential member of your tool kit, like Snort for IDS or Nessus for scanning a network. The new version of Web Inspect by SpiDynamics has become just as essential.

I am not known for plugging any particular product, but I have talked about Web Inspect in the past and how useful a tool it is for me. I have been fortunate to be in the Web Inspect beta program for about 45 days now, and have seen the new version of the tool become more robust, easier to use, and quicker.

I am not being compensated by SpiDynamics, but I have coordinated this with the release of their latest and greatest update today, so you are getting an honest, uncompensated opinion of the software. While we all have opinions, I have been using this tool for well over a year now and I know how much it has helped me meet delivery, contractual, and other specifications when doing a security evaluation of a website.

If you are checking for security vulnerabilities in web apps, or even just web sites, by hand, you can save yourself noticeable time by getting a copy of the tool. There is an instant ROI in the man-hour and time savings alone.

How we use it is as part of an automation test harness, to see how the web site will react to various attacks and under the pressure of thousands of attack possibilities at any given time. The best part about the tool is that it is relatively smart in how it goes about its job. If you have an Apache server, it's not going to run a pile of IIS checks; if you are using PHP rather than .NET, it's not going to run a pile of .NET attacks and checks either.

We have also modified the rule base (by changing criticality levels) to reduce the few false positives we get. There are very few of them, but it's great that you can customize the rule base, both by priority and otherwise. Even better, the program is updated frequently with new attack scenarios, and those updates do not change the original tweaks made to the rule base settings. You don't need to go back and re-tweak the rule base; you do it just once.
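The two behaviours described in the last two paragraphs (pruning checks that do not apply to the target's platform, and keeping local severity tweaks intact when the vendor ships a new rule base) are worth seeing in code. The block below is an added illustration written for this page; it is not Web Inspect's code and says nothing about how SpiDynamics implements either feature. The check IDs, check names, header signatures and sample response headers are all constructed for the example. The point it makes is that overrides keyed by a stable check ID survive a rule-base update that appends new checks, and that platform fingerprinting from response headers is what lets a scanner skip IIS checks against an Apache/PHP site.

```python
"""Technology-aware check selection with persistent severity overrides.

Added illustration, not Web Inspect's code. It shows, with a small
hypothetical check set, why checks for platforms the target is not running
can be skipped and why user severity tweaks keyed by check ID survive a
vendor rule-base update.
"""
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class Check:
    check_id: str
    name: str
    severity: str                      # vendor default: "high" / "medium" / "low"
    requires: frozenset = frozenset()  # platforms the check is meaningful for; empty = generic


# Constructed vendor rule base (hypothetical IDs and names).
VENDOR_CHECKS_V1 = [
    Check("sqli-001", "SQL injection in query string", "high"),
    Check("xss-001", "Reflected XSS", "high"),
    Check("iis-001", "IIS Unicode directory traversal", "high", frozenset({"iis"})),
    Check("aspnet-001", "ASP.NET ViewState not MAC-protected", "medium", frozenset({"aspnet"})),
    Check("php-001", "PHP allow_url_include remote file inclusion", "high", frozenset({"php"})),
    Check("apache-001", "Apache server-status exposure", "low", frozenset({"apache"})),
]

# A later vendor update appends new checks; existing IDs are left unchanged.
VENDOR_CHECKS_V2 = VENDOR_CHECKS_V1 + [
    Check("php-002", "PHP phpinfo() page exposure", "medium", frozenset({"php"})),
    Check("iis-002", "IIS short-name enumeration", "low", frozenset({"iis"})),
]

# Hypothetical header signatures: (header name, regex on value, platform tag).
HEADER_SIGNATURES = [
    ("server", r"(?i)\bapache\b", "apache"),
    ("server", r"(?i)microsoft-iis", "iis"),
    ("x-powered-by", r"(?i)\bphp\b", "php"),
    ("x-powered-by", r"(?i)asp\.net", "aspnet"),
    ("x-aspnet-version", r".+", "aspnet"),
]


def fingerprint(headers):
    """Infer platform tags from response headers (header names compared case-insensitively)."""
    lowered = {k.lower(): v for k, v in headers.items()}
    found = set()
    for header, pattern, tech in HEADER_SIGNATURES:
        value = lowered.get(header)
        if value is not None and re.search(pattern, value):
            found.add(tech)
    return frozenset(found)


def select_checks(checks, techs):
    """Keep generic checks plus those whose platform requirement the target meets."""
    return [c for c in checks if not c.requires or c.requires & techs]


def apply_overrides(checks, overrides):
    """Apply local severity overrides keyed by check ID.

    Keying by stable ID rather than by position in the vendor list means a
    rule-base update that appends checks leaves the overrides intact, and an
    override for an ID no longer in the list is simply never consulted.
    """
    result = []
    for c in checks:
        sev = overrides.get(c.check_id, c.severity)
        if sev == "suppress":
            continue  # local decision: known false positive on this estate
        result.append(Check(c.check_id, c.name, sev, c.requires))
    return result


def plan_scan(checks, headers, overrides):
    """Full pipeline: fingerprint the target, prune by platform, apply local tweaks."""
    return apply_overrides(select_checks(checks, fingerprint(headers)), overrides)


# Constructed sample target (Apache + PHP) and two site-specific overrides.
APACHE_PHP_HEADERS = {
    "Server": "Apache/2.4.57 (Ubuntu)",
    "X-Powered-By": "PHP/8.1.2",
    "Content-Type": "text/html; charset=UTF-8",
}
LOCAL_OVERRIDES = {"apache-001": "medium", "xss-001": "suppress"}

if __name__ == "__main__":
    for version, checks in (("v1", VENDOR_CHECKS_V1), ("v2", VENDOR_CHECKS_V2)):
        print(f"rule base {version}:")
        for c in plan_scan(checks, APACHE_PHP_HEADERS, LOCAL_OVERRIDES):
            print(f"  {c.check_id:12} {c.severity:7} {c.name}")
```

Running it against the v1 and v2 rule bases shows the IIS and ASP.NET checks dropped for the Apache/PHP target in both, the new php-002 check picked up automatically in v2, and the apache-001 downgrade and xss-001 suppression still applied after the update without any re-tweaking.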

We also use it when presenting to the client what is going on, to prove that what we are talking about is not a hypothetical attack but one that actually works on their web site: here is the raw data, now let's reproduce it (right in the middle of the meeting, which is very attention-grabbing at all levels).

Reports can be customized into management, technical, and non-technical report structures so that just about anyone can read them.

The GUI is also very easy to use, and with the proper scripting the tool can be run in multiple instances and attached to an automation test harness to get a lot of work done.

If you have a lot of web sites to review, or if your outsourcing company does that kind of security work for you, it would be well worth having your internal or external security team check this tool out. The URL for the company is

Dan Morrill has been in the information security field for 18 years, both civilian and military, and is currently working on his Doctor of Management. Dan shares his insights on the important security issues of today through his blog, Managing Intellectual Property & IT Security, and is an active participant in the ITtoolbox blogging community.