News

Parasoft Adds Penetration Testing to SOAPtest

• By John K. Waters
• June 14, 2005

Few software companies have beat the security-begins-in-the-application-development-process drum louder than automated software testing solutions vendor Parasoft Corporation. “Prevent errors as you write the code,” is the company mantra (if not exactly its slogan). The advent of service-oriented architectures that support wide-scale use of Web services makes that message even more urgent, says Wayne Ariola, Parasoft’s VP of corporate development.

“The fear, uncertainty and doubt factor around application-level security has risen to the point where people are finally ready to act,” Ariola says. “But SOAs add a few complications. Web services expose security vulnerabilities through commonplace flaws, like X-path injections, XML bombs, runtime errors and buffer overflows.”

SOAs amplify the risks posed by buggy software, Ariola says, and companies should take a proactive approach to the challenges of creating a secure service-oriented environment. And that means addressing security vulnerabilities early in the application development process.

“We see that companies are building up their security organizations,” Ariola says. “And that’s great. Unfortunately, executives tend to come at security from an auditing perspective. But that’s too late. By the time the security people get their hands on the application, it’s usually in production or ready to go live.”

Parasoft provides software for eliminating and preventing software errors during the application development and implementation processes. About three years ago, the company introduced an automated error prevention tool designed specifically for Web services, called SOAPtest. (AEP is an industry best practice, developed by Parasoft co-founder and CEO Dr. Adam Kolawa, for automating the development process to help software organizations learn from their and everyone else’s mistakes to prevent errors from being repeated in software.)

This summer, Parasoft released the 4.0 version of the tool suite, which introduced automated, repeatable penetration testing at the message level to detect Web services security vulnerabilities, including SQL injections, XML bombs, parameter fuzzing and XPath injections.

Other new features in SOAPtest 4.0 include:

• UDDI Registry support, including a Query UDDI Tool that can be used to send inquiries to a UDDI registry for verification and validation
• WS-Addressing and WS-ReliableMessaging support, including automatic generation of WS-Addressing and WS-ReliableMessaging headers within the SOAP header
• Test Suite “Wizard” that allows automatic creation of security penetration tests, asynchronous test suites and tests from WSDL, WSIL, UDDI and HTTP traffic
• Load testing improvements, including a bottom-up approach that allows users to define the exact number of virtual users for each profile

“At the end of the day, it’s really an education issue,” Ariola says. “What developers need to understand—and what we have been preaching for years—is that security is a quality issue. It shouldn’t be an afterthought.”

SOAPtest 4.0 is now available for Windows 2000, Windows XP, Linux and Solaris. For more information, go to www.parasoft.com.