Parasoft Adds Penetration Testing to SOAPtest
- By John K. Waters
Few software companies have beaten the security-begins-in-the-application-development-process
drum louder than automated software testing solutions vendor Parasoft Corporation.
“Prevent errors as you write the code,” is the company mantra (if
not exactly its slogan). The advent of service-oriented architectures that support
wide-scale use of Web services makes that message even more urgent, says Wayne
Ariola, Parasoft’s VP of corporate development.
“The fear, uncertainty and doubt factor around application-level security
has risen to the point where people are finally ready to act,” Ariola
says. “But SOAs add a few complications. Web services expose security
vulnerabilities through commonplace flaws, like XPath injections, XML bombs,
runtime errors and buffer overflows.”
SOAs amplify the risks posed by buggy software, Ariola says, and companies
should take a proactive approach to the challenges of creating a secure service-oriented
environment. And that means addressing security vulnerabilities early in the
application development process.
“We see that companies are building up their security organizations,”
Ariola says. “And that’s great. Unfortunately, executives tend to
come at security from an auditing perspective. But that’s too late. By
the time the security people get their hands on the application, it’s
usually in production or ready to go live.”
Parasoft provides software for eliminating and preventing software errors during
the application development and implementation processes. About three years
ago, the company introduced an Automated Error Prevention (AEP) tool designed
specifically for Web services, called SOAPtest. (AEP is an industry best practice,
developed by Parasoft co-founder and CEO Dr. Adam Kolawa, for automating the
development process so that software organizations learn from their own and
everyone else's mistakes and prevent those errors from being repeated in software.)
This summer, Parasoft released version 4.0 of the tool suite, which introduced
automated, repeatable penetration testing at the message level, using parameter
fuzzing to detect Web services security vulnerabilities such as SQL injection,
XPath injection and XML bombs.
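Two of the flaw classes named above, XPath injection and XML bombs, are straightforward to illustrate at the message level. The Python below is an added example written for this article, not SOAPtest code or anything from Parasoft: the SOAP template, the urn:example namespace, the getUser operation and the payload list are all constructed for the demo. It shows the injection payloads a message-level test would substitute into a request parameter, the XPath query built unsafely beside its hardened form, and a pre-parse gate that rejects DTD entity declarations (which SOAP 1.1 forbids in a message) and estimates how far they would have expanded.

```python
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Namespaces of the constructed demo service (urn:example is an assumption).
NS = {"soapenv": "http://schemas.xmlsoap.org/soap/envelope/", "ex": "urn:example"}

# Constructed SOAP request template; <username> is the parameter a
# message-level test would target.
SOAP_TEMPLATE = (
    '<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">'
    '<soapenv:Body><getUser xmlns="urn:example"><username>{username}</username>'
    "</getUser></soapenv:Body></soapenv:Envelope>"
)

# Classic XPath injection payloads substituted for the parameter.
XPATH_PAYLOADS = ["' or '1'='1", '" or ""="', "'] | //* | //a['"]


def build_request(username: str) -> str:
    """Client side: escape() keeps the payload as character data, so the
    message stays well-formed XML and the payload reaches the application."""
    return SOAP_TEMPLATE.format(username=escape(username))


def extract_username(soap: str) -> str:
    """Server side: parse the request and pull out the parameter."""
    root = ET.fromstring(soap)
    node = root.find("soapenv:Body/ex:getUser/ex:username", NS)
    return node.text or ""


def vulnerable_query(username: str) -> str:
    """The flaw: the parameter is spliced straight into the XPath expression,
    so a quote in the payload closes the literal and rewrites the predicate."""
    return "//user[name='" + username + "']"


def xpath_literal(value: str) -> str:
    """Render value as an XPath 1.0 string literal. XPath has no escape
    character; a value holding both quote kinds must be built with concat()."""
    if "'" not in value:
        return "'" + value + "'"
    if '"' not in value:
        return '"' + value + '"'
    pieces = ["'" + p + "'" for p in value.split("'")]
    return "concat(" + ", \"'\", ".join(pieces) + ")"


def hardened_query(username: str) -> str:
    """The fix: the parameter can only ever be a string value in the predicate."""
    return "//user[name=" + xpath_literal(username) + "]"


# ---- XML bombs: inspect the DOCTYPE before the parser expands anything ----
DOCTYPE_SUBSET = re.compile(r"<!DOCTYPE[^\[>]*\[(.*?)\]\s*>", re.S)
ENTITY_DECL = re.compile(r'<!ENTITY\s+(\w+)\s+"([^"]*)"\s*>')
ENTITY_REF = re.compile(r"&(\w+);")


def entity_declarations(xml_text: str) -> dict:
    """Internal general entities declared in the DOCTYPE: name -> replacement text."""
    m = DOCTYPE_SUBSET.search(xml_text)
    return dict(ENTITY_DECL.findall(m.group(1))) if m else {}


def expanded_length(name: str, decls: dict, _seen=()) -> float:
    """Characters produced by fully expanding &name;. A reference cycle
    (illegal XML, but seen in hostile input) is reported as infinite."""
    if name in _seen:
        return float("inf")
    if name not in decls:
        return len(name) + 2  # undeclared reference: counts as its literal text
    text, total, last = decls[name], 0, 0
    for ref in ENTITY_REF.finditer(text):
        total += ref.start() - last
        total += expanded_length(ref.group(1), decls, _seen + (name,))
        last = ref.end()
    return total + len(text) - last


def inspect_message(xml_text: str) -> dict:
    """Gate to run before the XML parser sees a SOAP message. SOAP 1.1 forbids
    a DTD in the message, so any entity declaration is grounds for rejection;
    the expansion estimate says how bad accepting it would have been."""
    decls = entity_declarations(xml_text)
    worst = max((expanded_length(n, decls) for n in decls), default=0)
    return {"entities": len(decls), "max_expansion": worst, "reject": bool(decls)}


# Constructed, deliberately tiny XML bomb: three levels give 300 characters of
# expansion instead of the gigabytes the classic nine-level version yields.
SMALL_BOMB = (
    '<!DOCTYPE lolz [<!ENTITY lol "lol">'
    '<!ENTITY lol2 "' + "&lol;" * 10 + '">'
    '<!ENTITY lol3 "' + "&lol2;" * 10 + '">]>'
    + SOAP_TEMPLATE.format(username="&lol3;")
)


if __name__ == "__main__":
    for payload in XPATH_PAYLOADS:
        received = extract_username(build_request(payload))
        print("vulnerable:", vulnerable_query(received))
        print("hardened:  ", hardened_query(received))
    print(inspect_message(build_request("alice")))  # benign request, not rejected
    print(inspect_message(SMALL_BOMB))               # 3 entities, expansion 300
```

Run directly, it prints the unsafe and hardened query for each payload, then the inspection result for a benign request and for the three-level bomb. The expansion estimate is the reason the gate sits in front of the parser: the same declarations carried to nine levels expand to about a billion copies of the base entity, roughly 3 GB of text, and by the time a parser has produced that the denial of service has already happened.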
Other new features in SOAPtest 4.0 include:
- UDDI Registry support, including a Query UDDI Tool that can be used to
send inquiries to a UDDI registry for verification and validation
- WS-Addressing and WS-ReliableMessaging support, including automatic generation
of WS-Addressing and WS-ReliableMessaging headers within the SOAP header
- Test Suite “Wizard” that allows automatic creation of security
penetration tests, asynchronous test suites and tests from WSDL, WSIL, UDDI
and HTTP traffic
- Load testing improvements, including a bottom-up approach that allows users
to define the exact number of virtual users for each profile
“At the end of the day, it’s really an education issue,”
Ariola says. “What developers need to understand—and what we have
been preaching for years—is that security is a quality issue. It shouldn’t
be an afterthought.”
SOAPtest 4.0 is now available for Windows 2000, Windows XP, Linux and Solaris.
For more information, go to www.parasoft.com.
John K. Waters is a freelance writer based in Silicon Valley. He can be reached
at [email protected].