Announcing WebInspect 8.0.548 Available Now! - Web Application Security Center News Blog

It is with great pleasure that I announce, on behalf of HP Application Security Center, the next leap forward in web security products with the release of WebInspect 8.0. With a long list of features, we hope that you are as fired up about this release as we are. Below is just a taste of the many improvements you will enjoy.

What's New

  • Flash Static Analysis - WebInspect can now decompile Shockwave Flash (SWF) files and then perform static analysis on the resulting ActionScript 3 code, detecting vulnerabilities such as insecure programming practices, insecure application deployment, Adobe “best practices” violations, and information disclosures.

  • New Reporting System - WebInspect’s new and powerful reporting system facilitates the presentation of analyzed data. Now you can:

    • Create reports that are flexible, scalable, and faster using an improved generation workflow.
    • Modify standard reports or design your own using our new report designer.
    • Include information from external data sources.
    • Customize fonts, colors, and backgrounds with the new style editor.
    • Generate scan reports with a professional, polished appearance.
    • Focus analysis on a single session with our new session reports.

  • Optional Depth First Crawler - Depth-first crawling accommodates sites that enforce order-dependent navigation (where you must visit page A before you can visit page B). This method traces the first link on a page to the first link on the referenced page before returning to the original page and tracing the second link. By contrast, breadth-first crawling (which is also available) follows all the links on a page before drilling down to the linked pages.

  • Java Model-View-Controller (MVC) Support - Based on in-depth research by the HP DevInspect for Java team, WebInspect now supports applications built on the Java MVC platform through the use of the Depth First Crawler, Path-based Attacks, and Navigational Parameters.

  • Integration with IBM Rational ClearQuest - You can now send vulnerabilities as defects directly to IBM Rational ClearQuest version 7.

  • Support for 64-bit Vista - You can now run WebInspect on 64-bit Vista operating systems.
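
The difference between the two crawl orders described in the Depth First Crawler item above, as an added example (not WebInspect code and not part of the original post). The toy site, its URLs, and the rule that a step is served only when the previous request was the preceding step are constructed assumptions.

```python
from collections import deque

# Constructed toy site (not a real application): page -> links on that page.
SITE = {
    "/home": ["/step1", "/help"],
    "/step1": ["/step2"],
    "/step2": ["/step3"],
    "/step3": [],
    "/help": [],
}
# Assumed server rule: a step is served only if the previous request
# in the session was the step listed here (order-dependent navigation).
REQUIRES_PREVIOUS = {"/step2": "/step1", "/step3": "/step2"}


class Session:
    """Simulates the server-side state of one crawler session."""

    def __init__(self):
        self.last = None
        self.log = []

    def get(self, url):
        needed = REQUIRES_PREVIOUS.get(url)
        ok = needed is None or self.last == needed
        self.last = url if ok else None  # a rejected request breaks the flow
        self.log.append((url, 200 if ok else 403))
        return SITE[url] if ok else []


def crawl(start, depth_first):
    """Crawl from start; return the pages that answered 200, in request order."""
    session, seen, frontier = Session(), {start}, deque([start])
    while frontier:
        url = frontier.pop() if depth_first else frontier.popleft()
        links = session.get(url)
        new = [link for link in links if link not in seen]
        seen.update(new)
        # For depth-first, push in reverse so the first link is followed first.
        frontier.extend(reversed(new) if depth_first else new)
    return [u for u, status in session.log if status == 200]


if __name__ == "__main__":
    for mode in (True, False):
        print("depth-first" if mode else "breadth-first", crawl("/home", mode))
```

On this site the breadth-first run requests `/help` between `/step1` and `/step2`, so `/step2` is rejected and `/step3` is never discovered, which is the coverage gap a scanner would otherwise leave unaudited.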

What's Improved

  • Significantly Improved Script Processing - WebInspect now handles applications that have heavy client-side JavaScript. As applications move to the client, they become a single page that delivers an application almost entirely written in JavaScript, making it very difficult for a scanner to follow links when crawling the application. Crawling is becoming more about following code paths through the JavaScript, analyzing how the application changes from the user’s perspective, watching AJAX requests, and sending attacks to the server accordingly. WebInspect 8.0 delivers breakthroughs in JavaScript technology by tracing and recording code paths as subsessions, which are then audited to reveal vulnerabilities.

  • Revamped Web Macro Recorder - The Web Macro Recorder is now easier to use and incorporates a new algorithm for determining a logout condition. Once you record the login sequence, the Web Macro Recorder automatically samples the Web site to discover specific keywords that are present when state has been acquired and when it has been lost. This allows the scanner to reacquire state if it inadvertently becomes "logged out." The Web Macro Recorder also now allows you to verify that your macros work as expected before you use them.

  • Smart Assessment Fingerprinting - WebInspect is now more accurate than ever when choosing which checks to use against websites. It runs a series of fingerprint requests to determine the server type, version, and platforms supported.

  • Improvements to Start Page - The layout, appearance, and general usability of the page have been improved. It displays new scan attribute columns in the Manage Scans workspace, which improves scan selection. You can also group scans by scan attributes. The Activity Panel is also collapsible to increase your Manage Scans workspace.

  • Improvements to Scan View - Excluded hosts and allowed hosts are distinctly grouped, and the Scan statistics panel has been moved to the right of the dashboard for a better look and feel. The Scan Dashboard has an improved layout featuring a prominent scan status, crawl and audit activity indicators with rolling performance counters, script (JavaScript and VBScript) execution indicator, and a listing of attack engines grouped by attack type.


WebInspect 8.0 is currently LIVE on SmartUpdate!

Simply open WebInspect and connect to SmartUpdate, our standard patch channel, and you will automatically receive WebInspect 8.0.

Pre-Requisite Notes:

More in the release notes.


Joe Yeager
Product Manager, WebInspect
HP Application Security Center


Posted 04-01-2009 9:15 AM by joe.yeager
