Seeker from Quotium takes a somewhat different approach to application security from most similar products. First, it does code analysis, but not just static code analysis. It injects an agent onto the server. The agent connects to the process and reports the results of any requests sent to the process. They look at data, not just code. If I am an attacker, I am after your data. So Seeker looks closely at how the processes in the application respond to attempted interactions with data.
A solid feature of this product is that it is intended for developers, not for security testers. Seeker integrates nicely with the application development process and is intended to be used by developers. It is industry standard, complying closely with Open Web Application Security Project (OWASP) criteria. And, perhaps best of all, it identifies risks from a business impact perspective. Because it performs export verification, false positives are extremely rare to non-existent.
One starts using Seeker by installing its agent on an application server and teaching it the user’s application. As one works through their application, it learns how it is supposed to behave. Installs should have two users so that admins can look at the interactions between users. Once it learns the application, the user can start applying all of the functionality of the in-house app and Seeker will start its analysis.
|At a glance
Price: Standalone: starting at $30,000; Enterprise: starting at $ 125,000.
What it does: Automated application security testing.
What we liked: Fits nicely with the software development process and is meant to be used by developers.
What we didn’t like: Nothing. This is a useful tool, well thought-out and well excuted for the right user space.
As it finds exploitable targets in users’ applications, it shows the admin the exploit code, describes the exploit and the business impact. It then provides remediation code that can play back the exploit a step at a time, sort of like watching a video of the attacker. This video shows each step of the exploit – line by line – along with the exploit code.
We were especially impressed with the granularity of the technical details that Seeker provides. For example, it is not enough to show that there is a vulnerability that might lead to a SQL injection compromise. Seeker will actually attempt to extract data and if it can, it will report each detail of the exploit, the data, the vulnerability and will then let users play the video back. Finally, Seeker will give the radiation code and admins can retest after fixing the problem.
As we all know, often there are multiple vulnerabilities, sometimes on different pages of the website, that work together to allow an attacker to run a successful exploit. Seeker finds these and correlates between them as it runs its tests. So it analyzes the entire application, end-to-end, rather than just the front- or backend. That includes the web pages, web apps, backend database and the application flow.
The reporting platform is superb, including all vulnerabilities, the OWASP Top Ten compliance of the app, and it saves all of the screen information except that in the video playback of the exploit. Seeker supports Java, dot net, PhP, PSQL and PLSQL. Its agents run in Windows and Unix. The solution is priced reasonably, whether one needs the standalone or enterprise version, and support is substantial. The documentation is straightforward. Overall, if one is writing and maintaining web applications, give this a close look, especially if you are looking at the web security problem from the developer perspective, which, of course, you should be. – Peter Stephenson