Watchfire Adds Ajax Testing, Spots Google Desktop Flaw
Posted on: Thursday, 22 February 2007, 06:00 CST
Watchfire Corp, which takes an ethical hacking approach to uncovering website vulnerabilities, is releasing a new version of its enterprise offering that extends coverage to loosely scripted, highly interactive Ajax-style applications.
The newly released version, AppScan Enterprise 5.0, adds the ability to auto-generate Ajax-style applications, and simulates end-user interactions, including pauses for steps such as filling out forms.
It also adds some new features aimed at helping QA specialists, and even developers, get over their reluctance to do security testing. The hang-up, of course, is that security issues, such as cross-site scripting or buffer overflows, are Greek to developers and testers. It's the type of stuff that only security specialists know.
So Watchfire has added some simplified screens that hide all the complex configuration settings, which the security team can preset ahead of time. And it displays results in tester and developer terms, showing vulnerable pieces of code, as opposed to saying, "cross-site scripting error." And Watchfire has added some training courses aimed at QA and developers.
Separate from this announcement, Watchfire disclosed a hole in Google Desktop that an intruder could exploit to peer into a victim's hard drive.
Google Desktop is one of those hybrid apps that use a mixed web-based and locally installed desktop client. So it has the kind of exposure characteristic of a web app, but through its functionality, it also penetrates the desktop.
With the vulnerability, a hacker could have gained entrance to the index maintained by Google Desktop to literally map out files on the target hard drive.
According to Dave Grant, vice president of product marketing at Watchfire, it's the type of flaw that could impact any kind of hybrid web/desktop app, not just Google Desktop.
Watchfire initially notified Google in private, and only made the public disclosure after Google fixed the flaw.
Source: Datamonitor