Web application security firm KaVaDo Inc. beefed up its line of products Tuesday when it announced a new vulnerability-assessment tool for Web applications called ScanDo.
ScanDo probes Web applications the same way an attacker would and, in doing so, discovers vulnerabilities in the applications, reports on them and allows companies to patch the holes, according to Tal Gilat, chief executive officer of KaVaDo.
When testing an application, ScanDo works in three steps: scanning, assessing and attacking, and reporting. First, ScanDo scans the Web application to discover its structure and to identify which features the application uses, such as cookies, passwords or database integration, Gilat said.
Next, ScanDo compiles this information and assesses whether the application is vulnerable to attack; at this stage it does not actually attack the application. In doing so, ScanDo checks all forms, code, scripts and CGI (Common Gateway Interface) programs for potential vulnerabilities, Gilat said. New vulnerability checks and attack tools are added to ScanDo's arsenal through an automatic download as they are developed, he added. Users can also create, install and run their own attack scripts, written in Visual Basic.
After the assessment phase, ScanDo can actually attack the application to determine whether the initial assessment was correct, Gilat said.
Lastly, he said, ScanDo generates reports about problems in the application and offers trend reporting so a company can judge how effective its fixes have been over time.
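To make the three-phase flow described above concrete, here is an added illustration of a crawl / assess / attack / report pipeline written for this article. It is not KaVaDo's code and says nothing about how ScanDo is built internally: the target is a constructed in-process mock application (one CGI that reflects input unescaped, one that escapes it), the marker payload, the `mock_app` handler and every function name are assumptions made for the example, and the only active check performed is a reflected-input test.

```python
"""Added example: a toy scan -> assess -> attack -> report pipeline.
Not KaVaDo/ScanDo code. The target below is a constructed mock application
that lives in this process, so the script runs offline."""
from html.parser import HTMLParser
from urllib.parse import urlparse
import html

# --- constructed mock application (stands in for a test instance of the app) ---
MOCK_PAGES = {
    "/": '<html><body><a href="/search.cgi">search</a>'
         '<form action="/search.cgi" method="get"><input name="q" type="text"></form>'
         '<form action="/login.cgi" method="post">'
         '<input name="user"><input name="pw" type="password"></form>'
         '</body></html>',
}

def mock_app(method, path, params):
    """Hypothetical target. Returns (status, headers, body).
    /search.cgi reflects q without encoding (the flaw the scanner should
    confirm); /login.cgi HTML-escapes its input and should not be flagged."""
    headers = {"Set-Cookie": "SESSIONID=abc123; Path=/"}
    route = urlparse(path).path
    if route in MOCK_PAGES:
        return 200, headers, MOCK_PAGES[route]
    if route == "/search.cgi":
        return 200, headers, f"<html><body>Results for {params.get('q', '')}</body></html>"
    if route == "/login.cgi":
        return 200, headers, f"<html><body>Hello {html.escape(params.get('user', ''))}</body></html>"
    return 404, headers, "not found"

# --- phase 1: scanning (crawl the structure: pages, links, forms, cookies) ---
class FormCollector(HTMLParser):
    """Collects <a href> links and <form> definitions with their <input> fields."""
    def __init__(self):
        super().__init__()
        self.forms, self.links, self._cur = [], [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.append(a["href"])
        elif tag == "form":
            self._cur = {"action": a.get("action", ""),
                         "method": a.get("method", "get").lower(), "inputs": []}
            self.forms.append(self._cur)
        elif tag == "input" and self._cur is not None:
            self._cur["inputs"].append({"name": a.get("name"), "type": a.get("type", "text")})

    def handle_endtag(self, tag):
        if tag == "form":
            self._cur = None

def scan(app, start="/"):
    """Follow same-site links from `start`; record pages, forms and cookie names."""
    seen, queue, forms, cookies = set(), [start], [], set()
    while queue:
        path = queue.pop()
        if path in seen:
            continue
        seen.add(path)
        _, headers, body = app("GET", path, {})
        if "Set-Cookie" in headers:
            cookies.add(headers["Set-Cookie"].split("=", 1)[0])
        p = FormCollector()
        p.feed(body)
        forms.extend(p.forms)
        queue.extend(link for link in p.links if link not in seen)
    return {"pages": sorted(seen), "forms": forms, "cookies": sorted(cookies)}

# --- phase 2: assessing (static: pick candidate inputs, send nothing hostile) ---
def assess(structure):
    """Every named, text-accepting field on a form is a candidate injection point."""
    return [{"action": f["action"], "method": f["method"], "param": i["name"]}
            for f in structure["forms"] for i in f["inputs"]
            if i["name"] and i["type"] in ("text", "search", "password")]

# --- phase 3: attacking (active: confirm candidates with a marker payload) ---
MARKER = "<scando-probe-7f3a>"  # assumed marker; unlikely to occur naturally

def attack(app, candidates):
    """Submit the marker; a candidate is confirmed only if it comes back unencoded."""
    findings = []
    for c in candidates:
        _, _, body = app(c["method"].upper(), c["action"], {c["param"]: MARKER})
        if MARKER in body:
            findings.append({**c, "issue": "input reflected without encoding"})
    return findings

# --- phase 4: reporting ---
def report(structure, candidates, findings):
    lines = [f"pages crawled: {len(structure['pages'])}",
             f"cookies seen: {', '.join(structure['cookies']) or 'none'}",
             f"candidate inputs: {len(candidates)}",
             f"confirmed findings: {len(findings)}"]
    lines += [f"  {f['method'].upper()} {f['action']} param={f['param']}: {f['issue']}"
              for f in findings]
    return "\n".join(lines)

def run_scan(app=mock_app):
    """Run all four phases; returns (structure, candidates, findings, report text)."""
    structure = scan(app)
    candidates = assess(structure)
    findings = attack(app, candidates)
    return structure, candidates, findings, report(structure, candidates, findings)

if __name__ == "__main__":
    print(run_scan()[3])
```

The separation matters in practice: the assessment phase only enumerates candidates, so it is safe to run anywhere, while the attack phase sends payloads and is the part that belongs on a test copy of the application. Against the mock target above, three inputs are assessed but only the search field is confirmed, because the login handler escapes what it reflects.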
When using ScanDo, a company should run it on a test version of its applications, as running it on the version being used by customers could cause inconvenience or problems, Gilat said.
ScanDo runs on Windows NT and 2000, with a Solaris version planned for the second quarter of 2002. ScanDo costs US$15,000 per year, as a subscription, and is available immediately.
KaVaDo also sells a product which can be used to block Web application attacks, called InterDo.