You know, I am continuously impressed with the solution from SPI called DevInspect. SPI has just released version 4.0 for DevInspect and it continues to be my tool of choice for testing for web application vulnerabilities early in the lifecycle. If you haven't tried the solution, I would highly recommend doing so -- you can checkout the download here [ DevInpsect ].
From my evaluation, I found the following items which are definitely worth mentioning here:
- Hybrid Analysis: will perform both white and black box testing on your applications. Whitebox testing focuses more on the source code analysis and input analysis and the blackbox testing has testing geared towards more of the zero knowledge of the application -- very much an "outside looking in" perspective.
- SecureObjects: The secureobjects technology is fantastic! I was absolutely impressed at the abililty to create regular expressions on the fly and valididate application inputs quickly.
- Brute Force Protection: DevInpsect was able to recognize application level attacks such as SQL Injection, XSS, Buffer Overflows, etc. and block them.
- Brute Protector: In addition to everything above, SPI also offered the ability to protect any discovered controls that are discovered on the page simply by dragging the option from the toolbox. The Brute Protector provided the framework to guard the application and allowed me to respond to the events in the way we wanted to respond.
- Scanning Engines: SPI's tool uses the inherant engines as seen in WebInspect which discovered tons of vulnerabilities in our [test] application.
Those are the notables that we found - you should ABSOLUTELY seek out this solution and give it a test run.