Kevin Beaver's Security Blog

What NTOSpider offers the appsec world

I feel like I’ve said it a million times: you cannot rely on just one Web vulnerability scanner. There are simply too many vendors doing too many checks across too many websites and applications. The complexity of what needs to be tested is enormous not to mention the quality of the Web vulnerability scanners on the market (tip: you get what you pay for). Well, NTObjectives’ NTOSpider is a perfect example of a tool that’s going to find a few, sometimes tons, of additional things that the competition won’t uncover. Nice, but it’s such a frustrating reality for those of us working in application security.

Having used NTOSpider off and on for nearly a decade, I’ve found its interface to be very usable. It has some niceties that none of the other scanners have. But, like so many others, it has its frustrating quirks and shortcomings – a few of which I’ll include in my upcoming post about “the perfect Web vulnerability scanner”.

One of the things that stands out to me is NTOSpider’s ability to crawl, effectively, through just about any type of website or application. I spent years with another scanner failing me on some select applications and NTOSpider tackles them with no complaints or questions asked. NTOSpider’s reporting is awesome too…lots of different views are available right inside the UI and it also generates PDFs and HTML versions for you to divvy up among the stakeholders. Speaking of reporting, NTOjectives’  recently announced NTOEnterprise – an add-on that looks promising for bigger shops and those looking to do more in-depth vulnerability management.

NTOSpider has turned up a fair number of false positives for me over the years especially around weak passwords discovered and SQL injection. Even the built-in SQL Invader tool confirmed they didn’t exist. These issues have lessened recently but they still take time to validate…and if you’ve done this enough you know that it’s always a buzz kill to see the mac daddy exploits the scanner is alerting to aren’t really there after all. It keeps us honest though…and makes us earn our keep. I do hate to think of how many non-technical auditors or compliance managers are running such scans (using NTOSpider or whatever tool) and holding the feet of IT/security/development to the fire for no reason at all.

One of the things I like best about NTObjectives: accountability. Sales and support – even if you need to get top dog Dan Kuykendall involved – are always there and eager to please. You’re not going to get that from the big-box guys.

NTOSpider is a good tool to have. If you can afford several Web vulnerability scanners, it should definitely be on your short list. If you go into it with an open mind and an understanding that there is no one best tool, you’ll do fine.