@stake Announces Release 2 of WebProxy

Interactive Security Tool Created by Renowned Security Experts Helps Software Engineers Build More Secure Web Applications

Cambridge, MA, December 17, 2002 – @stake, Inc., (www.atstake.com) the world’s largest independent digital security consulting firm, today announced the immediate commercial availability of @stake® WebProxyTM, a powerful interactive security tool that helps software developers, quality assurance engineers, and security professionals test and enhance the security of Web applications. Sitting between the developer’s browser and the Web application, WebProxy acts as a ‘proxy’ to let the developer observe precisely how the Web application responds to staged attacks, such as those that use buffer overflows, SQL injection, cookie manipulation, cross-site scripting or parameter manipulation. By identifying security vulnerabilities while applications are still in development, companies can cost-effectively improve the overall security of any Web applicatio (1).

“Today’s Web applications are subject to malicious activity by both authorized and unauthorized users,” said Charles Kolodgy, Research Manager for Internet Security at IDC. “To combat this, corporations need to make sure that their applications are designed to protect data as it is being processed and stored.”

Several studies have indicated that it is more cost-effective to address security vulnerabilities in software applications during the development phase versus after the application has been released to customers. If a malicious attack is successful on a Web application that is already in commercial use or production, companies must face costs associated with removing the application from production, assessing the damage to the application and the data it manages, as well as potentially considerable costs associated with loss of reputation and customer confidence that may result from the attack.

“Security in today’s software industry is dominated by a penetrate-and-patch mentality, where the security of an application is more likely to be addressed after it has been released to customers,” said Christopher A.R. Darby, Chairman and CEO of @stake. “As digital security consultants, we’ve helped hundreds of clients rectify Web application security flaws that could have been more easily and cost-effectively addressed during development or quality assurance testing. With the commercial introduction of @stake WebProxy, we’re offering a powerful tool to help companies make immediate improvements in the security of any Web application.”

About the New Release
@stake WebProxy was originally developed as a proprietary tool to be used exclusively by the company’s security consultants on client engagements to assess Web applications for common security vulnerabilities. Since @stake posted the first release of WebProxy in April 2002 as a free, undocumented tool on the company’s Web site, over 20,000 people have downloaded a copy. Because of the overwhelming response, the company has made a number of enhancements to the commercial release, including a new user interface, improved installation, comprehensive new documentation, and powerful new automated testing features.

How WebProxy Works
Designed to act as an HTTP/HTTPS proxy server, @stake WebProxy allows monitoring and manipulation of requests made by the browser to the Web application. @stake WebProxy offers the following features and benefits:

Re-submission and on-the-fly editing of previous requests, which allows the developer to test custom application attack scenarios. Editing capabilities include support for parsing of query parameters, request headers, and POST parameters, as well as cookie editing. Requests can be automatically modified based on a matching regular expression for ease-of-use.
Logging of requests and replies to text files, allowing the developer to maintain a record of past requests for use in regression testing.
Dynamic certificate generation, enabling transparent support for testing SSL-enabled applications.
Cookie management, hashing, and decoding utilities, providing a convenient interface for analyzing encoded application traffic.
Quashing of header parameters, allowing the developer to observe how the application reacts when certain headers are missing.

In addition, the following features have been added to the commercial release:

Automated fault injection or “fuzzing” of request parameters, which can be used to test for SQL injection, directory traversal, cross-site scripting, buffer overflows and character set vulnerabilities.
Support for Proxy Chaining, which allows WebProxy to be used in conjunction with existing proxy servers.
Comprehensive new documentation.
New user interface.
Performance enhancements.
System Requirements

WebProxy can be used to test Web applications that are running on any platform. WebProxy runs on the developer’s client system, which can be any of the following:

Microsoft Windows (Win32) including NT, 2000, and XP
Sun Solaris (SPARC) with X-Windows
Linux (x86) with X-Windows

WebProxy has been designed to work with any Web browser that has proxy support. Release 2 of WebProxy has been tested with Netscape 4.79 and 6.2, Internet Explorer 5.5 and 6.0, and Mozilla 1.1.

Licensing, Pricing and Support
A Free Demonstration & Evaluation version of @stake WebProxy is available at www.atstake.com/webproxy. This version does not support SSL, but developers can test all other WebProxy features using the first three fields of any Web form.

Enterprise Licenses are available to individual or groups of developers building applications for internal use, or commercial off-the-shelf (COTS) applications for sale to customers.

The Single User Enterprise License allows one individual to use WebProxy to test an unlimited number of Web applications, and is offered for $995, which includes one year of technical support and software maintenance.
Multi-user Enterprise Licenses are available for 5 users at $4,725, 10 users at $8,950 and 25 users at $21,000, which include one year of technical support and software maintenance.

After the first year, technical support and software maintenance are available for 20% of the list price. Consulting Licenses are available to professional IT or security consulting organizations.

The Single User Consultant License allows one individual to use WebProxy to test an unlimited number of Web applications for an unlimited number of clients, and is offered for $2,985, which includes one year of technical support and software maintenance.
Multi-user Consultant Licenses are available for 5 users at $14,000, 10 users at $27,000 and 25 users at $63,000, which include one year of technical support and software maintenance.

After the first year, technical support and software maintenance are available for 20% of the list price. Site licenses are also available. Please call us at 617.768.2715 to discuss your requirements.

Special Introductory Offers

For upgraders: WebProxy Release 1 users who place an order for Release 2 by December 31, 2002 qualify for a special upgrade price of $500 for a full Single User Enterprise License. To request the special upgrade pricing, visit www.atstake.com/webproxy.
Free Copy for @stake Academy Students: WebProxy is covered in two @stake Academy courses, “Application Security Principals” and “Cyber Attacks & Countermeasures.” Attendees to either @stake Academy course held between today and March 31, 2003 qualify for a free Single User Enterprise License. To register for a course, visit www.atstake.com/services/education.

Availability & Ordering
@stake WebProxy may be purchased from www.atstake.com/webproxy using MasterCard, VISA or American Express. To submit a purchase order, please send a fax to 617.621.3073, or to place an order by telephone, please call 617.768.2715.

About @stake Security Tools
In addition to WebProxy, the security experts at @stake have authored a number of useful security tools and administration utilities for IT and security professionals, including @stake LC4, the award-winning password auditing tool used by thousands of IT professionals around the world. To find out how to purchase LC4, or for more information, visit www.atstake.com/research/tools.

About @stake
@stake, Inc., the world’s largest independent digital consulting firm, provides digital security services and award-winning tools to secure critical infrastructure and protect electronic relationships. The company’s SmartRiskSM services cover all aspects of security, including applications, critical infrastructure, wireless and wired networks, storage systems, and forensic analysis. @stake consultants combine business experience and technical expertise to create comprehensive security solutions for leading companies in financial services, telecommunications, energy, healthcare, and manufacturing. Using the @stake Security BlueprintTM, clients keep security investments in line with business requirements. Headquartered in Cambridge, MA, @stake has offices in London, New York, Raleigh, San Francisco, and Seattle. For more information, go to www.atstake.com.

1See “The Security of Applications: Not All are Created Equal,” A. Jaquith, @stake, available at www.atstake.com/research/reports.