Aspect has led the development of many of the leading application security tools for over a decade. Our tools are used by most of the Fortune 500 companies and many others. We develop many tools and technologies in the course of our work and release them free and open through OWASP so that they can help application security programs worldwide.
WebGoat
First released externally in 2002, WebGoat is the world's most widely used web application security training environment. WebGoat makes it easy for developers, architects, managers, and application security specialists to get hands-on experience with application vulnerabilities in a safe, deliberately vulnerable application rather than a production system. Downloaded millions of times and credited with starting the careers of many people in the application security industry, WebGoat has been a core component of Aspect's application security training program for over a decade.
WebScarab
WebScarab is an intercepting proxy for security testing: it sits between the browser and the target so a tester can observe, modify and replay HTTP traffic to and from web applications and Web services. Aspect supported the development of WebScarab for many years while the lead developer worked for us. WebScarab is a core component in Aspect's suite of Verification Services tools.
Enterprise Security API (ESAPI)
We need a world where security is less difficult. The mission of the ESAPI Project is to make simple, strong security controls available to every developer in every programming environment. We are currently focused on web environments and have APIs and reference implementations in Java, .NET, PHP, Classic ASP, and more. ESAPI is a core component of Aspect's Implementation Services, where we support development organizations by helping them establish their own standard security controls.
JavaSnoop
JavaSnoop is an Aspect Security tool that attaches to a running Java application so that security testers can intercept method calls, inspect and tamper with their arguments and return values, and test the application's security without needing its source code. JavaSnoop is an example of how Aspect is leading the industry in providing Verification Services, and not just for your web applications.
AntiSamy
The OWASP AntiSamy project is a security control that allows developers to safely accept rich HTML and CSS from users without exposing the site to XSS vulnerabilities: input is validated against a policy that whitelists the permitted tags, attributes and CSS properties, and everything else, including scripts and script-bearing URLs or styles, is removed. AntiSamy solves what many felt was an 'unsolvable' problem before it was released. AntiSamy is an example of the types of standard security controls that we can help your organization establish or implement as part of our Implementation Services.
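The following is an added example of using the AntiSamy API from a Java application; it is not code from the AntiSamy project or from this page. The policy file name is an assumption (AntiSamy ships several sample policies, of which antisamy-slashdot.xml is one), and the sample input is constructed to mix legitimate formatting with three common XSS vectors.

```java
import org.owasp.validator.html.AntiSamy;
import org.owasp.validator.html.CleanResults;
import org.owasp.validator.html.Policy;
import org.owasp.validator.html.PolicyException;
import org.owasp.validator.html.ScanException;

/**
 * Sanitizes user-supplied rich HTML with AntiSamy before it is stored or rendered.
 * Illustrative wrapper; the policy file name passed in is an assumption.
 */
public class RichTextSanitizer {
    private final Policy policy;

    public RichTextSanitizer(String policyFile) throws PolicyException {
        // The policy IS the security model: it whitelists tags, attributes and CSS
        // properties. Load it once at startup; parsing it per request is expensive.
        this.policy = Policy.getInstance(policyFile);
    }

    public String sanitize(String untrustedHtml) throws ScanException, PolicyException {
        AntiSamy antiSamy = new AntiSamy();
        CleanResults results = antiSamy.scan(untrustedHtml, policy);
        // Log what was removed. A spike in stripped <script> tags or javascript: URLs
        // from one user is a cheap signal that the rich-text feature is being probed.
        for (Object msg : results.getErrorMessages()) {
            System.err.println("AntiSamy removed: " + msg);
        }
        return results.getCleanHTML();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input (not real user data): bold text plus a script tag,
        // a javascript: link and a CSS url() carrying script.
        String dirty = "<b>Hello</b><script>alert(1)</script>"
            + "<a href=\"javascript:alert(2)\">link</a>"
            + "<div style=\"background:url(javascript:alert(3))\">text</div>";
        RichTextSanitizer sanitizer = new RichTextSanitizer("antisamy-slashdot.xml");
        // Under a policy like the slashdot one, simple formatting such as <b> survives
        // while the script, the javascript: URL and the unsafe style are dropped.
        System.out.println(sanitizer.sanitize(dirty));
    }
}
```

Two practical caveats: sanitize at the point of input and again at output if the stored data can be edited by other paths, and never relax the policy file on a per-request basis, since the policy is where the protection actually lives.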
Scrubbr
In 2009 Aspect initiated the development of Scrubbr and released it at Shmoocon. Scrubbr is a BSD-licensed database scanning tool that checks numerous database technologies for the presence of possible stored cross-site scripting payloads. Scrubbr was released in response to the numerous SQL Injection worms of 2008 that injected malicious content into millions of databases sitting behind Internet-facing web applications. Scrubbr allows you to search for and surgically remove malicious content from your database without damaging valid production data.
CSRF Guard
CSRFGuard provides an architectural-level solution for CSRF, one of the hardest problems to solve in application security. It shields the entire web application against this dangerous category of flaw by validating requests in one place, so developers do not have to build a CSRF defense into each individual function within their applications. CSRFGuard is an example of the types of standard security controls that we can help your organization establish or implement as part of our Implementation Services.
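To make the "one filter instead of one check per function" idea concrete, here is an added example of a synchronizer-token servlet filter. It is an illustration written for this page, not CSRFGuard's source; the session attribute name, the parameter name and the header name are assumptions.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Synchronizer-token CSRF filter mapped to /*. Every state-changing request must
 * carry the per-session token; safe methods only ensure the token exists.
 * Illustrative code, not CSRFGuard; names below are assumptions.
 */
public class CsrfTokenFilter implements Filter {
    static final String TOKEN_ATTR = "csrf.token";      // session attribute (assumed name)
    static final String TOKEN_PARAM = "csrf_token";     // hidden form field (assumed name)
    static final String TOKEN_HEADER = "X-CSRF-Token";  // for XHR clients (assumed name)
    private static final SecureRandom RNG = new SecureRandom();

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        HttpSession session = request.getSession(true);

        String sessionToken = (String) session.getAttribute(TOKEN_ATTR);
        if (sessionToken == null) {
            // 256 bits from a CSPRNG; the token is bound to the session, not the user agent.
            byte[] raw = new byte[32];
            RNG.nextBytes(raw);
            sessionToken = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
            session.setAttribute(TOKEN_ATTR, sessionToken);
        }

        if (!isSafeMethod(request.getMethod())) {
            String submitted = request.getParameter(TOKEN_PARAM);
            if (submitted == null) {
                submitted = request.getHeader(TOKEN_HEADER);
            }
            if (!tokensMatch(sessionToken, submitted)) {
                response.sendError(HttpServletResponse.SC_FORBIDDEN, "Missing or invalid CSRF token");
                return;
            }
        }
        // Expose the token to views so forms can embed it as a hidden field.
        request.setAttribute(TOKEN_ATTR, sessionToken);
        chain.doFilter(req, res);
    }

    static boolean isSafeMethod(String method) {
        // This shortcut is only sound if GET/HEAD/OPTIONS never change state.
        return "GET".equals(method) || "HEAD".equals(method) || "OPTIONS".equals(method);
    }

    static boolean tokensMatch(String expected, String submitted) {
        if (submitted == null) return false;
        // Constant-time comparison: String.equals() returns at the first mismatching
        // byte and would leak how much of the token an attacker has guessed.
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                     submitted.getBytes(StandardCharsets.UTF_8));
    }
}
```

The filter is registered once in web.xml and applied to every URL, which is what makes it an architectural control: adding a new form or endpoint does not require any developer to remember the check. The usual failure modes to verify are state-changing GET requests (bypassed by the safe-method shortcut above) and endpoints excluded from the filter mapping.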
CSRF Tester
CSRFTester gives verification testers the ability to quickly determine whether a site is vulnerable to CSRF. It allows testers to record a web site transaction and then replay that transaction later, from a page the target site did not generate, in order to prove whether an external attacker could cause the same transaction to execute as part of a CSRF attack. CSRFTester facilitates detecting CSRF vulnerabilities and proving to interested stakeholders that such attacks actually work, and the damage they can cause.
OWASP CSRF Tester Project Page
Java EE PDF uXSS Filter
Aspect released a filter that prevents exploitation of the Adobe universal XSS flaw (CVE-2007-0045). Many thought that this was impossible to stop at the filter level without changing the content type and changing the way sites used PDFs. Adobe has patched this flaw in the Adobe Acrobat Reader plugin, but site owners still need to protect users who have not yet updated their plugin. This filter provides that protection.
OWASP PDF Attack Filter Project Page
Java EE Clickjacking Filter
Aspect donated a filter to OWASP that allows Java EE applications to give IE8 RC1+ users clickjacking protection by sending the X-FRAME-OPTIONS response header, which tells a supporting browser not to render the page inside a frame on another site. Clickjacking is a web application threat uncovered in late 2008 that most organizations are still struggling to deal with.
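The following is an added example, not the OWASP filter's own source, showing the shape of such a filter: it sets X-FRAME-OPTIONS on every response before the rest of the chain runs. The init-parameter name "mode" is an assumption.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

/**
 * Adds X-FRAME-OPTIONS to every response so browsers that honour the header refuse
 * to render the page inside a third-party frame. Illustrative code, not the OWASP
 * Clickjacking Filter; the "mode" init parameter is an assumed name.
 */
public class FrameOptionsFilter implements Filter {
    private String mode = "DENY";

    public void init(FilterConfig cfg) {
        String configured = cfg.getInitParameter("mode");
        // Only the two values defined for the header are accepted; anything else
        // (including a missing parameter) falls back to the most restrictive setting.
        if ("SAMEORIGIN".equalsIgnoreCase(configured) || "DENY".equalsIgnoreCase(configured)) {
            mode = configured.toUpperCase();
        }
    }

    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        // Set the header before delegating: once a downstream servlet or JSP commits
        // the response, headers can no longer be added.
        ((HttpServletResponse) res).setHeader("X-FRAME-OPTIONS", mode);
        chain.doFilter(req, res);
    }
}
```

Map the filter to /* in web.xml, and check the header with a proxy on a representative set of pages, including error pages and static resources, since any frameable page with a sensitive click target is enough for an attacker. The header only protects browsers that implement it (IE8 RC1 and later at the time the filter was written); users of older browsers still need a JavaScript frame-busting fallback.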
OWASP Clickjacking Filter Project Page
JSP Tester
Released in 2009 at Shmoocon, the JSP Tester is an easy to use, freely available tool that can quickly ascertain the level of protection that each component of a JSP tag library offers against Cross Site Scripting (XSS) attacks. Using this tool, development organizations can quickly determine if the library they are currently using, or are considering using, automatically provides XSS protection. If not, they can avoid that library or augment it to fill in the XSS protection gaps in that library.