
All posts for the month November, 2010

Subgraph is building a software application called Vega. It crawls websites and analyzes the pages, looking for vulnerabilities and sensitive information. Concerned about the security of your website or some application you’re deploying? The automated scanning mode can be used by a variety of users, including the web developers themselves, as a phase in web application QA or deployment. Vega will also have features for more tactical penetration testing, intended for use by skilled security testers. Below are some screenshots of the work we’ve done so far. There are three: the scan information interface, an alert and the proxy.

The scan information interface displays a summary of an active or completed scan, and any alerts that were generated. The user can select a specific alert for more information.

Each alert explains the identified issue in summary and in detail, ranks it by severity, and offers remediation instructions, if possible.

Vega is fully extensible: the modules that run and generate the alerts can be created by users, and the existing modules that ship with Vega are easily modifiable. The modules are written in JavaScript and can be added to or removed from Vega simply by moving them into or out of the appropriate directory.

The alerts generated by the modules are rendered using XML template files that are also created by users. Vega will ship with a default suite of modules and pre-made alert templates, as many as make sense. The API is very easy to learn and is intentionally designed to facilitate community participation. Would-be contributors can expect at least one pleasant surprise.

The proxy is meant for instrumentation of the web application during focused penetration testing. Skilled users will be able to isolate and intercept requests and responses. They’ll be able to modify them by hand before releasing them, replay them, etc.

Vega itself is written in Java and runs on Windows, Mac OS X and Linux platforms.

More later, thanks.