Application security testing continues to be a challenge for many organizations. Between the sheer volume of applications and the manual processes still required, security testing can quickly become a bottleneck. Add to that the difficulty of communicating and tracking application security matters throughout the organization.
Watchfire, with its latest version of the AppScan application vulnerability scanner announced today, aims to automate more of that process and boost communication throughout the software development life cycle (SDLC).
"A lot of companies are still struggling to implement a robust application security testing process within their SDLC and get coverage testing all of their applications," said Mike Weider, CTO and founder of Waltham, Mass.-based Watchfire Corp. Many companies, he said, are testing only about 25% of their applications for security vulnerabilities. "They're looking for tools like ours to be more efficient at the testing process. The other challenge is communication to the rest of the organization—to get the information out there and track it."
AppScan 7.0 offers enhanced automation such as privilege escalation testing and two-factor authentication support, as well as new features for understanding and acting upon the identified security vulnerabilities. In addition, a complementary Web-based Reporting Console, also introduced today, allows users to upload AppScan desktop results to a centralized, Web-based repository and distribute vulnerability reporting and summary metrics across the enterprise.
Testing an application's authorization model can be a manually intensive task with the number of personas, roles and authorizations within a given application, Weider said. The privilege escalation testing feature in AppScan 7.0 automates much of that process. "It's going to be a huge time savings for customers," Weider said.
AppScan 7.0 also provides review logs of the URLs it traversed, so users can reconfigure the scan or test by hand any part of the authorization model that AppScan didn't reach, "but in tests so far it has automated the vast majority of it," Weider said.
While AppScan has traditionally been used on publicly facing Web sites, Weider said the privilege escalation testing opens a new area of focus for AppScan for testing intranets and addressing the growing insider threat organizations face.
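The privilege escalation testing described above is, at its core, a differential test across roles: crawl the application with a high-privilege session, replay every discovered URL with a lower-privilege session, and flag any privileged resource the lower role can still read. The following Python script is an added illustration of that technique and is not AppScan's code or Watchfire's; the in-memory target site, its role table, the `fetch`/`crawl` helpers and the `MANUAL_PATTERNS` skip list are all constructed for the example. It compares response bodies rather than status codes alone, because many applications deny access with an HTTP 200 and an error page, and it leaves state-changing URLs unreplayed, logging them for hand testing the way the article says the tool's review logs let users do.

```python
"""Differential privilege-escalation test: crawl as a high-privilege role,
then replay every discovered URL as a lower-privilege role and flag any
privileged resource the lower role can still read. Example code, not AppScan's."""
import difflib
import re
from typing import Dict, List, Set, Tuple

Page = Tuple[int, str, List[str]]  # (status, body, links found in the body)

# Constructed in-memory target standing in for a real site (assumption).
# path -> (roles allowed, body served, links exposed on that page)
TARGET: Dict[str, Tuple[Set[str], str, List[str]]] = {
    "/": ({"anonymous", "user", "admin"}, "Welcome", ["/login", "/account"]),
    "/login": ({"anonymous", "user", "admin"}, "Login form", []),
    "/account": ({"user", "admin"}, "Your account", ["/admin/users"]),
    "/admin/users": ({"admin"}, "User list: alice, bob",
                     ["/admin/export", "/admin/audit", "/admin/delete?id=7"]),
    # Constructed flaw: the export is reachable by any logged-in user.
    "/admin/export": ({"user", "admin"}, "id,name\n1,alice\n2,bob", []),
    "/admin/audit": ({"admin"}, "Audit log: 3 entries", []),
    "/admin/delete?id=7": ({"admin"}, "Deleted user 7", []),
}
SOFT_DENY = {"/admin/audit"}  # denies with HTTP 200 plus an error page, not 403
MANUAL_PATTERNS = (re.compile(r"/delete\b"),)  # state-changing: never replayed automatically


def fetch(role: str, path: str) -> Page:
    """Simulated HTTP GET using a session that belongs to `role`."""
    if path not in TARGET:
        return 404, "Not found", []
    allowed, body, links = TARGET[path]
    if role in allowed:
        return 200, body, links
    if path in SOFT_DENY:
        return 200, "Access denied", []
    return 403, "Forbidden", []


def crawl(role: str, start: str = "/") -> Dict[str, Tuple[int, str]]:
    """Breadth-first crawl that follows only links visible to this role."""
    results: Dict[str, Tuple[int, str]] = {}
    queue = [start]
    while queue:
        path = queue.pop(0)
        if path in results:
            continue
        status, body, links = fetch(role, path)
        results[path] = (status, body)
        if status == 200:
            queue.extend(link for link in links if link not in results)
    return results


def same_content(a: str, b: str, threshold: float = 0.8) -> bool:
    """Body similarity; status codes alone miss 200-with-error-page denials."""
    return difflib.SequenceMatcher(None, a, b).ratio() >= threshold


def privilege_escalation_test(high: str, low: str) -> List[dict]:
    """Replay everything `high` can see as `low`; return a per-URL review log."""
    high_map = crawl(high)
    low_map = crawl(low)
    log: List[dict] = []
    for path, (status, body) in high_map.items():
        if status != 200:
            continue
        if path in low_map and low_map[path][0] == 200 and same_content(low_map[path][1], body):
            log.append({"url": path, "verdict": "SHARED"})  # both roles reach it normally
            continue
        if any(p.search(path) for p in MANUAL_PATTERNS):
            log.append({"url": path, "verdict": "MANUAL"})  # left for hand testing
            continue
        low_status, low_body, _ = fetch(low, path)
        verdict = "ESCALATION" if low_status == 200 and same_content(low_body, body) else "DENIED"
        log.append({"url": path, "verdict": verdict, "low_status": low_status})
    return log


def findings(log: List[dict]) -> List[str]:
    """URLs a lower-privilege role could read that it was never shown."""
    return [entry["url"] for entry in log if entry["verdict"] == "ESCALATION"]


if __name__ == "__main__":
    for entry in privilege_escalation_test("admin", "user"):
        print(entry)
```

Run against the constructed site, the admin-versus-user pass reports `/admin/export` as an escalation, records `/admin/audit` as denied despite its HTTP 200 (the body comparison catches the soft denial), and lists `/admin/delete?id=7` as manual work. For a real target, `fetch` would wrap an HTTP client with one cookie jar per role, and the review log is what a tester would use to decide which of the MANUAL entries to exercise by hand.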
The other trend AppScan 7.0 aims to address is the growing use of complex authentication procedures in Web applications, particularly two-factor authentication, which more organizations are starting to deploy as part of their compliance requirements. When AppScan detects that a complex authentication login is required, it will suspend the scan while maintaining the session state and prompt the user to complete the authentication process. Supported authentication methods include two-factor authentication, CAPTCHA, stepped authentication, one-time passwords, USB keys, smartcards and mutual authentication.
Helping developers understand vulnerabilities
The third major area AppScan 7.0 addresses is validation highlighting and reasoning, which lets users understand the root cause of a vulnerability and communicate it to developers for remediation.
"There is a tenuous relationship between security and developers," Weider said. "Security is trying to get them to fix problems, and developers are under pressure to ship. You want to make sure when you give a developer a problem that it's a real problem, but also give them enough information to fix it." In AppScan 7.0, "we're highlighting in HTTP response streams where in the response stream we flagged; the reasoning is explained more in English-like terms, why it's a vulnerability. We're explaining the algorithms for how we tested for a problem."
Once problems are identified, the new Reporting Console has built-in Issue Management functionality to track remediation efforts. The reporting architecture also allows the creation of multiple dashboards that present vulnerabilities in ways more meaningful to the business, such as by application, business unit, or third-party provider.
Weider said the Reporting Console is a bridge for those organizations that don't require the enterprise version of AppScan but want reporting capabilities. In addition, he said, "there is a capability in the reporting server to set central policy around who can scan what and what they can test applications for. Previously, the desktop clients were untethered from the main server."
To help customers get up and running with AppScan 7.0 and the AppScan Reporting Console, Watchfire has also introduced a suite of computer-based training solutions. Pricing for AppScan 7.0 starts at $14,400 and pricing for the Reporting Console starts at $35,000.