Watchfire is making it easier to integrate Web application security throughout the software development life cycle (SDLC) with its new application security testing tools.
On Monday the company announced Watchfire AppScan 7.5 and AppScan QA, a quality assurance edition of AppScan.
In AppScan 7.5, the company introduces its AppScan eXtensions Framework. The new framework allows users to extend the AppScan feature set, giving them the ability to create anything from a minor utility that performs simple tasks to a full-blown application that performs many complex actions.
"AppScan 7.5 is designed to help security testers and analysts be more productive," said Michael Weider, CTO and founder of Watchfire. "We had requests for features and capabilities that would have been difficult to provide. So we've created APIs and extensions so they can build the plugins themselves."
AppScan 7.5 will launch with just under 10 extensions. Some of those include XML export, the ability to integrate NMAP with AppScan so companies can merge their network scanning with their application scanning, and the ability to export security defects into leading quality assurance issue-tracking systems such as HP Quality Center and IBM Rational ClearQuest.
Not only that, but Watchfire is open-sourcing the code for the extensions so developers can create new extensions based on those.
Weider said the idea behind these extensions is to help customers create and share their own extensions and collaborate together on ways to leverage the new open flexibility of AppScan. "We're hoping to foster a community," he said.
For further flexibility, AppScan 7.5 includes Pyscan for real-time, targeted testing in the Python scripting language. Weider called it a merger between AppScan and Python that will allow users to use the Python shell to control AppScan from a script. That combination helps automate more manual testing tasks, improve the accuracy of those tests, save time testing and make use of new capabilities previously not available through manual checks.
"This gives users a very customizable way to innovate, and they can take the product in directions we never contemplated," Weider said.
Other AppScan 7.5 enhancements
Other features added to AppScan 7.5 include the following:
- Adaptive Test Process -- Provides a performance boost by automatically understanding the environment and then filtering out irrelevant tests.
- Customizable advisories and fix recommendations -- Allows for flexibility and annotation for organizations and security consultants.
- Concurrent scanning -- Allows multiple scans or remediation efforts on scans while other scans are active.
Incorporating QA into Web application security testing
Traditionally only security testers and security analysts have been responsible for Web application security testing. That's changing as companies start to heed the call to include security testing throughout the development life cycle. With AppScan QA, Watchfire is helping quality assurance engineers become part of the process.
"Currently QA engineers test for functionality and performance. We see that security testing is going to be the third leg of the stool," Weider said.
He said customers have been asking for two models to enable them to use AppScan in QA:
- Integrate AppScan with the software quality management solutions they currently use.
- If testing is done outside of a quality management framework, be able to log defects in a defect-tracking system.
AppScan QA does both of those, Weider said. The tool offers seamless integration with HP Quality Center, enabling QA engineers to make use of AppScan without having to learn a new environment. With it they can automatically create and modify tests, store and share configurations and sessions, produce detailed security defect advisories, and produce detailed defect definitions for the development team so it can quickly solve problems.
AppScan Enterprise will also be integrating with IBM Rational ClearQuest, which will allow development, QA and security teams to work together using ClearQuest as a common defect-tracking system.
On top of that the QA Defect Logger eXtension easily pushes selected security defects from AppScan to customers' QA systems. By right-clicking on an issue, they can open a defect ticket that includes all the required defect information (fix recommendation, request/response, etc.) and that can be edited as appropriate before sending. This new capability further expands the QA process by including gating by the security team.
AppScan QA customers can also make use of the AppScan eXtensions Framework to create their own extensions.
Team approach to application security
By automating the application security testing process, companies can get QA engineers and developers involved in security testing, Weider said.
"Security in teams is going to be more prevalent -- having developers and QA do testing," he said. "Those security experts who have been involved in the testing won't go away, but they'll be able to focus on the larger, complicated security problems that require security expertise."
Weider added that Watchfire sees a layered approach for security testing. Including QA and development "creates a layered defense that creates high-quality software and more secure applications," he said.