News Stay informed about the latest enterprise technology news and product updates.

AppScan Web application security scanner enhanced

The first major release since being acquired by IBM, the latest version of Watchfire's AppScan tests for more vulnerabilities and is better able to scan difficult applications such as Flash and Ajax applications.

Users of Watchfire's AppScan who are concerned that their tool would disappear into the depths of IBM after the company was acquired earlier this year can rest a little easier. Today, Watchfire announced a major new release of AppScan -- called IBM Rational AppScan 7.7.

Although the product is part of the overall vision within IBM to provide an end-to-end solution for application security, Watchfire CTO Mike Weider said this release supports AppScan as a stand-alone product.

AppScan sits within IBM's Rational software brand, which has products to help developers create and deliver software. AppScan's integration into that area will help developers using Rational products test for security throughout the software development lifecycle (SDLC) rather than at the end.

Weider stressed, however, that the company will continue to support AppScan as a stand-alone for customers who don't use Rational or IBM products.

"Since the acquisition, 99% of the feedback has been positive. Of the concerns we heard were customers saying they want to know we're going to continue to support it as a standalone product," Weider said. "This [release] will be a strong reinforcement of the fact that we are going to continue."

IBM Rational AppScan 7.7 is targeted mainly at QA engineers and security analysts. An important new feature for those professionals is the enhancement to security tests. AppScan is now able to scan for cross-site request forgery (CSRF), an attack that causes unauthorized commands to be transmitted from trusted Web sites. CSRF attacks have been rising in popularity and are difficult to detect. The product can also better scan applications that have been difficult to test, such as Ajax and Flash applications.

Those features meet the need of the "power" user, Weider said, but AppScan 7.7 also helps IT professionals new to application security.

"A growing number of clients are looking to adopt application scanners who don't have application security experience," he said. "The problem is many scanners are for the power users and can be daunting to those not as knowledgeable. So, education is a huge issue for getting the best use out of the products."

To help educate AppScan users, Watchfire has been investing in and creating an online library. More than that, it has integrated that training into the product. "So, if you don't know what CSRF is, for example, you can educate yourself on what to do if that is detected," Weider said.

The person running the test can also create detailed reports that include a description of the flaw, fix recommendations, sample source code to repair the flaw, and links to online training. The person could then give that report to a developer to fix the flaw, or if he's knowledgeable fix the problem himself.

Other enhancements in IBM Rational AppScan 7.7 include the following:

  • New eXtensions have been added, including Scan Expert Extensions, an eXtensible Panel in the Main Window, and saving manually found issues.

  • IBM Rational AppScan's scan configuration has been re-architected for improved flow efficiency.

  • The product has 44 out-of-the-box compliance reports. New reports include Family Education Rights and Privacy Act (FERPA), Freedom of Information and Protection of Privacy Act (FIPPA) and Payment Application Best Practices (PABP).

For more information, visit the Web site for IBM Rational AppScan.

Dig Deeper on Topics Archive

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.