RealTime IT News

Douse Application Security Flaws With Watchfire

Call it Web application security scanning made simple.

Watchfire has put the finishing touches on AppScan Enterprise 5, a new version of the company's software platform fitted with a point-and-shoot testing tool and training utilities to facilitate quality assurance.

Watchfire CTO Michael Weider said the Waltham, Mass., vendor developed the latest AppScan edition to stomp out some of the deficiencies organizations are saddled with in detecting vulnerabilities.

Weider said current techniques to integrate security testing into software development are failing because companies lack the manpower to test software security, forcing them to make developers perform security testing without formal training.

He said prior versions of AppScan and products from rival vendors covered about 25 to 50 percent of their applications, and that customers have been calling for more application scanning throughout their organizations.

"We think that Web application security is now entering a new phase of adoption," Weider said in a recent interview with internetnews.com. "It's gone from something that people didn't understand and thought they had covered with firewalls...2007 is about scaling application security programs to test every application for problems."

AppScan Enterprise 5 features QuickScan for Developers, a tool designed to adapt to developers' individual knowledge bases and needs. In short, developers no longer have to be security experts to scan applications for security vulnerabilities.

QuickScan requires no configuration or desktop software to install: developers merely point and click the Web-based QuickScan at their application to find flaws. Results are returned in a developer task list, allowing non-security experts to ascertain what needs to be fixed to make the application secure.

For additional usability, AppScan Enterprise 5 integrates with Watchfire's self-service training program, where team leaders and executives are able to monitor adoption rates and employee progress.

Other features of AppScan Enterprise 5 include new scanning capabilities to flush out flaws in Web 2.0 technologies such as AJAX, JavaScript and Flash; manual explore and recorded login features for easier site navigation; enhanced searching, grouping and filtering; more granular scanning controls; and a new graphical user interface.

In addition to the enhanced scanning, new architecture and enhanced usability, AppScan Enterprise 5 now lets users correlate application vulnerabilities with source code issues uncovered by Fortify Software's SCA Suite.

This pairing relieves users of the burden of reading through code scan results to determine what issues to fix, allowing developers to better remediate security vulnerabilities in software development.

Watchfire competes with SPI Dynamics, Cenzic and a few others in the application security scanning market, which is gaining more traction thanks to the more complex nature of rich applications based on Web 2.0 technologies such as AJAX.

SPI launched Phoenix, the company's next-generation security architecture, before the RSA conference.

Phoenix underpins WebInspect 7, SPI's new Web application scanner. Like AppScan Enterprise 5, WebInspect 7 is more suited to reading AJAX, Flash and other more modern applications for flaws.