Watchfire Expands to Open Source Ecosystem

Security firm's new approach aims to leverage open source model without open sourcing its core product.

April 17, 2007
By Sean Michael Kerner

Application security vendor Watchfire is opening up its AppScan product to help extend its vulnerability scanning capabilities.

The new AppScan 7.5 release is not itself open source, though Watchfire is including an extension framework that it hopes will leverage the power of the open source community and collaboration.

"We're taking a bit of a different departure with AppScan 7.5 -- normally we're focused on adding a bunch of new features," Watchfire founder and CTO Mike Weider told internetnews.com.

"What we've done instead in this release is focus on building an extension framework that allows our customers and partners to build their own capabilities and to share those online."

AppScan is an application vulnerability testing product suite that enables users to identify potential security risks in applications. In the AppScan 7.5 release, Watchfire is including a free API and an SDK to help users build extensions. Watchfire is getting the ball rolling by providing 10 extensions, which will be licensed under the open source Apache 2.0 license.

The code will also be available on the Google Code open source repository Web site in a bid to help grow a community of users.

Though Watchfire is taking an open source approach to extensibility, that same approach doesn't apply to the core AppScan product itself.

"You'll still need AppScan to run the extensions so it makes the underlying platform and product more valuable to a wider group of people," Weider said. "We're not open sourcing AppScan. That is not part of what we're doing at this time."

In addition to the extension framework, Watchfire is adding Python scripting support to AppScan 7.5. Python is an open source scripting language that is becoming increasingly popular in the security community.

The Pyscan scripting tool in AppScan 7.5 enables users to write and use their own Python scripts in combination with AppScan to perform sophisticated vulnerability testing.

AppScan itself can test for vulnerabilities on nearly any platform that can deliver applications, be it Windows, Unix or Linux, Java or .NET.

"We test applications over HTTP, sort of like how a browser interacts with a Web site," Weider explained. "When you're browsing a Web site with a browser you don't know what platform is behind it and it doesn't matter to you."

"From a scanning and testing point of view the product is generic and can handle any system," Weider continued. "But we do have platform specific rules where we look for specific known vulnerabilities in applications."

Weider noted that, from the data he has seen, most Web sites have some kind of application problem. Among the most prominent are cross-site scripting vulnerabilities and SQL injections.

"Both problems are caused by input validation weakness in applications, though the actual vulnerabilities that can exist vary," Weider said.

AppScan 7.5 follows Watchfire's AppScan Enterprise 5 release, which debuted in February.

"AppScan Enterprise is a means to take the results of the testing that are done in AppScan and pull those results into a central database that allows you to collate all of the results of the testing," Weider explained.

"It also allows for dashboard and metrics creations to track for vulnerabilities by line of business or trends over time."

The Enterprise version also provides a very important failsafe against potential AppScan misuse: it controls access to the tool.

"Our product is a bit of a loaded weapon," Weider said. "It's a hacking tool and companies want to restrict who has access to the tool and also what they are allowed to point it at."





