RealTime IT News

IBM on Fire

Five months after being acquired by IBM, Watchfire is out with its latest release of its security scanning product AppScan.

With the release, Watchfire will try to prove that it can integrate with IBM's Rational product line and that it can also still continue to stand on its own.

"Application security needs to be part of the software process and that was the impetus for IBM buying us," Mike Weider, CTO of Watchfire, told InternetNews.com. "Part of our vision is to create an end to end solution for application security from the early days of development to full deployment and monitoring."

While integration with IBM Rational development product portfolio is ongoing, Weider noted that it's also important that Watchfire continues to service standalone customers that aren't using IBM's other tools.

That's what the AppScan 7.7 release is all about. The new AppScan includes a more robust scanning engine that can identify more vulnerabilities, no matter where they sit in the business applications process.

Weider explained that the state inducer technology in AppScan 7.7 is designed to make sure AppScan properly scans a business process in the right order. For example, you can't test checkout in an e-commerce application until you've got something in the cart.

Weider admitted that in the past that had been a challenge for AppScan, but now the software will now scan applications in the right order. The AppScan 7.7 release also takes aim at a particularly dangerous type of vulnerability that often has been misunderstood.

"There is a new vulnerability that we've been tracking called cross site request forgery. It's a close cousin of XSS, which is the number one vulnerability on the Internet," Weider said. "Cross Site Request Forgery is really about tricking a user to make requests to a third party without realizing they're doing it."

For example, Weider explained that a user could browse to a website with a malicious payload. That payload would make a request in the background that wasn't authorized. It sounds a bit like Cross Site Scripting, but is its own unique vulnerability that hasn't properly been identified in the past.

"The confusion about it is that all sites that all sites that are vulnerable to cross site scripting will also be vulnerable to Cross Site Request Forgery, but the reverse isn't true," Weider noted.

"Even though you may not be at risk for XSS, you could be at risk for forgery. In the past we've had robust tests for cross site scripting and in that regard we'd catch forgery vulnerabilities. But we would not have caught forgery where there is no cross site scripting vulnerability and that's the new capability we've added."

With the AppScan 7.7 release, there is actually one item that is being removed from the product – namely the Watchfire name itself.

"The AppScan brand will remain as the product name but the Watchfire name is being slowly transitioned out," Weider admitted. "We're being integrated into the IBM Rational software brand."

Watchfire has traditionally had two key competitors in the application scanning marketplace, Cenzic and SPI Dynamics. SPI was acquired by HP in June of this year.

Weider is confident however that his group still has an edge over its competitors, thanks to IBM.

"There are two markets for these solutions, within software development groups and within information security groups," Weider said. "Rational has a very broad portfolio of offerings. We have coverage of the complete end to end cycle of how software is created, whereas other vendors don't have that breadth."