IBM on Fire

Five months after being acquired by
IBM, Watchfire is out with its latest release of its security scanning
product AppScan.

With the release, Watchfire will try to prove that it can integrate with IBM’s Rational product line and that it can also still continue to stand on its own.

“Application security needs to be part of the software process and that was
the impetus for IBM buying us,” Mike Weider, CTO of Watchfire, told
InternetNews.com. “Part of our vision is to create an end to end
solution for application security from the early days of development to full
deployment and monitoring.”

While integration with IBM Rational development product portfolio is
ongoing, Weider noted that it’s also important that Watchfire continues to
service standalone customers that aren’t using IBM’s other tools.

That’s what the AppScan 7.7 release is all about. The new AppScan includes a more
robust scanning engine that can identify more vulnerabilities, no matter
where they sit in the business applications process.

Weider explained that the state inducer technology in AppScan 7.7 is
designed to make sure AppScan properly scans a business process in the right
order. For example, you can’t test checkout in an e-commerce application
until you’ve got something in the cart.

Weider admitted that in the past
that had been a challenge for AppScan, but now the software will now scan
applications in the right order. The AppScan 7.7 release also takes aim at a particularly dangerous type of vulnerability that often has been misunderstood.

“There is a new vulnerability that we’ve been tracking called cross site
request forgery. It’s a close cousin of XSS, which is the number one
vulnerability on the Internet,” Weider said. “Cross Site Request Forgery is
really about tricking a user to make requests to a third party without
realizing they’re doing it.”

For example, Weider explained that a user could browse to a website with a
malicious payload. That payload would make a request in the background that
wasn’t authorized. It sounds a bit like Cross Site Scripting, but is its own
unique vulnerability that hasn’t properly been identified in the past.

“The confusion about it is that all sites that all sites that are vulnerable
to cross site scripting will also be vulnerable to Cross Site Request
Forgery, but the reverse isn’t true,” Weider noted.

“Even though you may not be at risk for XSS, you could be at risk for forgery. In the past we’ve had robust tests for cross site scripting and in that regard we’d
catch forgery vulnerabilities. But we would not have caught forgery where
there is no cross site scripting vulnerability and that’s the new capability
we’ve added.”

With the AppScan 7.7 release, there is actually one item that is being
removed from the product – namely the Watchfire name itself.

“The AppScan brand will remain as the product name but the Watchfire name is
being slowly transitioned out,” Weider admitted. “We’re being integrated
into the IBM Rational software brand.”

Watchfire has traditionally had two key competitors in the application
scanning marketplace, Cenzic and SPI Dynamics. SPI was acquired by
HP
in June of this year.

Weider is confident however that his group still has an edge over its
competitors, thanks to IBM.

“There are two markets for these solutions, within software development
groups and within information security groups,” Weider said. “Rational has a
very broad portfolio of offerings. We have coverage of the complete end to
end cycle of how software is created, whereas other vendors don’t have that
breadth.”

News Around the Web