Watchfire Releases AppScan 6.5

Watchfire has released updated versions of AppScan and AppScan Developer Edition (DE). AppScan 6.5 offers expanded security auditing coverage with integrated Web Services scanning, additional regulatory compliance reporting, including new PCI Data Security Standards, and two new ISO reports. AppScan 6.5 also features improved accuracy capabilities to further reduce false positives and new advanced testing features to meet the unique needs of security auditors, consultants and penetration testers.

The adoption of Web Services to perform more critical online transactions has resulted in the urgent need to audit and assess these applications for security vulnerabilities. AppScan 6.5 delivers a Web Services Explorer which lets users examine the different methods incorporated in the Web Service, manipulate input data and examine feedback from the service.

This new capability performs Web Services application scans to simulate application-to-application interactions, as opposed to user-to-application interactions. This feature provides the widest range of advanced SOAP tests resulting in broad coverage of the scanned application. AppScan 6.5 also supports JavaScript execution and parsing and Flash parsing to help ensure all web application technologies are tested.

Visa and MasterCard require retailers - banks, merchants and member service providers - to comply with the Payment Card Industry (PCI) Data Security Standards to help ensure the security and privacy of their members' confidential information. Requirement number six of the PCI requirements states that organizations must develop and maintain secure systems and applications. Failure to comply may result in fines, restrictions or permanent expulsion from card acceptance programs.

The majority of existing PCI efforts have focused on security at the network level, but many of the latest threats are on the web application side (SQL injection attacks, cross-site scripting flaws, etc.). In response, Visa and MasterCard recently announced they will release new security rules for all organizations that handle credit card data. A key part of the updated PCI requirements is aimed at protecting credit card data from emerging web application security threats. Other new PCI updates will require companies to ensure that any third parties that they deal with have implemented proper controls for securing credit card data.

To help organizations identify security vulnerabilities that impact PCI compliance, AppScan 6.5 includes automated support for this mandatory data security standard. The addition of PCI and two new ISO standards - 17799 and 27001 - makes AppScan the industry's most comprehensive compliance reporting solution with more than 34 out-of-the-box compliance reports.

AppScan 6.5 includes a new set of advanced testing utilities that complement manual testing, offering pen testers more power, automation and efficiency.

The new Token Analyzer provides various tests for web application session tokens to determine how secure the application is against session theft. Watchfire's new Authentication Tester is a brute force-like testing utility that detects weak username-password combinations that could be used to gain access to a web application. These new automated tools complement Watchfire's recent introduction of a tailored program which provides penetration testers and security consultants with customized licensing, technical, marketing and sales resources.

AppScan 6.5 further reduces false positives by letting users select specific tests from which it will extract, zip and encrypt non-proprietary information for e-mailing. This feature offers a quick and easy way to send Watchfire feedback directly about tests users believe are false positives. Additionally, this capability provides productivity benefits by enabling users to easily share test information for review with application developers or system managers.

According to research from Gartner, application security is an essential element in the application development lifecycle. The research firm states that through 2008, application security will become an important evaluation criterion, weighted as high as system functionality. Organizations that integrate security into their software development lifecycles will experience an 80 percent decrease in critical vulnerabilities found in their publicly released software or externally facing web applications.

Integrating AppScan and AppScan DE into the software development lifecycle will help organizations eliminate security vulnerabilities early, simplify the remediation process, establish better control and visibility, and save time by improving the productivity of the development, audit and QA teams. AppScan provides integration with testing tools including Mercury Quality Center. AppScan DE seamlessly integrates into the development environment including MS Visual Studio 2005, WebSphere, JBuilder and Eclipse to catch security issues in development.

AppScan 6.5 extends Watchfire's previous benchmark for web application testing with improved capabilities that not only identify critical application weaknesses but also provide intelligent fix recommendations, improving the ease and speed with which users are able to understand, prioritize and remediate critical web application security issues. AppScan 6.5 also builds on previous user productivity enhancements with improved reporting accuracy, a real-time view of scan results, screenshots included in reports and enhanced scanning speed.



© 2006 Computing News