Watchfire Releases AppScan Enterprise 5 with QuickScan for Developers; First Web-based Solution to Extend Application Security Testing Capabilities Throughout Development

JavaScriptSearch
Wednesday, February 21, 2007; 03:14 AM

Watchfire, the market share leading provider of application vulnerability assessment software and services, announced AppScan Enterprise 5. Based on next-generation technology, this new version further strengthens the power of the industry’s only web-based application security solution for security professionals, and now extends its utility to include a new point and shoot testing tool called QuickScan and integrated Computer Based Training to accelerate the adoption of security testing by QA and development teams.

Current techniques to integrate security testing into the Software Development Lifecycle (SDLC) are failing. Companies are either relying on an overburdened security team to test applications late in the cycle, when fixes are the most costly, or they’re throwing complex tools at QA and development teams expecting them to master security testing with no formal processes and training. Today, Watchfire introduces a powerful new approach to solving this problem and to increase adoption of security testing in both QA and development. Companies need a more complete program for introducing, then optimizing application security testing over time. A program that incorporates user training, testing tools tailored to the unique needs of specific SDLC stakeholders – security, QA, and development, and ongoing services and support. Watchfire calls this program Fanatical Success.™ 

“Organizations are struggling with how to integrate security testing with their SDLC,” said Jim Routh, CISO, Depository Trust & Clearing Corp. “What Watchfire understands is that it’s not just about arming developers with robust vulnerability scanning tools. It’s about providing developers with both accessible technology and accessible education. Only through this combination will developers begin to incorporate vulnerability assessment results into their application development process.”

QuickScan for Developers

With the release of AppScan Enterprise 5, and the introduction of QuickScan, Watchfire’s vision for providing simplified security testing tools for developers is realized. QuickScan has been tailored specifically to meet developers’ unique needs. With QuickScan, developers do not have to be security experts to scan applications for security vulnerabilities. Because there is no configuration required or desktop software to install, developers just point and shoot the web-based QuickScan at their application. Results are presented in a “Developer Task List” format enabling non-security users to rapidly understand what exactly needs to be fixed in order to make the application secure. QuickScan relies on administrator-defined scan templates, so while shielding developers from unnecessary complexity, QuickScan affords security teams with the centralized controls they demand.

“The industry is in wide agreement now that security testing must be built into the SDLC, but too often companies mistakenly throw complex security solutions at developers as the answer,” said Michael Weider, CTO of Watchfire. “It’s simply not feasible to expect developers, who are already overtaxed with go-to-market pressures, to take on the role of security experts too. QuickScan was designed to give developers a hassle-free scanning solution that helps ensure adoption and makes vulnerability assessments a permanent part of the application development process.”

OnDemand, Computer Based Training

Computer Based Training is an ideal way to educate non-security professionals, like developers, on application security fundamentals and product best practices. As a result, AppScan Enterprise 5 delivers integration with Watchfire’s self-service, self-paced training program. Customers now have access to a Training dashboard within AppScan Enterprise 5, where team leaders and executives are able to monitor adoption rates and employee progress by viewing enrollment information, course completion rates and test results. The Training dashboard even provides the ability to correlate training activity levels with vulnerability data for specific business units—fostering healthy competition within organizations to improve application security.

Today, in support of its Fanatical Success program, the company also rolls out new Computer Based Training curriculum tailored specifically for developers, with courses that include “The Importance of Secure Coding;” QA professionals, with courses that include “Understanding and Verifying Scan Results;” and security auditors, with courses that include “How to Create Custom Security Tests.” Since the launch of its Computer Based Training program late last year a significant number of Watchfire sales have included enrollment.

Advanced Source Code Analysis Integration

In addition to a full technology refresh that brings improved scanning, updated architecture, enhanced usability and more, AppScan Enterprise 5 also delivers the ability to automatically correlate application vulnerabilities with source code issues uncovered by Fortify Software’s SCA Suite. The precision of correlated scan results simplifies developers’ workloads by eliminating the burden of having to weed through voluminous code scan results trying to ascertain what issues to fix. With improved visibility into high priority issues, developers are able to more efficiently triage and remediate security vulnerabilities within the development phase of the SDLC. The Watchfire Fortify alliance unites the market-leading black box and white box scanning products, creating a best-of-breed solution for customers.

Highlights of AppScan Enterprise 5’s Next Generation Architecture:

• Advanced scanning capabilities that find vulnerabilities associated with the latest Web 2.0 technologies such as AJAX, as well as advanced JavaScript and Flash
• Manual Explore and Recorded Login features to ensure successful site navigation and complete crawling
• More flexible reporting framework with enhanced searching, grouping and filtering
• More granular controls to lock down scanning and report access so sensitive security data is only available to those who truly need it
• Complete technology refresh with cleaner architecture and improved customization capabilities
• Brand new graphical user interface, providing ease of use for developers

About Watchfire

Watchfire is the leading provider of web application vulnerability assessment software and the only company to offer an end-to-end solution including intelligent fix recommendations to evaluate, understand and resolve issues. More than 800 enterprises and government agencies, including AXA Financial, SunTrust, HSBC, Vodafone, Veterans Affairs and Dell rely on Watchfire to identify, report and help remediate security vulnerabilities. Watchfire has been the recipient of several industry honors including: winning an unprecedented three out of five 2007 SC Magazine Excellence Awards (including Best Security Company); the HP/IAPP Privacy Innovation Award, ; Computerworld’s Innovative Technology Award; finalist for the pending Dr. Dobb’s 2007 Jolt Product Excellence Awards; and “Recommended” rating by Computer Reseller News. For two years in a row, Watchfire has been named by IDC as the worldwide market share leader in web application vulnerability assessment software. Watchfire’s partners include IBM Global Services, Fortify, PricewaterhouseCoopers, Sapient, Microsoft, Interwoven, EMC Documentum and Mercury. Watchfire is headquartered in Waltham, MA. For more information, visit www.watchfire.com.