Press Releases by JavaScriptSearch


Watchfire Announces AppScan 6.5


Market-Leading Application Vulnerability Scanner Adds Web Services Scanning Coverage, Improved Accuracy Features, Advanced Automated Capabilities for Penetration Testers and PCI Data Security Standards Compliance

July 18, 2006; 01:57 AM
Watchfire, provider of web application vulnerability assessment software and services, released updated versions of AppScan and AppScan(R) Developer Edition. AppScan 6.5 offers expanded security auditing coverage with integrated Web Services scanning, additional regulatory compliance reporting, including new PCI Data Security Standards, and two new ISO reports. AppScan 6.5 also features improved accuracy capabilities to further reduce false positives and new advanced testing features to meet the unique needs of security auditors, consultants and penetration testers.

"Well-publicized online security breaches and heightened concerns over regulatory compliance demonstrate the ongoing need for web vulnerability scanning, and more and more companies are standardizing on Watchfire as a result," said Michael Weider, CTO, Watchfire. "Regular vulnerability scanning of web applications is vital to catch issues earlier in the development lifecycle and to monitor to protect against new threats after application deployment. AppScan 6.5 builds on Watchfire's market leadership by addressing emerging customer needs, such as reducing false positives, Web Services scanning and new PCI and ISO compliance reporting. These features, and our commitment to the unique needs of penetration testers, are resonating with international and domestic customers and partners."

New Web Services Scanning

The adoption of Web Services to perform more critical online transactions has resulted in the urgent need to audit and assess these applications for security vulnerabilities. AppScan 6.5 delivers a Web Services Explorer which lets users examine the different methods incorporated in the Web Service, manipulate input data and examine feedback from the service.

This new capability performs Web Services application scans to simulate application-to-application interactions, as opposed to user-to-application interactions. This feature provides the widest range of advanced SOAP tests resulting in broad coverage of the scanned application. AppScan 6.5 also supports JavaScript execution and parsing and Flash parsing to help ensure all web application technologies are tested.

Industry's Most Complete Regulatory Compliance Reporting

Visa and MasterCard require retailers -- banks, merchants and member service providers -- to comply with the Payment Card Industry (PCI) Data Security Standards to help ensure the security and privacy of their members' confidential information. Requirement number six of the PCI requirements states that organizations must develop and maintain secure systems and applications. Failure to comply may result in fines, restrictions or permanent expulsion from card acceptance programs.

The majority of existing PCI efforts have focused on security at the network level, but many of the latest threats are on the web application side (SQL injection attacks, cross-site scripting flaws, etc.). In response, Visa and MasterCard recently announced they will release new security rules for all organizations that handle credit card data. A key part of the updated PCI requirements is aimed at protecting credit card data from emerging web application security threats. Other new PCI updates will require companies to ensure that any third parties that they deal with have implemented proper controls for securing credit card data.

To help organizations identify security vulnerabilities that impact PCI compliance, AppScan 6.5 includes automated support for this mandatory data security standard. The addition of PCI and two new ISO standards -- 17799 and 27001 -- makes AppScan the industry's most comprehensive compliance reporting solution with more than 34 out-of-the-box compliance reports.

New Automated Capabilities for Penetration Testers

AppScan 6.5 includes a new set of advanced testing utilities that complement manual testing, offering pen testers more power, automation and efficiency.

The new Token Analyzer provides various tests for web application session tokens to determine how secure the application is against session theft. Watchfire's new Authentication Tester is a brute force-like testing utility that detects weak username-password combinations that could be used to gain access to a web application. These new automated tools complement Watchfire's recent introduction of a tailored program which provides penetration testers and security consultants with customized licensing, technical, marketing and sales resources.

Improved Reporting Features Further Reduce False Positives

AppScan 6.5 further reduces false positives by letting users select specific tests from which it will extract, zip and encrypt non-proprietary information for e-mailing. This feature offers a quick and easy way to send Watchfire feedback directly about tests users believe are false positives. Additionally, this capability provides productivity benefits by enabling users to easily share test information for review with application developers or system managers.

Security Throughout the SDLC

According to research from Gartner, application security is an essential element in the application development lifecycle. The research firm states that through 2008, application security will become an important evaluation criterion, weighted as high as system functionality. Organizations that integrate security into their software development lifecycles will experience an 80 percent decrease in critical vulnerabilities found in their publicly released software or externally facing web applications.(1)

Integrating AppScan and AppScan DE into the software development lifecycle will help organizations eliminate security vulnerabilities early, simplify the remediation process, establish better control and visibility, and save time by improving the productivity of the development, audit and QA teams. AppScan provides integration with testing tools including Mercury Quality Center. AppScan DE seamlessly integrates into the development environment including MS Visual Studio 2005, WebSphere, JBuilder and Eclipse to catch security issues in development.

AppScan 6.5 extends Watchfire's previous benchmark for web application testing with improved capabilities that not only identify critical application weaknesses but also provide intelligent fix recommendations, improving the ease and speed by which users are able to understand, prioritize and remediate critical web application security issues. AppScan 6.5 also further builds on previous user productivity enhancements with improved reporting accuracy, real time view of scan results, screenshots included in reports and enhanced scanning speed.

For more technical features and details and to download AppScan 6.5 please visit: http://www.watchfire.com/products/appscan/appscansix.aspx

About Watchfire

Watchfire provides Online Risk Management software and services to help ensure the security and compliance of websites. More than 500 enterprises and government agencies, including AXA Financial, SunTrust, HSBC, Vodafone, Veterans Affairs and Dell rely on Watchfire to audit and report on issues impacting their online business. Watchfire has been the recipient of several industry honors including the HP/IAPP Privacy Innovation Award, InfoSecurity Product Guide's Hot Security Company 2006, Computerworld's Innovative Technology Award, and "Recommended" rating by Computer Reseller News. Watchfire was named by IDC as the worldwide market-share leader in web application vulnerability assessment software. Watchfire's partners include IBM Global Services, PricewaterhouseCoopers, Sapient, TRUSTe, Microsoft, Interwoven, WebTrends, EMC Documentum and Mercury. Watchfire is headquartered in Waltham, MA. For more information, please visit www.watchfire.com.
