Press Releases by JavaScriptSearch

Watchfire Introduces AppScan 7.0, Highlighting a Decade of Web Security Leadership

November 6, 2006; 07:03 AM
Watchfire, the market-leading provider of application vulnerability assessment software and services to help ensure the security and compliance of websites, today unveiled AppScan® 7.0, a major new product release that highlights a decade of innovation and leadership since AppScan pioneered the web application security market in 1996.

Security teams are under pressure to keep up with the volume of applications they need to test. They often catch issues late in the software development cycle or not at all. This problem is compounded by the fact that development and QA professionals typically have little or no security expertise and do not fully understand how to fix the issues. AppScan 7.0 was developed to solve these problems and features more advanced application vulnerability scanning and increased testing process automation, in addition to a range of new features to help organizations understand and act upon the web security vulnerabilities found. It provides unmatched visibility and control for security professionals and penetration testers, and introduces root cause identification and communication features to provide developers with logical instructions on how to not only find and fix issues, but also learn from the process.

AppScan 7.0 highlights include:

Enhanced Automation to Further Improve Productivity:

  • Privilege Escalation Testing: AppScan 7.0 is the only solution to automate the manually intensive task of testing an application's authorization model. The AppScan Privilege Escalation Testing exposes vulnerabilities that make protected resources available to unauthorized users. Before AppScan 7.0, this task could take days to conduct manually - now it can take minutes. Internal Watchfire studies have shown an 88% reduction in effort when AppScan 7.0 is used to test an application's authentication policy.
  • Two-Factor Authentication Support: AppScan is the only solution to support the use of complex authentication procedures in web applications. When AppScan detects that a complex authentication login is required, it will suspend the scan while maintaining the session state, and prompt the user to complete the authentication process. Without this capability, web application scanners are kicked out of session, resulting in poor application coverage and increased false positives. Supported authentication methods include two-factor authentication, CAPTCHA, stepped authentication, one-time passwords, USB keys, smartcards and mutual authentication.

New Ability to Action and Communicate Critical Vulnerabilities:

  • Validation Highlighting & Reasoning: AppScan 7.0 is the first solution to provide the combination of test validation highlighting, reasoning and difference to demonstrate and explain vulnerabilities. Other scanning solutions hide their testing and reasoning, making it difficult to identify each issue's root cause. Watchfire has opened AppScan to highlight exactly what issue was detected in which web site response, why it was detected and how it was detected--providing immediate and unmatched transparency which enables the user to efficiently understand the root cause of each vulnerability, communicate it to developers and then initiate the remediation process.
  • Identifying the Root Cause of Vulnerabilities: AppScan was the first solution to provide actionable results for developers, with a remediation view that enabled developers to understand the root cause of the problem, not just the symptom. Now, AppScan 7.0 goes even further by providing more automation, control and visibility for security professionals and penetration testers.

"We work closely with our customers and partners to understand their security needs and how we can prioritize our efforts to support their success. We've focused upon the breadth of our solutions to ensure the widest application scanning ability, and integration with key technologies in our space. The market responded by adopting our AppScan technology for deployment across nearly a third of the global market," said Peter McKay, president and CEO, Watchfire. "AppScan 7.0 expands on its core capabilities of vulnerability identification and remediation of developer tasks by empowering the security professional with more automation, visibility and control over web applications' security processes, and the developer with a better understanding of the root cause and how to fix the issues."

AppScan Reporting Console: Facilitating better understanding, management and control

Also announced today is Watchfire's new AppScan Reporting Console, a powerful web-based management and reporting dashboard that can be used to manage multiple desktop versions of AppScan as a cost-effective means to establish process and manage security across the enterprise.

As a complement to AppScan 7.0, the Reporting Console empowers users with a means to set and manage scan permissions across multiple AppScan desktops, and distribute web-based vulnerability reports across the enterprise, arming users with metrics and explanations of where vulnerabilities are found and how to fix them. Users are able to consolidate application security scan results and create a central repository of the company's web application vulnerabilities in order to establish policy and process for managing remediation. This gives administrators more control over assignment of tasks, the ability to track remediation progress, and generate/distribute a wide variety of customized reports. Users can also leverage the Issue Management features in the Reporting Console to ensure they are tracking vulnerabilities from detection through to remediation.

For more information, visit the following link to see the AppScan Reporting Console press release: http://www.watchfire.com/news/releases/11-06-06b.aspx

"Identifying and fixing security issues piecemeal isn't enough. Today's attacks invariably exploit the same core vulnerabilities, because it's difficult for organizations to successfully integrate security capabilities within the software development lifecycle," said Charles Kolodgy, research director, Security Products at IDC. "To solve this problem, security professionals need more power and control which can be available from sophisticated and automated scanning capabilities. Developers need direction on how to fix security defects in software applications, in tandem with logic behind why vulnerabilities exist. For strong risk mitigation associated with web application security, organizations should invest in automated solutions that lend more visibility for both auditors and developers to identify, communicate, and remediate these critical issues."

AppScan 7.0 continues Watchfire's commitment to make the security professional more successful, with even more automated capabilities, granular control, more open visibility and enhanced user interface functionality for powerful and efficient use. The ability to generate actionable reports provides penetration testers and security professionals with a stronger offering to provide their clients, and by leveraging the new AppScan Reporting Console, security professionals and developers can further leverage new levels of enhanced communication and sharing of information across the organization that were previously only available with Watchfire's enterprise product.

Watchfire continues to provide complete vulnerability scanning for modern and complex web sites, with broad web services scan coverage, extended AJAX (Asynchronous JavaScript and XML) support and the ability to scan even the largest enterprise web properties. The industry's most comprehensive compliance reporting solution, AppScan includes more than 34 out-of-the-box compliance reports, including the latest Payment Card Industry (PCI) 1.1 compliance update. For more information, including technical features and details, please visit: http://www.watchfire.com/resources/appscan70-overview.pdf

Watchfire Introduces OnDemand Training

Watchfire has also introduced a new suite of computer-based training solutions in support of AppScan 7.0 and AppScan Reporting Console, facilitating user expertise in web application security. Leveraging a decade of expertise and best practices developed from hands-on customer deployments in many of the world's most challenging and complex websites, Watchfire has packaged a new suite of training offerings to give customers the knowledge they need to succeed. The convenient self-paced computer-based training (CBT) modules provide everything from basic web application security to specific advanced use of AppScan. These modules can be reviewed at any time for refresher training, providing knowledge on demand. Watchfire experts are also available for application scanning assistance.

Pricing and Availability

AppScan 7.0 will be generally available for download on November 20, 2006. Pricing for AppScan 7.0 starts at $14,400. To register to evaluate AppScan 7.0 when it's available on November 20, please visit: https://www.watchfire.com/securearea/appscan.aspx

About Watchfire

Watchfire provides Online Risk Management software and services to help ensure the security and compliance of websites. More than 800 enterprises and government agencies, including AXA Financial, SunTrust, HSBC, Vodafone, Veterans Affairs and Dell, rely on Watchfire to audit and report on issues impacting their online business. Watchfire has been the recipient of several industry honors including the HP/IAPP Privacy Innovation Award, InfoSecurity Product Guide's Hot Security Company 2006, Computerworld's Innovative Technology Award, and a "Recommended" rating by Computer Reseller News. Watchfire was named by IDC as the worldwide market share leader in web application vulnerability assessment software. Watchfire's partners include IBM Global Services, PricewaterhouseCoopers, Sapient, Microsoft, Interwoven, WebTrends, EMC Documentum and Mercury. Watchfire is headquartered in Waltham, MA. For more information, please visit www.watchfire.com.

Sue Ann Wright, 613-599-3888 ext. 4039
Schwartz Communications
Mike Schultz or Tim Whitman, 781-684-0770