
Press Releases by JavaScriptSearch


Watchfire Releases Industry's Most Extensible and Customizable Web Application Vulnerability Testing Solution and Launches New Open Source Community for Developing New Scanning Capabilities


April 17, 2007; 02:22 AM
Continuing its lead in web application vulnerability testing, Watchfire today introduced the industry's most flexible web application security solution, Watchfire® AppScan® 7.5. AppScan 7.5 introduces the AppScan eXtensions Framework (AXF), which harnesses the power of Watchfire's patented application scanning engine. Coupled with Pyscan, a new Python®-scripting-based web application security testing platform for AppScan, AppScan 7.5 lets security professionals customize and extend the product and build their own testing solutions that use AppScan's core technology to accomplish specific security-related tasks. In addition, the company also launched the AppScan eXtensions open source community, which lets security professionals benefit from the expertise of all AppScan users.

Today's changing market requires flexibility. AppScan 7.5 is the first product in the industry to make the technical leap from a scanning tool to a security testing platform, extending web application security to all parties involved in application creation. AppScan can now address application security vulnerabilities for users across the entire Software Development Life Cycle (SDLC), from non-security professionals to the most serious power user. Coupled with today's introduction of AppScan QA (http://www.watchfire.com/news/releases/04-16-07b.aspx), designed to simplify security testing for development and quality assurance teams, Watchfire completes its vision of integrating web application security throughout the SDLC.

"Jyske Bank A/S insists on secure web applications that protect the confidential information and assets of our customers," said Dennis Panduro Rand, IT-security & Compliance, Jyske Bank A/S. "AppScan is currently one of the best solutions on the market to address our large and very complex web applications. It has become an integrated component of our implementation process for developers. We use AppScan to verify the security of our applications and are excited about the flexibility and the new and powerful advancements in AppScan 7.5 as our security testing requirements continue to grow. The new AppScan eXtensions Framework is a significant distinction for AppScan and represents an important step forward, further building on the overall productivity and capability. This gives us the strength to develop tools and scripts that directly connect with the AppScan SDK."

AppScan eXtensions Framework Extends AppScan Feature Set

AppScan 7.5 introduces a revolutionary new AppScan eXtensions Framework (AXF) that allows users to extend the AppScan feature set. AXF gives users the ability to create anything from a minor utility that performs simple tasks to a full-blown application that performs many complex actions, all based on AppScan data or functionality. By leveraging the potential that AXF provides, users can customize AppScan to meet their exact needs by using or creating their own eXtensions.

"With AppScan 7.5, Watchfire has really opened up the full power of the AppScan engine to our users," said Michael Weider, founder and chief technology officer of Watchfire. "With a customer base that makes up nearly a third of the global market share, our customers have great ideas on how to customize AppScan to even better address the unique challenges they face on the front lines of security every day. Watchfire's eXtensions community and website is all about innovation. Our customers can now create and share their own extensions, and collaborate together on new ways to leverage the new open flexibility of AppScan."

Samples of AppScan eXtensions immediately available for download today include:

  • QA Defect Logger - Export security defects into leading quality assurance issue-tracking systems including HP Quality Center and IBM® Rational® ClearQuest®;
  • Microsoft® Visual Studio® Team System Defect Export - Export issues from AppScan directly into Visual Studio Team System (created by Dan Cornell, Denim Group);
  • WordReporter - Generate customized and editable reports based on Microsoft Word templates;
  • Mail-E-Vent - Receive email notifications when certain AppScan events occur during the scan;
  • HTTPScout - Leverage NMAP to locate open HTTP or HTTPS ports on the scanned web server, adding them to the current scan configuration with a single click;
  • DirectoryList-To-EXD - Import a list of any files from the web server, including web pages, include files and others, into AppScan to improve coverage (created by Dennis Rand, Jyske Bank A/S);
  • QuickSearch Extension - Search issue types with a right click, covering online databases like Google, SecurityFocus and others (created by Oliver Ng, Deloitte & Touche LLP).

Watchfire Involves Web Application Security Community

Also today, Watchfire launched its AppScan eXtensions Framework community website (http://axf.watchfire.com) to facilitate this collaboration. The AppScan eXtensions Framework community is a new online destination where Watchfire users can exchange extensions developed to solve specific security testing challenges, and its open nature allows them to build upon each other's work. Watchfire's development team, customers and select partners have developed several new extensions, as well as functional extensions, to further extend AppScan's capability.

AppScan users, which comprise nearly one-third of the global market share for web application security scanning, are invited to submit their own extensions. All third-party extensions submitted to the site will be governed by the open-source Apache License, version 2.0.

Pyscan Automates Manual Testing

For further flexibility and automation, AppScan 7.5 offers Pyscan for real-time, targeted testing in the Python scripting language. Python scripts are a popular tool for penetration testers to complement automated tools with manual testing efforts. Pyscan now provides full integration of Python scripting within AppScan's configuration framework, combining those manual efforts with the benefits of automated security testing to reduce testing effort. Through Pyscan, the user can harness core web application scanning functions such as AppScan Advanced Session Management, reporting and the scanning engine to customize a scan to a specific audit. By merging AppScan and Python scripting, Watchfire customers gain a turbo effect: more manual testing tasks are automated, the accuracy of those tests improves, testing time is saved, and they gain capabilities previously not available through manual checks alone.

"AppScan 7.5 is an expert application security auditor's dream," said James Landis, Application Security Practice Manager at FishNet Security. "The exposure of the scanning engine to the Python scripting environment will speed up the many tedious tasks that in the past had to be done by hand or with inefficient third-party code. Watchfire's emphasis on organization of findings around the remediation effort will help companies transition from bug-finding and not knowing how to address the problems to successful reduction of business risk."

In addition to AppScan eXtensions, Watchfire's AXF community portal will also host Pyscan script functions. Samples of new scripted capabilities now available to AppScan users include:

  • HTTP Fuzzer - Send tests in loops to automate the fuzzing of ranges of parameters, cookies or other parts of an HTTP request;
  • Scriptable Rules - Prepare files or functions with predefined analysis procedures when necessary, such as looking for credit card numbers in e-commerce sites;
  • Find Suspicious Content - Look for patterns in discovered content or Embedded (Sticky) XSS.

"Python scripting is often used by penetration testers, and as a group we are always looking for non-restrictive ways to further adapt and extend our techniques. With its new Python scripting functionality in Pyscan, plus the AppScan eXtension Framework, AppScan now provides ways for us to automate some of our application security testing requirements and provides limitless possibilities for penetration testers. It is truly an enabling product for us," said Konstantinos Karagiannis, Senior Ethical Hacking Consultant, BT INS.

Additional AppScan 7.5 Enhancements:

Beyond the AppScan eXtensions Framework and Pyscan, which extend the flexibility and customizability of AppScan, AppScan 7.5 includes a number of enhancements that improve performance, accuracy, usability and reporting functionality. AppScan adds native Windows Vista support and a new welcome screen with immediate access to pre-defined scans to simplify basic processes.

Watchfire continues to provide complete vulnerability scanning for the latest Web 2.0 technologies, including enhanced AJAX support (complete with custom-tailored handling and testing of parameters of the JSON protocol and Web Services, the dominant protocols in AJAX) as well as advanced JavaScript and Flash support. The industry's most comprehensive compliance reporting solution, AppScan includes 40 out-of-the-box compliance reports, including the latest Payment Card Industry (PCI) compliance update and new NERC and Basel II support.

Additional functionality added in AppScan 7.5 includes:

  • Adaptive Test Process - Provides a significant performance boost by automatically understanding the environment and then filtering out irrelevant tests, delivering unmatched performance and accuracy;
  • Customizable Advisories and Fix Recommendations - Allows flexibility and annotation for organizations and security consultants;
  • Concurrent Scanning - Improves user productivity by allowing multiple scans, or remediation efforts on one scan while other scans are active;
  • Advanced Configuration Options - Empowers the user with greater flexibility and control of all possible configuration items;
  • Non-vulnerable Reporting - Allows users to capture, review or retest any passed tests that need further attention. In addition, a report-false-negative capability has been added to allow the reporting of suspected missed tests.

Pricing and Availability

Watchfire AppScan 7.5 is immediately available. Pricing for AppScan starts at $14,400.

For more information and to download an evaluation copy please visit: https://www.watchfire.com/securearea/appscan.aspx

The AppScan eXtensions community is also live with today's launch and can be accessed at http://axf.watchfire.com.

About Watchfire

Watchfire is the leading provider of web application security software and the only company to offer an end-to-end solution including intelligent fix recommendations to evaluate, understand and resolve issues. More than 800 enterprises and government agencies, including AXA Financial, SunTrust, HSBC, Vodafone, Veterans Affairs and Dell, rely on Watchfire to identify, report and help remediate security vulnerabilities. Watchfire has been the recipient of several industry honors, including: winning an unprecedented three out of five 2007 SC Magazine Excellence Awards (including Best Security Company); the HP/IAPP Privacy Innovation Award; Computerworld's Innovative Technology Award; winner of the Dr. Dobb's 2007 Jolt Product Excellence Awards; and a Recommended rating by Computer Reseller News. For two years in a row, Watchfire has been named by IDC as the worldwide market share leader in web application vulnerability assessment software. Watchfire's partners include IBM Global Services, Fortify, PricewaterhouseCoopers, Sapient, Microsoft, Interwoven, EMC Documentum and Mercury. Watchfire is headquartered in Waltham, MA. For more information, please visit www.watchfire.com.

Watchfire, WebXM, AppScan, PowerTools and the Flame Logo are trademarks or registered trademarks of Watchfire Corporation. All other products, company names, and logos are trademarks or registered trademarks of their respective owners.
