This article can also be found in the Premium Editorial Download "Information Security magazine: Nine tips to guarding your intellectual property."
REVIEWED BY PHORAM MEHTA
Price: Starts at $14,400; Reporting Console (including AppScan 7.0) starts at $35,000
The failure to incorporate sound security practices into software development has left business-critical Web applications open to attack, but that's changing as corporations adopt secure coding requirements. To that end, Watchfire's AppScan 7.0 provides sound application security testing for developers, quality assurance teams and penetration testers.
To initiate a scan, a wizard walks you through the required information: assessment type (Web application or Web service), starting URL, login parameters, test policy (default, app only, infrastructure, invasive) and scan options (full scan or explore/crawl). There are plenty of advanced settings and customization options, such as two-factor recorded login and privilege escalation.
There are more than 75,000 individual security checks distributed across various policy files; advanced users can create custom tests in a few steps.
Above all, AppScan gives you a single interface to open all the tools and techniques required to test your Web apps. Users have lots of options, from customizing existing policies to recording two-factor login information. Unfortunately, the login information is not stored in an encrypted format.
We ran the tool against two production Web applications, both of which handle sensitive data and use different application and infrastructure technologies. AppScan discovered common issues, and a few subtle flaws.
We weren't blown away with the scanning speed, but were impressed with the adaptive scanning technique: Once the tool determines that a particular technology, say IIS, is not used, it removes all the corresponding tests from the queue.
If you elect to report a false positive to Watchfire, AppScan generates an unencrypted email to the tech support team, so be sure to scrub any sensitive data from the files before sending the email.
AppScan Reporting Console (sold separately) enables users to consolidate vulnerability data in one centralized location to better control who has access to sensitive data. Because it is Web-based, you can create dashboards for multiple user groups, such as QA and development.
Testing methodology: AppScan 7.0 was run multiple times using default and custom settings against two production Web applications based on .NET, PHP, Apache Tomcat, Oracle and others.
This was first published in May 2007