APPLICATION SECURITY
AppScan 7.0
REVIEWED BY PHORAM MEHTA
Watchfire
Price: Starts at $14,400; Reporting Console (including AppScan 7.0) starts at $35,000
The failure to incorporate sound security practices into software development has left business-critical Web applications open to attack, but that's changing as corporations adopt secure coding requirements. To that end, Watchfire's AppScan 7.0 provides sound application security testing for developers, quality assurance teams and penetration testers.
Installation/Usage: B+
The wizard-driven installation took five minutes; AppScan runs on Windows XP, Vista or 2003 Server.
To initiate a scan, a wizard collects the required information: assessment type (Web application or Web service), starting URL, login parameters, test policy (default, application-only, infrastructure or invasive) and scan options (full scan, or explore/crawl only). There are plenty of advanced settings and customization options, such as recorded two-factor login sequences and privilege-escalation testing.
There are more than 75,000 individual security checks distributed across various policy files; advanced users can create custom tests in a few steps.
Advanced Features: B
Watchfire has tried to make AppScan a one-stop solution for Web application and Web services assessment by incorporating multiple advanced techniques. Tools like the HTTP Request Editor, Encode/Decode and Regex Tester come in handy for vulnerability assessment and other QA tests, and you can add external tools by linking to their executables.
Above all, AppScan gives you a single interface from which to open all the tools and techniques required to test your Web apps. Users have lots of options, from customizing existing policies to recording two-factor login information. Unfortunately, recorded login information is not stored in an encrypted format, so treat any scan file that contains a recorded login as credential material: restrict who can read it, and don't hand it to people who only need the report.
Performance: B
The AppScan dashboard gives users multiple real-time views of the structure, results summary and details of vulnerabilities discovered. The number and severity levels of vulnerabilities are displayed in the bottom taskbar.
We ran the tool against two production Web applications, both of which handle sensitive data and use different application and infrastructure technologies. AppScan discovered common issues, and a few subtle flaws.
We weren't blown away with the scanning speed, but were impressed with the adaptive scanning technique: Once the tool determines that a particular technology, say IIS, is not used, it removes all the corresponding tests from the queue.
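The mechanism described above, fingerprint the target and then drop queued checks for technologies it demonstrably does not run, is simple to illustrate. The following is an added example written for this review, not Watchfire's code: the header signatures, role groups and check names are the editor's own constructed choices, and the sample responses are constructed rather than captured from a real host. The one design point worth copying is that a technology is judged "not used" only when a competing technology in the same role has been positively identified; a missing or stripped Server header excludes nothing.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Header signatures per technology (constructed for this example; a real
# scanner ships far more and also looks at bodies, error pages and
# file-extension behaviour). Each regex runs over the raw header block.
SIGNATURES = {
    "iis":    [r"^Server:\s*Microsoft-IIS"],
    "apache": [r"^Server:\s*Apache(?!-Coyote)"],
    "nginx":  [r"^Server:\s*nginx"],
    "aspnet": [r"^X-Powered-By:\s*ASP\.NET", r"^X-AspNet-Version:",
               r"^Set-Cookie:\s*ASP\.NET_SessionId="],
    "php":    [r"^X-Powered-By:\s*PHP/", r"^Set-Cookie:\s*PHPSESSID="],
    "java":   [r"^Server:\s*Apache-Coyote", r"^Set-Cookie:\s*JSESSIONID="],
}
COMPILED = {tech: [re.compile(p, re.I | re.M) for p in pats]
            for tech, pats in SIGNATURES.items()}

# Technologies that fill the same role on one host. Positive identification
# of one member is the evidence that lets us drop checks for the others.
ROLE_GROUPS = [
    {"iis", "apache", "nginx"},   # web server
    {"aspnet", "php", "java"},    # application platform
]


@dataclass(frozen=True)
class ScanCheck:
    name: str
    technology: Optional[str]     # None = generic check, never pruned


def fingerprint(responses):
    """Return the set of technologies positively identified in any response."""
    found = set()
    for raw in responses:
        headers = raw.split("\r\n\r\n", 1)[0]        # ignore the body
        for tech, patterns in COMPILED.items():
            if any(p.search(headers) for p in patterns):
                found.add(tech)
    return found


def excluded_technologies(found):
    """Technologies judged 'not used': those sharing a role with something that
    *was* identified. Absence of evidence alone excludes nothing."""
    excluded = set()
    for group in ROLE_GROUPS:
        present = group & found
        if present:
            excluded |= group - present
    return excluded


def prune_queue(checks, found):
    """Drop checks whose target technology has been ruled out; keep generic ones."""
    excluded = excluded_technologies(found)
    return [c for c in checks if c.technology not in excluded]


# Constructed sample traffic, not captured from a real host.
SAMPLE_RESPONSES = [
    "HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/6.0\r\nX-Powered-By: ASP.NET\r\n"
    "Set-Cookie: ASP.NET_SessionId=abc123; path=/\r\nContent-Type: text/html\r\n"
    "\r\n<html></html>",
    "HTTP/1.1 404 Not Found\r\nServer: Microsoft-IIS/6.0\r\n"
    "Content-Type: text/html\r\n\r\n",
]

# Constructed check queue; names are illustrative categories, not AppScan's.
SAMPLE_QUEUE = [
    ScanCheck("sql-injection-in-parameters", None),
    ScanCheck("iis-webdav-methods-enabled", "iis"),
    ScanCheck("apache-server-status-exposed", "apache"),
    ScanCheck("php-info-page-exposed", "php"),
    ScanCheck("aspnet-trace-axd-exposed", "aspnet"),
    ScanCheck("java-jsessionid-in-url", "java"),
]

if __name__ == "__main__":
    found = fingerprint(SAMPLE_RESPONSES)
    print("identified:", sorted(found))
    for check in prune_queue(SAMPLE_QUEUE, found):
        print("keep:", check.name)
```

Against the sample traffic the fingerprint is IIS plus ASP.NET, so the Apache, nginx, PHP and Java checks are dropped and three of the six remain. The web-server role is the weaker of the two groups: a reverse proxy or load balancer rewrites the Server header, so a scanner that prunes on it alone trades scan time for a risk of false negatives on the origin server. That is the trade-off to keep in mind when a vendor advertises adaptive scanning.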
If you elect to report a false positive to Watchfire, AppScan sends the details to the technical support team in an unencrypted email, so be sure to scrub any sensitive data from the files before sending it.
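Scrubbing means more than deleting the obvious password: a false-positive report typically carries the raw request and response, and the session cookie, Authorization header and any token in the query string are just as usable by whoever reads the mail in transit. The following is an added example written for this review, not an AppScan feature: it masks the values of credential-bearing headers and of form or query parameters whose names look secret, while leaving the message structure intact so support can still reproduce the finding. The header list and parameter-name pattern are the editor's own choices, and the sample request and response are constructed.

```python
import re

# Headers whose values are credentials or session material (editor's list).
SENSITIVE_HEADERS = {"authorization", "proxy-authorization", "cookie",
                     "set-cookie", "x-api-key"}
# Parameter names treated as secrets wherever they appear (editor's pattern).
SENSITIVE_PARAM_RE = re.compile(r"(pass|pwd|secret|token|session|api[_-]?key|ssn|card)", re.I)
MASK = "[REDACTED]"


def scrub_headers(header_block):
    """Keep header names, blank out the values of sensitive ones."""
    out = []
    for line in header_block.split("\r\n"):
        name, sep, _value = line.partition(":")
        if sep and name.strip().lower() in SENSITIVE_HEADERS:
            out.append(f"{name}: {MASK}")
        else:
            out.append(line)
    return "\r\n".join(out)


def scrub_params(encoded):
    """Redact values of sensitive keys in a query string or urlencoded body."""
    parts = []
    for pair in encoded.split("&"):
        key, sep, _value = pair.partition("=")
        if sep and SENSITIVE_PARAM_RE.search(key):
            parts.append(f"{key}={MASK}")
        else:
            parts.append(pair)
    return "&".join(parts)


def scrub_http_message(raw):
    """Scrub one raw HTTP request or response (CRLF line endings)."""
    head, sep, body = raw.partition("\r\n\r\n")
    first, *rest = head.split("\r\n", 1)
    headers = rest[0] if rest else ""
    # Request line: METHOD SP target SP version. Status lines start with HTTP/.
    parts = first.split(" ")
    if len(parts) == 3 and not parts[0].startswith("HTTP/"):
        path, qsep, query = parts[1].partition("?")
        if qsep:
            parts[1] = path + "?" + scrub_params(query)
        first = " ".join(parts)
    if headers:
        headers = scrub_headers(headers)
    # Only form-encoded bodies are parsed as key=value pairs.
    if re.search(r"^Content-Type:\s*application/x-www-form-urlencoded",
                 head, re.I | re.M):
        body = scrub_params(body)
    return first + ("\r\n" + headers if headers else "") + sep + body


# Constructed traces, not taken from a real scan.
SAMPLE_REQUEST = (
    "POST /account/login?returnUrl=%2Fhome&token=xyz HTTP/1.1\r\n"
    "Host: app.example.test\r\n"
    "Cookie: ASP.NET_SessionId=k3j4h5g6; prefs=dark\r\n"
    "Authorization: Basic YWxpY2U6czNjcjN0\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 41\r\n"
    "\r\n"
    "username=alice&password=s3cr3t&remember=1"
)
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: ASP.NET_SessionId=n9m8b7v6; path=/; HttpOnly\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body>Welcome</body></html>"
)

if __name__ == "__main__":
    print(scrub_http_message(SAMPLE_REQUEST))
    print(scrub_http_message(SAMPLE_RESPONSE))
```

The scrubbed request still shows the method, path, parameter names and content type, which is what support needs to reproduce a false positive; the Content-Length header is left as recorded and will no longer match the masked body, which is harmless for human triage but worth knowing if the trace is replayed. Run every file in the report through a routine like this, not just the one you noticed the password in.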
Reporting: A
AppScan's reporting capabilities are as good as we've seen in any tool. Report categories include security, industry standard, regulatory compliance and delta analysis. Each of these categories has multiple templates and options to customize reports. Reports can be exported in numerous formats.
AppScan Reporting Console (sold separately) lets users consolidate vulnerability data in one central location to better control who has access to sensitive findings. Because it is Web-based, you can create separate dashboards for different user groups, such as QA and development.
Verdict
Consultants and in-house app security testers will appreciate AppScan's accuracy and efficiency. The reporting options alone are enough to wow management.
Testing methodology: AppScan 7.0 was run multiple times using default and custom settings against two production Web applications based on .NET, PHP, Apache Tomcat, Oracle and others.