Watchfire is adding new capabilities and automated wizards to its flagship vulnerability scanning software, AppScan in the first update to product since the company was acquired by IBM in June.
Mike Weider, chief technology officer of Watchfire called the update a signal of IBM's continued backing of the software and commitment to customers that development of new features and toolsets would continue.
"Our customers have been concerned that the products would cease to exist, so this is a reinforcement of the continued commitment we have in our products," Weider said. "We definitely want to integrate with the broader IBM portfolio and at the same time market our products as stand alone offerings."
The market for Web application vulnerability scanning tools was transformed in 2007 when IBM acquired Watchfire and HP acquired SPI Dynamics – the two biggest vendors in the market. Watchfire became a target for acquisition when it acquired the AppScan software along with other technologies from Sanctum in 2004. Since then a large team of developers have been adding features and broadening the target audience of the product, Weider said. Currently 60 developers are assigned to the development team and IBM plans to double that number in 2008 as the product is integrated into IBM's product lines.
Weider called the transition to IBM "manageable" and said there has been little turnover since Watchfire was acquired. IBM has said the Watchfire technology would extend IBM's governance and risk management strategy. Watchfire's operations is becoming part of IBM's Rational development platform, which provides tools for developers to model, design and build Web-based architectures for SOA, systems and applications.
"IBM is smart about this and understands that software acquisitions are more about the intellectual property so they take good care of their new personnel," Weider said. "There are a lot of projects, but thankfully [IBM has] had additional resources they're bringing in internally and externally to offset the increase in the amount of activity going on."
Web application vulnerability testing is becoming an integral part of the overall quality assurance process, said Diana Kelley, vice president and service director at Midvale, Utah-based Burton Group. The acquisition of Watchfire and SPI Dynamics could signal that vendors are thinking more about integrating security into their products, Kelley said recently in a report highlighting the application vulnerability scanning market.
"Web application vulnerability scanners can increase the efficiency and accuracy of the testing process, but they should not be relied on exclusively," Kelley said in her recent report, "Web Application Testing – Protecting the Front Lines."
"There are some problems, such as business logic errors, that the scanners can't find," she said.
AppScan Standard Edition 7.7 is the final update to the software in 2007 and provides automated wizards for less intensive scanning to appeal to less technically savvy IT pros, Weider said. It also adds new capabilities for more intensive scans, making it easier to detect flaws in Ajax-based applications. A new State Inducer feature supports Ajax and Flash programming and assesses multi-step processes within Web-based applications. In the past testers had to manually test multiple form boxes in the testing process, Weider said.
AppScan Standard Edition 7.7 is available on November 19 and sold starting at $14,400. Perpetual pricing is $24,000 plus $4,800 per year for maintenance.