
Product review: Watchfire's AppScan 7.0

Product review of Watchfire's AppScan 7.0, an application security testing tool for developers, quality assurance teams and penetration testers. The security product runs on Windows XP, Vista or 2003 Server.

This article can also be found in the Premium Editorial Download: Information Security magazine: Nine tips to guarding your intellectual property


AppScan 7.0

Price: Starts at $14,400; Reporting Console (including AppScan 7.0) starts at $35,000



The failure to incorporate sound security practices into software development has left business-critical Web applications open to attack, but that's changing as corporations adopt secure coding requirements. To that end, Watchfire's AppScan 7.0 provides sound application security testing for developers, quality assurance teams and penetration testers.

Installation/Usage B+  
The wizard-driven installation took five minutes; AppScan runs on Windows XP, Vista or 2003 Server.

To initiate a scan, a wizard walks you through the required information: assessment type (Web application or Web service), starting URL, login parameters, test policy (default, app only, infrastructure, invasive) and scan options (full scan or explore/crawl). There are plenty of advanced settings and customization options, like two-factor recorded login and privilege escalation.

There are more than 75,000 individual security checks distributed across various policy files; advanced users can create custom tests in a few steps.

Advanced Features B  
AppScan has tried to create a one-stop solution for Web application and services assessment by incorporating multiple advanced techniques. Tools like HTTP Request Editor, Encode/Decode and Regex Tester come in handy for vulnerability assessment and other QA tests. You can add external tools by linking to the executable.

Above all, AppScan gives you a single interface to open all the tools and techniques required to test your Web apps. Users have lots of options, from customizing existing policies to recording two-factor login information. Unfortunately, the login information is not stored in an encrypted format.

Performance B  
The AppScan dashboard gives users multiple real-time views of the structure, results summary and details of vulnerabilities discovered. The number and severity levels of vulnerabilities are displayed in the bottom taskbar.

We ran the tool against two production Web applications, both of which handle sensitive data and use different application and infrastructure technologies. AppScan discovered common issues, and a few subtle flaws.

We weren't blown away by the scanning speed, but were impressed with the adaptive scanning technique: Once the tool determines that a particular technology, say IIS, is not used, it removes all the corresponding tests from the queue.

If you elect to report a false positive to Watchfire, AppScan generates an unencrypted email to the tech support team, so be sure to scrub any sensitive data from the files before sending the email.

Reporting A  
AppScan's reporting capabilities are as good as we've seen in any tool. Report categories include security, industry standard, regulatory compliance and delta analysis. Each of these categories has multiple templates and options to customize reports. Reports can be exported in numerous formats.

AppScan Reporting Console (sold separately) enables users to consolidate vulnerability data into one centralized location to better control who has access to sensitive data. Because it is Web-based, you can create dashboards for multiple users, such as QA and development.

Consultants and in-house app security testers will appreciate AppScan's accuracy and efficiency. The reporting options alone are enough to wow management.

Testing methodology: AppScan 7.0 was run multiple times using default and custom settings against two production Web applications based on .NET, PHP, Apache Tomcat, Oracle and others.

This was last published in May 2007
