Watchfire is upgrading its AppScan software to help customers reduce the amount of time it takes to certify Web application security.
The automated privilege-escalation test in AppScan 7.0 can find flaws that let a user legitimately logged in to a site trick the application into granting greater privileges. So a customer at an e-commerce site logged in to buy something might be able to gain administrative rights and access account information, for example. The new test can reduce the time it takes to run such tests from two to three days if performed manually to two to three hours, the company says.
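The kind of check described above, that a lower-privileged session cannot reach functionality the application only exposes to higher-privileged users, can be expressed as a regression test. The following is an added illustration, not AppScan's or Watchfire's code: it crawls a constructed in-memory application once as an administrator and once as a customer, replays every administrator-only route with the customer's session, and reports any route where the customer receives the same successful response. The application, its routes, and the deliberately unchecked `/admin/export` handler are all invented for the example.

```python
"""Automated vertical privilege-escalation check over a toy web application.

Added example; the application and its defect are constructed, not a real product.
"""
from dataclasses import dataclass


@dataclass
class Session:
    user: str
    role: str  # "admin" or "customer"


@dataclass
class Response:
    status: int
    body: str


# --- constructed application -------------------------------------------------

def _home(session):
    # Navigation differs by role: customers are never shown the admin links.
    links = ["/orders"]
    if session.role == "admin":
        links += ["/admin/users", "/admin/export"]
    return Response(200, "links: " + " ".join(links))


def _orders(session):
    return Response(200, f"orders for {session.user}")


def _admin_users(session):
    # Correct handler: the role is checked server-side, not only in navigation.
    if session.role != "admin":
        return Response(403, "forbidden")
    return Response(200, "all users: alice, bob")


def _admin_export(session):
    # Deliberate defect for the example: relies on the link being hidden and
    # performs no role check at all.
    return Response(200, "export of every account")


ROUTES = {
    "/": _home,
    "/orders": _orders,
    "/admin/users": _admin_users,
    "/admin/export": _admin_export,
}


def request(path, session):
    handler = ROUTES.get(path)
    if handler is None:
        return Response(404, "not found")
    return handler(session)


# --- test harness --------------------------------------------------------------

def extract_links(body):
    """Minimal link extraction for the toy 'links: /a /b' page format."""
    if not body.startswith("links:"):
        return []
    return body.split()[1:]


def crawl(session, start="/"):
    """Breadth-first walk of every page the session is shown links to."""
    seen, queue = set(), [start]
    while queue:
        path = queue.pop(0)
        if path in seen:
            continue
        seen.add(path)
        resp = request(path, session)
        if resp.status != 200:
            continue
        queue.extend(link for link in extract_links(resp.body) if link not in seen)
    return sorted(seen)


def privilege_escalation_test(high, low):
    """Replay every route reachable by the high-privilege session with the
    low-privilege session. A route the low session was never shown, but which
    answers it with the same successful response, is an authorization finding.
    Comparing bodies (not just status codes) avoids false negatives where the
    application returns 200 with an error page."""
    low_baseline = set(crawl(low))
    findings = []
    for path in crawl(high):
        if path in low_baseline:
            continue  # shared functionality, not an escalation
        high_resp = request(path, high)
        low_resp = request(path, low)
        if low_resp.status == 200 and low_resp.body == high_resp.body:
            findings.append(path)
    return findings


if __name__ == "__main__":
    admin = Session("alice", "admin")
    customer = Session("bob", "customer")
    for path in privilege_escalation_test(admin, customer):
        print(f"missing authorization check: {path}")
```

Against a real application the two `crawl` calls would be replaced by the scanner's crawler driven with each set of credentials, and the comparison would normally be fuzzier (ignoring timestamps, session tokens and similar noise in the bodies); the structure of the check, crawl high, replay low, diff, is the same.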
AppScan is Watchfire's platform for probing Web site security to gauge how effective it is against attacks from external and internal users. The software is also used by developers to discover weaknesses in new applications.
The AppScan 7.0 release also supports two-factor authentication, making it simpler to run tests against applications that require this type of secure login. Previously, testers had to create special single-factor login exceptions for the testing software to access applications, Watchfire says.
AppScan 7.0 adds reporting that tells testers what problems have been found and what their cause is, making it easier for application developers to fix them. Previously, the software identified vulnerabilities without presenting the cause of them. The company says this is needed by developers to explain why applications require fixing.
Watchfire is also introducing AppScan Reporting Console, which gathers test results from AppScan clients on desktops to create a networkwide picture of vulnerabilities. Before, results had to be gathered desktop by desktop in PDF files and sent to developers for analysis.
The software also tracks the status of detected vulnerabilities and whether those vulnerabilities that are believed fixed have been retested. It keeps track of each flaw and the person assigned to deal with it.
The console enables setting centralized test policies that restrict who is allowed to use the testing software and which applications AppScan can be used on. The software essentially tries to hack Web applications, so it is important to keep its use under control, the company says.
Watchfire has also set up computer-based training for AppScan, making it easier and less costly for customers to train staff to use the vulnerability testing tools. Watchfire says analysts using AppScan catch 20 percent to 30 percent more vulnerabilities if they have been trained.
AppScan 3.0 is available now as a free upgrade for current customers with service contracts. For new customers the software starts at US$14,400. The Reporting Console is also available now and starts at US$35,000.