Even with identity theft making front-page news, many IT executives fail to understand the risks inherent in conducting business online. And for those who do, addressing those risks can seem an arduous challenge given how complex Web sites and Internet apps have become.
With Watchfire WebXM 4.0, however, leaving Web channels out of your overall security strategy is a thing of the past. The solution has evolved from a strong Web quality and accessibility reporter into an all-inclusive application that analyzes sites for more than 245 compliance and security issues. More than just giving visibility into problems via executive dashboards, WebXM lets managers assign and track specific issues that affect an enterprise's Web presence.
WebXM 4.0 is built around a core Windows .Net application -- with which you schedule scans of your Web environments -- and the reporting engine. Using the hosted version of this solution, I first conducted an automated inventory of several large sections of a corporate site and five international Web sites in their entirety. Setting up scans is quick, with a wizard asking what types of data you want collected. Similarly, "Web spaces" can be effortlessly grouped and given permissions in any way you desire. For example, I placed international sites within logical geographical folders and set user permissions to allow each region's Web manager to view statistics pertaining only to his or her site.
The default Asset Management reports show the expected facts, such as the number of pages, technical details about domains and servers, and page age. Yet the unusual clarity of the reports helps you take action quickly. For example, displaying a Network Inventory revealed several servers with SSL certificates close to expiring -- and other sites that had weak, 40-bit certificates when they should have 128-bit encryption.
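As an added example (not Watchfire's code), here is the kind of check the Network Inventory report performs: it flags certificates within 30 days of expiry and negotiated ciphers below 128 bits over a constructed inventory of hypothetical hosts, and probe() fetches the same two facts from a live server with Python's standard ssl module.

```python
import socket
import ssl
from datetime import datetime, timezone

# ssl.getpeercert() renders dates like "Jun  1 12:00:00 2026 GMT"
CERT_DATE_FMT = "%b %d %H:%M:%S %Y %Z"
MIN_CIPHER_BITS = 128  # the review's bar; 40-bit export ciphers fall short


def parse_not_after(not_after: str) -> datetime:
    """Turn an OpenSSL-style notAfter string into an aware UTC datetime."""
    return datetime.strptime(not_after, CERT_DATE_FMT).replace(tzinfo=timezone.utc)


def assess(host, not_after, cipher_bits, now, warn_days=30):
    """Findings for one endpoint; an empty list means nothing to fix."""
    findings = []
    days_left = (parse_not_after(not_after) - now).days
    if days_left < 0:
        findings.append(f"{host}: certificate expired {-days_left} days ago")
    elif days_left <= warn_days:
        findings.append(f"{host}: certificate expires in {days_left} days")
    if cipher_bits < MIN_CIPHER_BITS:
        findings.append(f"{host}: weak {cipher_bits}-bit cipher (want >= {MIN_CIPHER_BITS})")
    return findings


def probe(host, port=443, timeout=5.0):
    """Live lookup of notAfter and negotiated cipher strength for a real server."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"], tls.cipher()[2]


def scan_inventory(inventory, now):
    """Run assess() over (host, notAfter, bits) records; keep hosts with findings."""
    report = {}
    for host, not_after, bits in inventory:
        found = assess(host, not_after, bits, now)
        if found:
            report[host] = found
    return report


# Constructed sample inventory (hypothetical hosts), as a scan might report it.
INVENTORY = [
    ("shop.example", "Jun  1 12:00:00 2005 GMT", 128),   # expiring soon
    ("legacy.example", "Dec 31 23:59:59 2005 GMT", 40),  # weak cipher
    ("www.example", "Jan 15 00:00:00 2007 GMT", 256),    # clean
]
```

Call scan_inventory(INVENTORY, datetime.now(timezone.utc)) for the offline sample, or feed it records built from probe() for real hosts.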
Digging deeper into the page reports, I had no trouble spotting duplicate pages, nor did I have difficulty finding pages with obsolete information. WebXM's user interface makes it easy to drill down from the overview report to specific pages so that remedial action can be taken to rectify any problems that come up.
To look for more serious issues, I turned to several of the seven optional modules: Security, Privacy, Compliance, Quality, Accessibility, Corporate Standards, and Brand Monitoring. Giving you insight into broken links and slow pages, the Quality module helps you keep visitors returning to your site. Perhaps more important, the Accessibility module performs more than 170 accessibility checks to help you meet the US Section 508 guidelines and the UK's Disability Discrimination Act, though there are no details yet about support for Australian legislation.
WebXM 4.0 hits its stride helping organizations meet privacy and security regulations. The Compliance module, for example, points out Web forms that don't have proper opt-out language. Other reports inventory third-party links that lack proper disclosures, improper privacy practices, and pages that don't meet specific legislation. This information is essential for e-business, marketing, legal, and other executives accountable for compliance.
There's no overstating the importance of Web application security. Yet the cost of manual and outsourced security testing can be prohibitive -- and still miss risks. For those reasons, I was most impressed with WebXM's Security module. First, reports highlighted potential security glitches that would have to be fixed to meet, for example, Sarbanes-Oxley legislation. The system provides detailed information for each issue it finds, describes your risk exposure, and offers steps to fix it. That sort of help extends to basic weaknesses such as cross-site scripting and SQL injection. I also liked the depth of help available, such as links to online resources about particular problems.
The Corporate Standards and Brand Monitoring modules were unavailable for testing, but they appear useful. For example, corporate identity managers should be able to determine whether intranet sites have copyright statements and proper link naming. Plus, brand managers can detect trademark and brand infringement across the Internet. Finding such incidents of cybersquatting and other types of false affiliation would otherwise be difficult.
Watchfire also planned to introduce in August its Intranets Standards module, which identifies sensitive and insecure content inside the firewall -- such as health, HR, and financial data -- to help organizations meet additional compliance regulations. The company will also deliver a Banking Compliance module that maps the system's general content analysis to specific federal consumer protection requirements.
Managers can then track the status of issues detected by any of WebXM's modules, marking them as open, in progress, or fixed. Although WebXM's integration with third-party defect-tracking systems is elementary, Watchfire representatives say the company is working to strengthen it.
I'd also like more extensive report export functions. You can convert dashboard results to an Excel file -- and save individual report data as an XML file. But the latter function means writing the transformation code to view the data; Watchfire professional services will perform this step, but that shouldn't be necessary.
Finally, I have some concern about performance. The setup Watchfire provided scanned slowly, requiring 45 minutes to evaluate a 2000-page site. (The company indicated that it's possible to have scan and report agents run on additional application servers to improve speed.)
On balance, however, Watchfire WebXM 4.0 delivers very good value. Deep Web content scanning and analysis gives content owners new insight into their Web properties and how they can be improved to meet specific compliance requirements. The Security module is especially notable, exposing failings in server configuration and coding that, left unchecked, could permit phishing attacks, ID theft, and site defacements.
Watchfire WebXM 4.0
Cost: Starts at $US3500 per month for hosted service or $US35,000 for software licence
Platforms: Installed application runs on Microsoft Windows Server
Bottom line: WebXM scans large Web sites and generates interactive Web-based reports that detail a range of online risk and compliance issues. Enterprises can select from various modules, including Security, Compliance, and Quality. New security component pinpoints weaknesses that could result in identity theft and related losses. Integrated issue management helps prioritize and track critical changes.