IBM today will release a new version of the Watchfire AppScan vulnerability scanning tool that can test for the pervasive cross-site request forgery (CSRF) vulnerability found in many Web applications. (See CSRF Vulnerability: A 'Sleeping Giant'.)
The Rational AppScan Standard Edition 7.7 represents the first new release of the Web app security scanning tool since IBM acquired Watchfire in July. (See IBM to Enter Web App Security.) It's been a big month for IBM in security -- the company rocked the industry last week with an announcement that it will invest a whopping $1.5 billion in security next year. (See IBM Launches $1.5B Security Initiative.)
The AppScan vulnerability scanner -- which finds and reports on Web application security vulnerabilities -- is now also aimed at non-security experts. "In the past, our audience has been only security experts, but we're seeing application security become a more mainstream issue," says Mike Weider, CTO and director of R&D for Watchfire, an IBM company. "The QA [quality assurance] engineer is not only doing functional testing, but also doing security testing as well."
AppScan comes with several built-in features aimed at making it easier to use for non-security pros, with more user-friendly reporting features, as well as built-in, Web-based app security training and courseware. The new State Inducer feature, for instance, helps testers automatically scan applications that have multi-step processes, such as an online ordering app with shopping cart and checkout features. Security pros previously have had to manually test each of these processes, according to IBM.
CSRF, meanwhile, is considered a sleeping giant of a flaw that could cause big problems for Websites. "Most tools can test for cross-site scripting, but sites that are vulnerable to CSRF, but not XSS, have been difficult to test," Weider says. "CSRF is just as pervasive as cross-site scripting, and it's only a matter of time before it gets more broadly exploited."
Weider predicts that as companies start closing their XSS and SQL injection holes, CSRF will become a more popular attack vector on Websites. And testing and fixing XSS holes doesn't necessarily fix CSRF, he says, although the two often go hand-in-hand.
But some security experts are skeptical about searching for CSRF bugs using tools alone. "I'm very excited to hear that IBM is taking CSRF seriously, but I remain cautiously realistic about AppScan's ability to automatically detect CSRF vulnerabilities," says Chris Shiflett, principal with OmniTI, which provides Web app security services to its clients. "It's difficult, if not impossible, to accurately detect CSRF vulnerabilities without human interpretation."
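The two points above (an XSS fix does not close a CSRF hole, and a scanner can only flag the absence of a defence, not prove a flaw) are easier to see in code. The following is an added illustration written for this article, not code from IBM, Watchfire or AppScan; the request model, session store, handler names and sample page are all constructed for the example. It shows a state-changing handler that escapes its output (so it has no XSS) yet accepts any cross-site POST carrying the victim's cookie, the same handler hardened with a session-bound synchronizer token, and a naive "form without a token" heuristic of the kind an automated tool might use, which also flags a harmless search form and so still needs a human to interpret it.

```python
"""Added example: CSRF is independent of XSS, and why automated CSRF
detection is only a heuristic. Not IBM/Watchfire/AppScan code; every name
here (Request, SESSIONS, change_email_*, forms_lacking_token) is constructed."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from html import escape
from html.parser import HTMLParser

@dataclass
class Request:
    """Minimal stand-in for an HTTP request as a web framework would present it."""
    method: str
    path: str
    cookies: dict
    form: dict = field(default_factory=dict)

# Constructed server-side session store: cookie value -> session data.
SESSIONS = {"sess-abc": {"user": "alice", "email": "alice@example.com"}}
SECRET = secrets.token_bytes(32)  # per-process key for binding tokens to sessions

def change_email_xss_fixed_only(req: Request):
    """'Before': output is escaped (no XSS), but the handler trusts the cookie alone.
    A browser attaches the cookie to a POST submitted from any origin, so a
    cross-site form submission changes the email without the user's intent."""
    session = SESSIONS.get(req.cookies.get("sid"))
    if session is None:
        return 401, "not logged in"
    if req.method != "POST":
        return 405, "method not allowed"
    session["email"] = req.form.get("email", "")
    return 200, f"email updated to {escape(session['email'])}"

def csrf_token(session_id: str) -> str:
    """Synchronizer token derived from the session id; another origin cannot read it."""
    return hmac.new(SECRET, session_id.encode(), hashlib.sha256).hexdigest()

def change_email_csrf_protected(req: Request):
    """'After': same handler, but the POST must carry the token for this session."""
    sid = req.cookies.get("sid")
    session = SESSIONS.get(sid)
    if session is None:
        return 401, "not logged in"
    if req.method != "POST":
        return 405, "method not allowed"
    supplied = req.form.get("csrf_token", "")
    if not hmac.compare_digest(csrf_token(sid), supplied):
        return 403, "csrf token missing or invalid"
    session["email"] = req.form.get("email", "")
    return 200, f"email updated to {escape(session['email'])}"

class _FormScan(HTMLParser):
    """Collects each <form> with its method, action and the names of its inputs."""
    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"method": (a.get("method") or "get").lower(),
                             "action": a.get("action") or "", "inputs": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current["inputs"].append((a.get("name") or "").lower())
    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None

def forms_lacking_token(html: str):
    """Naive scanner heuristic: POST forms with no input named like a CSRF token.
    It cannot tell a state-changing form from a harmless one, which is exactly
    why its output needs human review."""
    parser = _FormScan()
    parser.feed(html)
    return [f["action"] for f in parser.forms
            if f["method"] == "post"
            and not any("csrf" in n or "token" in n for n in f["inputs"])]

# Constructed sample page: one unprotected form, one protected, one harmless.
SAMPLE_PAGE = """
<form method="post" action="/change-email"><input name="email"></form>
<form method="post" action="/change-email-safe">
  <input type="hidden" name="csrf_token" value="..."><input name="email"></form>
<form method="post" action="/search"><input name="q"></form>
"""

if __name__ == "__main__":
    cross_site = Request("POST", "/change-email", {"sid": "sess-abc"},
                         {"email": "changed@example.test"})
    print(change_email_xss_fixed_only(cross_site))    # accepted: (200, ...)
    print(change_email_csrf_protected(cross_site))    # rejected: (403, ...)
    print(forms_lacking_token(SAMPLE_PAGE))           # ['/change-email', '/search']
```

The heuristic reports `/search` alongside `/change-email`; only a person who knows that a search form changes no state can discard that finding, which is the limitation Shiflett describes.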
Next for IBM's AppScan tool is scanning for vulnerabilities in "packaged applications" such as PeopleSoft and SAP, and even Z Series-based legacy applications being transformed with Web front-ends, Weider says. "There are all sorts of new technologies for us to support from a scanning" standpoint, he says.
"We're also seeing a lot of interest in integrating our solutions more tightly with other security solutions," he says. IBM Rational AppScan will be available on November 19, and pricing starts at $14,400.