IBM Upgrades Watchfire Web App Scanning Tool

New IBM security scanning software protects businesses from hackers

Dark Reading Staff, Dark Reading

November 13, 2007

ARMONK, N.Y. -- IBM (NYSE: IBM) today introduced new software to help customers protect their business from today's most advanced and complex web application security attacks. The first release of IBM Rational AppScan, a market-leading web application security technology acquired by IBM from Watchfire in July 2007, is a key part of IBM's software portfolio that helps ensure high-quality applications are delivered to the marketplace.

Web applications are high-value targets for hackers, yet many organizations have a difficult time tackling security due, in part, to a lack of application security knowledge and to the size and complexity of today's websites that incorporate the latest Web 2.0 technology. Businesses need automated solutions capable of identifying and protecting applications from these weaknesses. IBM Rational AppScan identifies, validates and reports on application security vulnerabilities and, with this new version, introduces new features and reporting methods for security auditors while enabling a broader pool of IT roles to participate in and drive critical web application security testing.

Traditionally, testers, developers, and IT professionals have lacked the specific security knowledge needed to run scans effectively. New capabilities in IBM Rational AppScan, such as Scan Expert and State Inducer, broaden the availability of this critical function so that IT personnel, software developers and testers are capable of running successful scans, while also adding new features to assist security professionals.

  • Scan Expert packages the best practices of an expert such as automatically profiling an application and providing the best test configuration for a successful scan. This enables more successful scanning for users with little IBM Rational AppScan or web application security experience, while improving efficiency for more knowledgeable security experts.

  • Furthering its leadership in support of complex Web 2.0 technologies, which includes support for Ajax and Flash, the new State Inducer feature introduces accurate assessment of multi-step processes within applications. These include adding to a shopping cart and checking out, filling in multiple forms while applying for a loan, or booking an airline reservation. Until now, users would have to test each of these areas of the application manually. With State Inducer, IBM Rational AppScan can learn these sequences, ensuring they are accurately assessed for security issues, further automating and simplifying the testing process and saving time.

  • Cross-site request forgery (CSRF) is a malicious Web site exploit in which an attacker can forge a request to a site, gaining access to sensitive information. IBM Rational AppScan identifies areas in a Web site where businesses would be susceptible to cross-site request forgery.

IBM Rational AppScan now includes educational material to help users build more secure applications. The product adds recorded web-based training (WBT) advisories that incorporate the industry's first application security training directly into the solution. WBT is an ideal way to educate non-security professionals on application security fundamentals and product best practices. With the rapid emergence of new compliance legislation, IBM Rational AppScan helps organizations comply with dozens of industry standards and has been updated to include a leading 44 out-of-the-box compliance reports, including the Family Educational Rights and Privacy Act (FERPA) and the Payment Application Best Practices (PABP) suggested by the credit card industry.

"With IBM Rational AppScan, Standard Chartered Bank is educating its developers and IT staff on the importance of web application security incorporated throughout the development lifecycle," said John Meakin, group head of information security, Standard Chartered Bank. "IBM Rational AppScan lets us establish best practice in our coding and testing processes, thereby ensuring the security and compliance of our web applications. This is reducing costs, enhancing the security of our products, and improving our security testing productivity."
