IBM Adds CSRF Scanning to Watchfire Tool

AppScan Standard Edition 7.7 is designed for QA and IT pros as well as security experts, and tests for cross-site request forgery bugs

IBM today will release a new version of the Watchfire AppScan vulnerability scanning tool that can test for the pervasive cross-site request forgery (CSRF) vulnerability found in many Web applications. (See CSRF Vulnerability: A 'Sleeping Giant'.)

The Rational AppScan Standard Edition 7.7 is the first new release of the Web app security scanning tool since IBM acquired Watchfire in July. (See IBM to Enter Web App Security.) It's been a big month for IBM in security -- the company rocked the industry last week with an announcement that it will invest a whopping $1.5 billion in security next year. (See IBM Launches $1.5B Security Initiative.)

The AppScan vulnerability scanner -- which finds and reports on Web application security vulnerabilities -- is now aimed at non-security experts as well. "In the past, our audience has been only security experts, but we're seeing application security become a more mainstream issue," says Mike Weider, CTO and director of R&D for Watchfire, an IBM company. "The QA [quality assurance] engineer is not only doing functional testing, but also doing security testing as well."

AppScan comes with several built-in features aimed at making it easier to use for non-security pros, with more user-friendly reporting features, as well as built-in, Web-based app security training and courseware. The new State Inducer feature, for instance, helps testers automatically scan applications that have multi-step processes, such as an online ordering app with shopping cart and checkout features. Security pros previously have had to manually test each of these processes, according to IBM.

CSRF, meanwhile, is considered a sleeping giant of a flaw that could cause big problems for Websites. "Most tools can test for cross-site scripting, but sites that are vulnerable to CSRF, but not XSS, have been difficult to test," Weider says. "CSRF is just as pervasive as cross-site scripting, and it's only a matter of time before it gets more broadly exploited."

Weider predicts that as companies start closing their XSS and SQL injection holes, CSRF will become a more popular attack vector on Websites. And testing and fixing XSS holes doesn't necessarily fix CSRF, he says, although the two often go hand-in-hand.
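To make the point above concrete, here is an added example (not code from the article or from IBM/Watchfire) of a hypothetical funds-transfer handler that is XSS-safe because it escapes its output, yet still accepts any cookie-authenticated POST, shown beside the same handler hardened with a per-session synchronizer token. The in-memory session store, the handler names and the form fields are constructed for the example.

```python
import hmac
import html
import secrets

# Constructed in-memory session store: session id -> session data.
SESSIONS = {}


def new_session(user="alice"):
    """Log a user in and mint an unpredictable per-session CSRF token."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"user": user, "csrf_token": secrets.token_urlsafe(32)}
    return sid


def render_form(sid):
    """XSS-safe rendering: output is escaped and the session token is embedded."""
    tok = SESSIONS[sid]["csrf_token"]
    return ('<form method="post"><input type="hidden" name="csrf_token" '
            f'value="{html.escape(tok)}"></form>')


def csrf_ok(sid, form):
    """Synchronizer token check: reject a missing or mismatched token."""
    expected = SESSIONS.get(sid, {}).get("csrf_token")
    supplied = form.get("csrf_token", "")
    if expected is None:
        return False
    # Constant-time comparison on bytes so non-ASCII input cannot raise.
    return hmac.compare_digest(expected.encode(), supplied.encode())


def handle_transfer_unprotected(sid, form):
    """Escapes output (no XSS) but trusts the cookie alone, so a cross-site
    form post that rides on the victim's session cookie is accepted."""
    if sid not in SESSIONS:
        return 401, "not logged in"
    return 200, html.escape(f"transferred {form['amount']} to {form['to']}")


def handle_transfer_protected(sid, form):
    """Same handler with the CSRF token check added before the state change."""
    if sid not in SESSIONS:
        return 401, "not logged in"
    if not csrf_ok(sid, form):
        return 403, "csrf token missing or invalid"
    return 200, html.escape(f"transferred {form['amount']} to {form['to']}")
```

A scanner can flag that the first handler's form carries no unpredictable token, but deciding whether the request actually changes state is the part that still needs a human.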

But some security experts are skeptical about searching for CSRF bugs using tools alone. "I'm very excited to hear that IBM is taking CSRF seriously, but I remain cautiously realistic about AppScan's ability to automatically detect CSRF vulnerabilities," says Chris Shiflett, principal with OmniTI, which provides Web app security services to its clients. "It's difficult, if not impossible, to accurately detect CSRF vulnerabilities without human interpretation."

Next for IBM's AppScan tool is scanning for vulnerabilities in "packaged applications" such as PeopleSoft and SAP, and even Z Series-based legacy applications being transformed with Web front-ends, Weider says. "There are all sorts of new technologies for us to support from a scanning" standpoint, he says.

"We're also seeing a lot of interest in integrating our solutions more tightly with other security solutions," he says. IBM Rational AppScan will be available on November 19, and pricing starts at $14,400.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...