In-Depth

Scan for Security Issues While Building Apps

With the risks in today’s world, one company is taking the “fear” out of Web services with improved app scanning software that puts the developer in the driver’s seat.

• By Jason Turcotte
• 07/19/2006

The old adage, “there’s nothing to fear but fear itself” is seldom accurate in the IT industry. Obviously, Franklin D. Roosevelt never had to secure a Web site in his lifetime. With the risks in today’s world, one company is taking the “fear” out of Web services with improved app scanning software that puts the developer in the driver’s seat.

This week Waltham, Mass.-based Watchfire released new versions of its Web app vulnerability assessment software AppScan and AppScan Developer Edition (DE). Version 6.5 increases security with integrated Web services scanning, increased regulatory compliance reporting, new PCI Data Security Standards (for collecting Visa and MasterCard information), two new ISO reports, advanced testing functions and improved accuracy.

“It lets the developer scan for security of their apps as they’re building it,” said David Grant, VP of marketing, Watchfire. “They’re finding out it’s cheaper to do it earlier in the process rather than in QA time or production time.”

Grant says catching security flaws earlier in the dev lifecycle will save catastrophes later on. He cites last year’s CardSystems Solutions (a payment processor) security breach that swiped more than 200,000 credit card numbers and exposed 40 million others. The fiasco cost the company its reputation. But Grant says this type of incident could have been prevented if testing took place before or during production.

“Application security has only become mainstream a year or so ago,” says Grant. “We felt it was time to start testing Web services for vulnerabilities like we do for application vulnerability.”

This year, Grant says susceptibilities within Web services at public universities are more commonplace. Recent university breaches have included security attacks on alumni Web pages that collect funds and donations. And hackers are finding craftier ways to access information-sensitive databases.

“Well-publicized online security breaches and heightened concerns over regulatory compliance demonstrate the ongoing need for Web vulnerability scanning,” says Michael Weider, CTO for Watchfire. “Regular vulnerability scanning of Web applications is vital to catch issues earlier in the development lifecycle and to monitor to protect against new threats after application deployment.”

AppScan’s Web services scan operates through simulated app-to-app interactions, rather than user-to-app interactions. The function provides a Web Services Explorer that displays various methods, manipulates input data and reviews feedback from the feature. It provides expanded SOAP tests, broadening the scan’s coverage area. The latest version also supports JavaScript Execution, Parsing and Flash parsing during the testing cycle.

Other features include a new Token Analyzer that tests security for Web apps against session theft, detecting vulnerable usernames and passwords. Version 6.5 also offers enhanced reporting, equipped with real-time review of results, screenshots and increased scanning speed.

Watchfire clients include those in the financial and government service sectors. And as more companies deploy Web services, those who opt to integrate AppScan with AppScan Developer can help eliminate security woes early on by providing developers with more visibility and time-savings. AppScan DE integrates into dev environments MS Visual Studio 2005, WebSphere, JBuilder and Eclipse. AppScan and AppScan DE 6.5 are available now.

Gartner analysts say app security is becoming a crucial part of the dev lifecycle. The group estimates orgs that integrate security into their lifecycles will reap the benefits of an 80 percent drop in vulnerabilities in both their software and Web apps. And according to Utimaco Safeware, 2005 yielded more than 100 major data security breaches within U.S. businesses, victimizing an estimated 56 million people. Perhaps there is more to fear than fear itself.