Watchfire Updates AppScan 6.5 Application Vulnerability Scanner

Release adds Web services scanning coverage, improved accuracy features, advanced automated capabilities for penetration testers, and PCI data security standards compliance

WALTHAM, MA -- July 17, 2006 -- Watchfire today released updated versions of AppScan® and AppScan® Developer Edition (DE). AppScan 6.5 offers expanded security auditing coverage with integrated Web services scanning, additional regulatory compliance reporting, including new PCI data security standards, and two new ISO reports. AppScan 6.5 also features improved accuracy capabilities to further reduce false positives and new advanced testing features to meet the unique needs of security auditors, consultants, and penetration testers.

The adoption of Web services to perform more critical online transactions has resulted in the urgent need to audit and assess these applications for security vulnerabilities. AppScan 6.5 delivers a Web services Explorer which lets users examine the different methods incorporated in the Web service, manipulate input data, and examine feedback from the service.

This new capability performs Web services application scans to simulate application-to-application interactions, as opposed to user-to-application interactions. This feature provides the widest range of advanced SOAP tests resulting in broad coverage of the scanned application. AppScan 6.5 also supports JavaScript Execution and Parsing and Flash parsing to help ensure all Web application technologies are tested.

Visa and MasterCard require retailers -- banks, merchants and member service providers -- to comply with the Payment Card Industry (PCI) data security standards to help ensure the security and privacy of their members' confidential information. Requirement number six of the PCI requirements states that organizations must develop and maintain secure systems and applications. Failure to comply may result in fines, restrictions, or permanent expulsion from card acceptance programs.

The majority of existing PCI efforts have focused on security at the network level, but many of the latest threats are on the Web application side (SQL injection attacks, cross-site scripting flaws etc.). In response, Visa and MasterCard recently announced they will release new security rules for all organizations that handle credit card data. A key part of the updated PCI requirements is aimed at protecting credit card data from emerging Web application security threats. Other new PCI updates will require companies to ensure that any third parties that they deal with have implemented proper controls for securing credit card data.

To help organizations identify security vulnerabilities that impact PCI compliance, AppScan 6.5 includes automated support for this mandatory data security standard. The addition of PCI and two new ISO standards -- 17799 and 27001 -- makes AppScan the industry's most comprehensive compliance reporting solution with more than 34 out-of-the-box compliance reports.

New Automated Capabilities for Penetration Testers

AppScan 6.5 includes a new set of advanced testing utilities that complement manual testing, offering pen testers more power, automation and efficiency.

The new Token Analyzer provides various tests for Web application session tokens to determine how secure the application is against session theft. Watchfire's new Authentication Tester is a brute-force-like testing utility that detects weak username-password combinations that could be used to gain access to a Web application. These new automated tools complement Watchfire's recent introduction of a tailored program which provides penetration testers and security consultants with customized licensing, technical, marketing, and sales resources.

Improved Reporting Features Further Reduces False Positives

AppScan 6.5 further reduces false positives by letting users select specific tests from which it will extract, zip, and encrypt non-proprietary information for e-mailing. This feature offers a quick and easy way to send Watchfire feedback directly about tests users believe are false positives. Additionally, this capability provides productivity benefits by enabling users to easily share test information for review to application developers or system managers.

Security throughout the SDLC

According to research from Gartner, application security is an essential element in the application development lifecycle. The research firm states that through 2008, application security will become an important evaluation criterion, weighted as high as system functionality. Organizations that integrate security into their software development life cycles will experience an 80 percent decrease in critical vulnerabilities found in their publicly released software or externally facing Web applications. (See Note 1)

Integrating AppScan and AppScan DE into the software development lifecycle will help organizations eliminate security vulnerabilities early, simplify the remediation process, establish better control and visibility, and save time by improving the productivity of the development, audit, and QA teams. AppScan provides integration with testing tools including Mercury Quality Center. AppScan DE seamlessly integrates into the development environment including MS Visual Studio 2005, WebSphere, JBuilder, and Eclipse to catch security issues in development.

AppScan 6.5 extends Watchfire's previous benchmark for Web application testing with improved capabilities that not only identify critical application weaknesses but also provide intelligent fix recommendations, improving the ease and speed by which users are able to understand, prioritize, and remediate critical Web application security issues. AppScan 6.5 also further builds on previous user productivity enhancements with improved reporting accuracy, real time view of scan results, screenshots included in reports and enhanced scanning speed.

For more technical features and details and to download AppScan 6.5 please visit:

About Watchfire

Watchfire provides Online Risk Management software and services to help ensure the security and compliance of Web sites. For more information, please visit

Watchfire, WebXM, AppScan, PowerTools, the Bobby Logo and the Flame Logo are trademarks or registered trademarks of Watchfire Corporation. All other products, company names, and logos are trademarks or registered trademarks of their respective owners.

- - -

Note 1: “Integrate Security Best Practices and Tools Into Software Development Life Cycle,” 10 February 2006; Amrit T. Williams and Neil MacDonald.

Must Read Articles