Watchfire Introduces AppScan 7.0

Bridges gap between security professionals and developers with greater automation precision, control, and visibility to identify, communicate, and remediate Web security vulnerabilities

WALTHAM, MA, November 6, 2006 -- Watchfire today unveiled AppScan® 7.0, a major new product release.

Security teams are under pressure to keep up with the volume of applications they need to test. They often catch issues late in the software development cycle or not at all. This problem is compounded by the fact that development and QA professionals typically have little or no security expertise and do not fully understand how to fix the issues.

AppScan 7.0 was developed to solve these problems. It features more-advanced application-vulnerability scanning and increased testing process automation, in addition to a range of new features to help organizations understand and act upon the Web security vulnerabilities found. It provides unmatched visibility and control for security professionals and penetration testers, and introduces root cause identification and communication features to provide developers with logical instructions on how to not only find and fix issues, but also learn from the process.

AppScan 7.0 highlights include:

Enhanced Automation to Further Improve Productivity

  • Privilege Escalation Testing: AppScan 7.0 automates the manually intensive task of testing an application’s authorization model. The AppScan Privilege Escalation Testing exposes vulnerabilities that make protected resources available to unauthorized users. Before AppScan 7.0, this task could take days to conduct manually. Now it can take minutes. Internal Watchfire studies have shown an 88 percent reduction in effort when AppScan 7.0 is used to test an application’s authentication policy.

  • Two-Factor Authentication Support: AppScan supports the use of complex authentication procedures in Web applications. When AppScan detects that a complex authentication login is required, it will suspend the scan while maintaining the session state, and prompt the user to complete the authentication process. Without this capability, Web application scanners are kicked out of session, resulting in poor application coverage and increased false positives. Supported authentication methods include two-factor authentication, CAPTCHA, stepped authentication, one-time passwords, USB keys, smartcards, and mutual authentication.

New Ability to Action and Communicate Critical Vulnerabilities

  • Validation Highlighting and Reasoning: AppScan 7.0 combines test validation highlighting, reasoning, and difference to demonstrate and explain vulnerabilities. Other scanning solutions hide their testing and reasoning, making it difficult to identify each issue’s root cause. Watchfire has opened AppScan to highlight exactly what issue was detected in which Web site response, why it was detected and how it was detected -- providing immediate and unmatched transparency which enables the user to efficiently understand the root cause of each vulnerability, communicate it to developers, and initiate the remediation process.

  • Identifying the Root Cause of Vulnerabilities: AppScan provides actionable results for developers, with a remediation view that enabled developers to understand the root cause of the problem, not just the symptom. Now, AppScan 7.0 goes even further by providing more automation, control, and visibility for security professionals and penetration testers.

AppScan Reporting Console Facilitates Better Understanding, Management, and Control

Also announced today is Watchfire’s new AppScan Reporting Console, a powerful Web-based management and reporting dashboard that can be used to manage multiple desktop versions of AppScan as a cost-effective means to establish process and manage security across the enterprise.

As a complement to AppScan 7.0, the Reporting Console empowers users with a means to set and manage scan permissions across multiple AppScan desktops, and distribute Web-based vulnerability reports across the enterprise, arming users with metrics and explanations of where vulnerabilities are found and how to fix them. Users are able to consolidate application security scan results and create a central repository of the company’s Web application vulnerabilities in order to establish policy and process for managing remediation. This gives administrators more control over assignment of tasks, the ability to track remediation progress, and generate/distribute a wide variety of customized reports. Users can also leverage the Issue Management features in the Reporting Console to ensure they are tracking vulnerabilities from detection through to remediation.

“Identifying and fixing security issues piecemeal isn't enough. Today's attacks invariably exploit the same core vulnerabilities, because it's difficult for organizations to successfully integrate security capabilities within the software development lifecycle,” said Charles Kolodgy, research director, Security Products at IDC. “To solve this problem, security professionals need more power and control which can be available from sophisticated and automated scanning capabilities. Developers need direction on how to fix security defects in software applications, in tandem with logic behind why vulnerabilities exist. For strong risk mitigation associated with Web application security, organizations should invest in automated solutions that lend more visibility for both auditors and developers to identify, communicate, and remediate these critical issues.”

AppScan 7.0 continues Watchfire’s commitment to make the security professional more successful, with even more automated capabilities, granular control, more open visibility and enhanced user interface functionality for powerful and efficient use. The ability to generate actionable reports provides penetration testers and security professionals with a stronger offering to provide their clients, and by leveraging the new AppScan Reporting Console, security professionals and developers can further leverage new levels of enhanced communication and sharing of information across the organization that were previously only available with Watchfire’s enterprise product.

Watchfire continues to provide complete vulnerability scanning for modern and complex Web sites, with broad Web services scan coverage, extended AJAX support and ability to scan even the largest enterprise Web properties. The industry’s most comprehensive compliance reporting solution, AppScan includes more than 34 out-of-the-box compliance reports, including the latest Payment Card Industry (PCI) 1.1 compliance update.

Pricing and Availability

AppScan 7.0 will be generally available for download on November 20, 2006. Pricing for AppScan 7.0 starts at $14,400. To register to evaluate AppScan 7.0 when it’s available on November 20, please visit https://www.watchfire.com/securearea/appscan.aspx

About Watchfire

Watchfire provides Online Risk Management software and services to help ensure the security and compliance of Web sites. For more information, please visit http://www.watchfire.com.

Watchfire, WebXM, AppScan, PowerTools, the Bobby Logo and the Flame Logo are trademarks or registered trademarks of Watchfire Corporation. All other products, company names, and logos are trademarks or registered trademarks of their respective owners.