By Jim Rapoza  |  Posted 2004-12-13 Print this article Print

Watchfire Corp. has clearly taken the safe but smart position for its first release of the AppScan products it gained from its acquisition of Sanctum Inc., making no major changes to the award-winning product for testing the security of Web applications.

Thats not to say there arent worthwhile new features in AppScan Audit 5.0, which gains improved scanning and attack simulation features that will help developers find potential security holes and mistakes in their Web applications.

Other new features in AppScan Audit 5.0 make it easier to interactively record actions to use in testing while browsing through Web applications and more detailed and varied reporting options.

eWEEK Labs believes that companies should consider upgrading to AppScan Audit 5.0, which shipped last month, mainly because of its improved attack simulation and testing capabilities.

As in most previous versions, AppScan Audit 5.0 runs only on Windows systems, although it can test Web applications running on any platform. Pricing for AppScan Audit 5.0 starts at $15,000 for a yearly subscription.

Users of the previous version of AppScan will feel right at home after launching Version 5.0, with no obvious differences in the interface other than the Watchfire logos. However, users of the three custom scan options will see several new features.

One of the more welcome new features made it possible to interactively fill out form information in our applications, then have AppScan Audit 5.0 map it to our test scripts and save the information for future tests. While this seems like a simple option, it proved to be a big timesaver, especially in larger Web applications.

As with previous versions, we would still welcome the ability to create and edit test scripts directly from a source code editor.

Once a scan of a Web application begins, AppScan Audit 5.0 can be much more aggressive than previous versions in simulating attacks and ferreting out potential security problems in the application. The tool can now learn from initial scans of an application and can find new links and portions of the application to test for security problems. It can also simulate attacks that require multiple steps, such as SQL injection, and can listen as a server for attacks that send information from the Web application.

However, while these new attack methods improve the products testing capabilities, they also mean that users will need to put in a significant amount of time upfront to tune the testing parameters. This tuning time is necessary in order to cut the number of false positives and eliminate unnecessary tests that search for problems that cant affect specific Web applications.

Click here to read eWEEK Labs review of three Web application testing suites. A new custom filtering feature did give us more power to limit false positives in application-specific security tests. Using this feature, we could define to AppScan what our application error pages looked like and could make sure that when AppScan encountered them, it would not list the result as a vulnerability.

The always-good reporting options in AppScan have seen some small but welcome improvements, including the ability to perform more detailed trend analysis testing over time and even test the same application on different hosts (which is useful for testing staging versus live servers).

AppScan Audit 5.0 includes canned reports to show if an application is conforming to a number of regulatory standards, including the Health Insurance Portability and Accountability Act and the Federal Information Security Management Act.

Labs Director Jim Rapoza can be reached at jim_rapoza@ziffdavis.com.

Check out eWEEK.coms for the latest news, reviews and analysis in programming environments and developer tools.

Jim Rapoza, Chief Technology Analyst, eWEEK.For nearly fifteen years, Jim Rapoza has evaluated products and technologies in almost every technology category for eWEEK. Mr RapozaÔÇÖs current technology focus is on all categories of emerging information technology though he continues to focus on core technology areas that include: content management systems, portal applications, Web publishing tools and security. Mr. Rapoza has coordinated several evaluations at enterprise organizations, including USA Today and The Prudential, to measure the capability of products and services under real-world conditions and against real-world criteria. Jim Rapoza's award-winning weekly column, Tech Directions, delves into all areas of technologies and the challenges of managing and deploying technology today.

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel