Sanctum Puts Web Apps to Tougher Tests

By Jim Rapoza  |  Posted 2003-10-27

AppScan upgrade ably tests code and tracks changes, but it runs only on Windows.

While Sanctum Inc.'s AppScan has been an excellent aid for Web application developers looking for security holes in their projects, much of its focus has been on helping developers as they build applications. With AppScan 4.0 QA Edition, Sanctum adds key tools for testers and for those whose job it is to track changes in, and secure, ongoing Web application projects.

eWEEK Labs tests showed AppScan 4.0 QA Edition, which shipped last month, to be a worthwhile investment for any company that builds and—especially—modifies complex Web applications.

We were also impressed with the speed at which AppScan 4.0 scanned fairly large Web applications. In one case, running on a modest Pentium III system with Windows XP, it scanned a large portal application in less than 10 minutes.

AppScan 4.0 QA Edition is priced competitively for a product of this type, at $15,000 for a yearly subscription, which covers the applications that need to be scanned. The product runs on Windows 2000 and Windows XP.

As it has done since it first came out, AppScan works by crawling through an entire Web application and then attempting a number of common attacks against the pages and parameters it discovered. Version 4.0 gains the ability to scan for problems in XML-based Web services.

AppScan 4.0 QA Edition

Sanctum's updated AppScan is a good tool for discovering and avoiding common and possibly disastrous security flaws in applications. AppScan quickly and effectively scans large applications and generates reports that are easy to understand and that track changes over time. AppScan 4.0 is priced at $15,000, and more information is available at

  • PRO: Can compare and test changes in applications; interactive and comprehensive report options; excellent scanning speed.

  • CON: Testers can't write custom test scripts; runs only on Windows systems.

  • Competing products: Kavado Inc.'s ScanDo3 and SPI Dynamics Inc.'s WebInspect.

Once AppScan completes a scan of a Web application, it generates a report that's easy to read and share; the report details the problems found and offers suggested fixes and workarounds.

One of the most important new features in AppScan 4.0 QA Edition is the ability to generate a delta analysis report by comparing two scan sessions. Using this feature, we could clearly see the effects that changes in an application had on its security, with all deltas and new problems shown in the report.

Another new feature is the inclusion of high-level results analysis sections in the reports generated by AppScan. We found this to be especially useful when running an initial scan on a large application, as this can often generate large and potentially confusing reports.

With the results analysis, we were able to get a high-level understanding of the depth of security problems in test applications. We also liked the new interactive results window, which let us dig through our application and view all the related links and information based on the AppScan tests.

When creating a test for a Web application, AppScan 4.0 provides several options. We could choose to do a simple vulnerability scan, use AppScan's default and fairly exhaustive automatic scan, or perform various recorded or interactive crawls through a site to test specific functionality. Although these options will probably be enough for most Web developers, we would like additional choices, such as the ability to write tests entirely in script.

Other new features in AppScan 4.0 QA Edition are a command-line interface and an API, both of which make it possible to integrate AppScan with larger quality assurance and testing infrastructures.
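The delta analysis described above, and the kind of command-line or API integration the previous paragraph refers to, as an added example that is not Sanctum's code and does not use AppScan's actual export format or API: two scan sessions are compared by finding identity (page, parameter, issue class), the report summarizes what is new, fixed and unchanged, and a build gate fails only on newly introduced findings at or above a chosen severity. The finding records, field names and the two sample sessions are all constructed for the example.

```python
"""Delta analysis between two scan sessions, plus a CI gate on new findings.

Added example, not the scanner's own code. The record fields and the
dict-based "export" below are assumptions; a real integration would load
them from whatever report the scanner's CLI or API produces.
"""
from dataclasses import dataclass

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class Finding:
    url: str        # page the scanner attacked
    parameter: str  # request parameter the attack went through
    issue: str      # issue class, e.g. "reflected-xss"
    severity: str   # "low", "medium" or "high"

    @property
    def key(self):
        # Identity of a finding across sessions: where it is and what it is.
        # Severity is excluded on purpose, so a re-rated issue shows up as
        # "unchanged" rather than as one fixed finding plus one new one.
        return (self.url, self.parameter, self.issue)


def load_findings(records):
    """Build Finding objects from plain dicts (e.g. parsed from a JSON export)."""
    return [Finding(r["url"], r["parameter"], r["issue"], r["severity"]) for r in records]


def delta(baseline, current):
    """Compare two sessions; return (new, fixed, unchanged) as sorted lists."""
    base = {f.key: f for f in baseline}
    cur = {f.key: f for f in current}
    by_key = lambda f: f.key
    new = sorted((cur[k] for k in cur.keys() - base.keys()), key=by_key)
    fixed = sorted((base[k] for k in base.keys() - cur.keys()), key=by_key)
    # Unchanged findings are taken from the current session so their
    # severity reflects the latest rating.
    unchanged = sorted((cur[k] for k in cur.keys() & base.keys()), key=by_key)
    return new, fixed, unchanged


def should_fail_build(new_findings, threshold="high"):
    """CI gate: fail only on newly introduced findings at or above threshold.

    Pre-existing issues are reported but do not block, so the gate can be
    switched on for a legacy application without an all-or-nothing cleanup.
    """
    floor = SEVERITY_RANK[threshold]
    return any(SEVERITY_RANK[f.severity] >= floor for f in new_findings)


def delta_report(new, fixed, unchanged):
    """Render the delta as the high-level summary a tester reads first."""
    lines = [f"new: {len(new)}  fixed: {len(fixed)}  unchanged: {len(unchanged)}"]
    for label, group in (("NEW", new), ("FIXED", fixed)):
        for f in group:
            lines.append(f"{label:5} {f.severity:6} {f.issue} at {f.url} [{f.parameter}]")
    return "\n".join(lines)


# Constructed sample sessions: a scan of release 1, then a scan of release 2.
BASELINE = load_findings([
    {"url": "/login", "parameter": "user", "issue": "sql-injection", "severity": "high"},
    {"url": "/search", "parameter": "q", "issue": "reflected-xss", "severity": "medium"},
    {"url": "/", "parameter": "-", "issue": "server-banner-disclosure", "severity": "low"},
])
CURRENT = load_findings([
    {"url": "/search", "parameter": "q", "issue": "reflected-xss", "severity": "medium"},
    {"url": "/", "parameter": "-", "issue": "server-banner-disclosure", "severity": "low"},
    {"url": "/export", "parameter": "file", "issue": "path-traversal", "severity": "high"},
])


def main():
    new, fixed, unchanged = delta(BASELINE, CURRENT)
    print(delta_report(new, fixed, unchanged))
    print("build fails:", should_fail_build(new))


if __name__ == "__main__":
    main()
```

Keying on location plus issue class rather than on the scanner's own finding IDs is the design choice that matters: IDs are usually assigned per session, so comparing them would report every finding as both fixed and new. Gating on new findings only, rather than on the total count, is what lets the check run on every build of an application that already has a backlog.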

Labs Director Jim Rapoza can be reached at jim_rapoza@

Jim Rapoza, Chief Technology Analyst, eWEEK. For nearly fifteen years, Jim Rapoza has evaluated products and technologies in almost every technology category for eWEEK. Mr. Rapoza's current technology focus is on all categories of emerging information technology, though he continues to focus on core technology areas that include content management systems, portal applications, Web publishing tools and security. Mr. Rapoza has coordinated several evaluations at enterprise organizations, including USA Today and The Prudential, to measure the capability of products and services under real-world conditions and against real-world criteria. Jim Rapoza's award-winning weekly column, Tech Directions, delves into all areas of technology and the challenges of managing and deploying technology today.
