Sanctum Puts Web Apps to Tougher Tests

AppScan upgrade ably tests code and tracks changes, but it runs only on Windows.

While Sanctum Inc.s AppScan has been an excellent aid for Web application developers looking for security holes in their projects, much of its focus has been on helping developers as they build applications. With AppScan 4.0 QA Edition, Sanctum adds key tools to help testers and those whose job it is to track changes and secure ongoing Web application projects.

eWEEK Labs tests showed AppScan 4.0 QA Edition, which shipped last month, to be a worthwhile investment for any company that builds and—especially—modifies complex Web applications.

We were also impressed with the speed with which AppScan 4.0 was able to scan fairly large Web applications. In one case, while running on a modest Pentium 3 system with Windows XP, it scanned a large portal application in less than 10 minutes.

AppScan 4.0 QA Edition is priced competitively for a product of this type, at $15,000 for a yearly subscription, which covers the applications that need to be scanned. The product runs on Windows 2000 and Windows XP.

As it has done since it first came out, AppScan works by crawling through entire Web applications and attempting a number of common security attack exploits. Version 4.0 gains the ability to scan for problems in XML-based Web services.

AppScan 4.0

QA EditionSanctums updated AppScan is a good tool for discovering and avoiding common and possibly disastrous security flaws in applications. AppScan quickly and effectively scans large applications and generates reports that are understandable as well as track changes over time. AppScan 4.0 is priced at $15,000, and more information is available at
















  • PRO: Can compare and test changes in applications; interactive and comprehensive report options; excellent scanning speed.
  • CON: Testers cant write custom test scripts; runs only on Windows systems.

• Kavado Inc.s ScanDo3 • SPI Dynamics Inc.s WebInspect

Once AppScan completes a scan of a Web application, it generates a report thats easy to read and share; the report details problems found and offers suggested fixes and workarounds.

One of the most important new features in AppScan 4.0 QA Edition is the ability to generate a delta analysis report by comparing two scan sessions. Using this feature, we could clearly see the effects that changes in an application had on its security, with all deltas and new problems shown in the report.

Another new feature is the inclusion of high-level results analysis sections in the reports generated by AppScan. We found this to be especially useful when running an initial scan on a large application, as this can often generate large and potentially confusing reports.

With the results analysis, we were able to get a high-level understanding of the depth of security problems in test applications. We also liked the new interactive results window, which let us dig through our application and view all the related links and information based on the AppScan tests.

When creating a test for a Web application, AppScan 4.0 provides several options. We could choose to do a simple vulnerability scan, use AppScans default and fairly exhaustive automatic scan or perform various recorded or interactive crawls through a site to test specific functionalities. Although these options will probably be enough for most Web developers, we would like additional choices such as the ability to write tests completely in script.

Other new features in AppScan 4.0 QA Edition are a command-line interface and an API, both of which make it possible to integrate AppScan with larger quality assurance and testing infrastructures.

Labs Director Jim Rapoza can be reached at jim_rapoza@