AppScan 6.0 is the second official release of the product since Watchfire acquired the technology when it bought Sanctum. The previous release was mainly a rebranding, and AppScan 6.0 is the first version of the product on which Watchfire has truly put its stamp.
Click here to read the full review of Watchfires AppScan 6.0.
2
AppScan 6.0 is the second official release of the product since Watchfire acquired the technology when it bought Sanctum. The previous release was mainly a rebranding, and AppScan 6.0 is the first version of the product on which Watchfire has truly put its stamp.
Longtime users of AppScan will immediately notice many differences when they fire up Version 6.0, especially in the completely revamped user interface. In general, we liked the new look of AppScan. It was much cleaner and more intuitive than earlier versions, and we found that it eased the task of tracking an application scan while the scan was in progress.
To start a scan, we launched a wizard that prompted us to choose a template. Rather than providing an upfront comprehensive advanced option as WebInspect does, each individual screen in the wizard has an “advanced” button. This model works well when you need to customize only one specific scan parameter, but it could lead to unnecessary clicks when multiple customizations are required.
Of course, all this extra clicking will be an issue mainly when initially testing an application or when doing an ad hoc test because AppScan, like most penetration-testing tools, makes it possible to save testing parameters as templates. These templates could then be loaded any time the same or a similar test was required.
Once a scan was complete, AppScans new interface really stood out, greatly easing the task of tracking problems, removing false positives and, most important, determining what steps would be necessary to fix problems.
The new interface has essentially three major views: Issues, Remediation and Application Data.
The Issues view is the closest to the classic test-results view, showing a hierarchical view of the application pages and a list of discovered issues (color-coded with red and yellow symbols to indicate severity). When we clicked on an issue, we could view the typical threat and advisory information, a basic fix recommendation, and code and comment information for request and response issues.
The Remediation view provided an almost project management approach to fixing problems. We could view fix recommendations for the entire application or for specific folders or files—a useful feature for farming out fixes to specific developers. We could also customize the priority settings for the fixes based on our setup and requirements.
The Application Data view is essentially what it says: We could click on any area of the application and view the underlying code. More usefully, we could edit the request and response and send a test, which is useful for testing basic fixes.
The Reporting interface has been likewise streamlined to ease creation. The product includes the standard canned QA and executive reports, as well as a remediation report that lists all the fix recommendations.
AppScan also has been updated to address most common compliance and Web standards, including those from the Open Web Application Security Project.
Next page: Evaluation Shortlist: Related Products.
Page 3
Cenzics Hailstorm This eWEEK Labs Analysts Choice winner has exceptional automated testing capabilities (www.cenzic.com)
SPI Dynamics WebInspect Provides customization features that are well-suited for developers but still friendly enough for novices (www.spidynamics.com)
Watchfires AppScan The latest version greatly improves usability and fix recommendations (www.watchfire.com)
Labs Director Jim Rapoza can be reached at jim_rapoza@ziffdavis.com.
Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.