Watchfire Launches New Web Security Tools

With the introduction of its latest package, the software maker contends it has made it easier for application developers and security experts to team up to eliminate vulnerabilities.

Watchfire released an updated version of its Web applications security software on Nov. 6, adding new features that promise increased automation for bug hunting and new tools to improve communication among workers when chasing down problems.

Dubbed AppScan 7.0, the Web site and applications testing package boasts improved software vulnerability scanning capabilities along with a greater variety of automatic security testing procedures and remediation tools.

The updated product specifically aims to help companies more rapidly and effectively address any problems found in their applications testing efforts, company officials said.

Among the specific features added in the 7.0 release is the ability for users to test privilege escalation in their programs, as many forms of malicious software utilize attacks that allow outsiders to expand their rights on a given machine, or set of machines, to increase the impact of their attacks.

The new tools promise to allow program testers to identify vulnerabilities that may allow protected desktop resources available to unauthorized users through such threats.

Another addition in the package is the inclusion of support for two-factor authentication systems in Web applications. Whereas previous iterations of its scanning tools might be thrown off by advanced authentication systems, the new version of AppScan merely pauses until it is given access, then picks up where it left off, according to the firm.

Among the two-factor approaches supported by the product are one-time passwords, USB devices, smartcards and mutual authentication systems.

AppScan 7.0 also includes new functions that the company claims will allow security testers to highlight, explain and differentiate the problems they find to help identify specific issues and keep common problems from falling through the cracks.

Similar problems are often confused for one another, said Watchfire executives, leading companies to believe they have fixed all the security problems in an application when issues actually still exist.

Software developers continue to overlook serious flaws in their work, leaving companies at serious risk for attack, said David Grant, vice president of marketing for Watchfire, based in Waltham, Mass.

The company maintains that as many as 90 percent of all online sites and applications include some sort of security flaw.

Even when problems are discovered, many firms still struggle with the process of creating an effective chain of command for communicating issues among workers, he said.

"Developers dont have the confidence to send their data because of security issues, theyre spending an increasing amount of time doing scrubbing and analysis, and theyre still only fixing smaller portions of their applications, versus getting a bigger picture regarding security," Grant said.

He added that the biggest ongoing challenge is getting developers to communicate with quality assurance workers and security experts.

/zimages/3/28571.gifSPI adds Web application security tools for Java, AJAX. Click here to read more.

"So weve introduced the ability for people to highlight what theyve found and share it with others, prove how they have fixed a problem and get natural language results that can be shared directly with auditors."

In addition to the update of its flagship AppScan product, Watchfire also launched a new reporting console to give customers even greater vision into their security testing work, with a centralized dashboard for viewing results.

Beyond allowing companies to consolidate their vulnerability scanning results from multiple AppScan clients, creating an applications flaw repository, the product gives users the ability to distribute information on any reported issues faster, using a Web-based interface, Grant said.

The AppScan Reporting Console includes an issue management system meant to further help companies track and facilitate remediation efforts, and prioritize remaining security issues.

Watchfire said the console can also integrate with Mercurys Quality Center testing tools and IBMs Rational vulnerability-scanning applications.

/zimages/3/28571.gifCheck out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Security Center Editor Larry Seltzers Weblog.