Watchfire Takes Control of AppScan Security Software
Watchfire Corp. last month released version 5.0 of the AppScan application security software it acquired from Sanctum Inc. in July, with new features that make the vulnerability assessments more sophisticated, the company says.
“Hackers are more advanced, so more intelligence is required behind the tests,” said Steve Orrin, former CTO at Sanctum who now is vice president of security and technology at Watchfire. “It’s like an arms race. There’s always a gap” between what hackers are doing and what companies are doing to defend against those actions, but Orrin claimed that Watchfire, compared with other application security vendors, “is a little bit ahead of the game.” Orrin estimated there is a lag of six to 12 months between what hackers are doing and when those actions become commonly known in the industry.
AppScan’s test engine has been enhanced to do multiphase scanning of applications, according to director of product marketing David Grant, so that if any tests reveal new links within an application that weren’t explored, AppScan will create tests for those new parts of the application. AppScan now also can do multistage tests that need multiple requests and responses to execute, Grant added.
Also new to AppScan is a port listener that recognizes new kinds of HTTP attacks by detecting out-of-band responses, Orrin explained, saying that the software sits as a proxy server, listening to a specified port for HTTP requests and ensuring the responses also are HTTP.
Among the new vulnerabilities Watchfire has identified is HTTP response splitting, which is an attack that splits a single response into two and allows the hacker to disrupt the order of the Web application. “You can poison the Web cache, or have your server run my Web page,” Orrin said. “You can do a lot of logic subversion.”
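As an added illustration of the splitting described above and of the response check a listening proxy could apply (example code, not AppScan's or Watchfire's), the block below places the unchecked header writer beside a hardened one and counts status lines in the bytes that result; the redirect target and function names are constructed for the example.

```python
import re

# Added example (not Watchfire/AppScan code): a hardened header writer beside
# the unchecked one, plus the check a proxy-style listener could run on each
# relayed response. All inputs below are constructed.

STATUS_LINE = re.compile(rb"^HTTP/1\.[01] [1-5]\d\d ")

def header_value_is_safe(value: str) -> bool:
    """True unless the value carries CR, LF or another control character.
    Rejecting these at write time is the fix for HTTP response splitting."""
    return not any(ch in "\r\n" or ord(ch) < 0x20 or ch == "\x7f" for ch in value)

def build_redirect_unchecked(location: str) -> bytes:
    """The vulnerable pattern: untrusted input copied straight into a header."""
    return (b"HTTP/1.1 302 Found\r\nLocation: " + location.encode("latin-1")
            + b"\r\nContent-Length: 0\r\n\r\n")

def build_redirect(location: str) -> bytes:
    """Hardened version: refuse to emit a header that could split the response."""
    if not header_value_is_safe(location):
        raise ValueError("control character in header value")
    return build_redirect_unchecked(location)

def count_status_lines(raw: bytes) -> int:
    """A legitimate response has exactly one status line; a split response
    carries a second one where only header or body bytes should appear."""
    return sum(1 for line in re.split(rb"\r?\n", raw) if STATUS_LINE.match(line))

def inspect_response(raw: bytes) -> dict:
    """What a listening proxy could check before relaying a response."""
    n = count_status_lines(raw)
    return {"status_lines": n, "suspect_split": n > 1}

# Constructed untrusted redirect target: it ends the real response early and
# appends a second response, which is the split the article describes.
INJECTED = ("/home\r\nContent-Length: 0\r\n\r\n"
            "HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nhello")

def demo() -> dict:
    """Run both builders and the listener check; returns the findings."""
    unchecked = inspect_response(build_redirect_unchecked(INJECTED))
    try:
        build_redirect(INJECTED)
        rejected = False
    except ValueError:
        rejected = True
    return {"unchecked": unchecked, "hardened_rejected": rejected,
            "clean": inspect_response(build_redirect("/home"))}

if __name__ == "__main__":
    print(demo())
```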
But knowledge of a vulnerability is not always a guarantee that it will be fixed, Orrin cautioned. “It’s been 10 years since cross-site scripting was discovered, and it’s still a problem today. But we’re seeing development managers getting it by starting to apply the right policies” in the application process, he said.
To cut down on these types of vulnerabilities, Orrin said vendors must start to bring these tools to developers. “Microsoft’s not out there promoting these solutions,” he said, noting that the drivers have been regulatory compliance and the inclusion of QA teams in compliance work, an area in which auditors previously worked alone. Orrin said 15 different compliance reporting templates are now included in AppScan 5.0, which comes in developer, QA and auditor editions. Pricing was not available.
Grant said that an update to AppShield, the company’s firewall, is in development and should be out late this year or early next, and a port to Linux also is in the works. Grant explained that before the Sanctum acquisition, Watchfire could offer analysis of a production site and create dashboards, but now can offer visibility and testing throughout the Web development life cycle.
Source: SD Times