In my previous blog, I wrote about the challenges executives and developers are encountering while trying to integrate security tools and processes into the software development life cycle. Since then, I have done a bit of research to identify and evaluate the market-leading product in the field of web application security scanning, and I believe I have a result worth sharing.
Overview
With over a third of global market share, Watchfire AppScan from IBM’s Rational family of products has to be considered the leading web application security scanner worldwide. AppScan offers solutions for all types of security testing – outsourced, desktop-user and enterprise-wide analysis. Users of all kinds benefit from this application, including application developers, quality assurance teams, penetration testers, security auditors and senior management. AppScan’s engine seems to be quite powerful and capable of providing continuous monitoring and auditing of web applications, testing for security and compliance issues, and delivering reports with specific fix recommendations.
Vulnerability Detection
AppScan also seems to credibly provide security vulnerability detection through simulation of hacker attacks such as Cross-Site Scripting, HTTP Response Splitting, Parameter Tampering, Hidden Field Manipulation, Backdoors/Debug Options, Stealth Commanding, Forceful Browsing, Application Buffer Overflow, Cookie Poisoning, SQL Injection, Content Spoofing, LDAP Injection, XPath Injection and Session Fixation. In addition, AppScan maps its findings to the Open Web Application Security Project (OWASP) Top 10 and to the SANS Top 20 vulnerabilities.
Reporting and Remediation
During a test, AppScan highlights the code that has been determined to be the cause of a specific vulnerability. The reasoning behind each test is provided in natural language to explain the logic of the test and why an issue was identified. AppScan’s delta analysis report shows the changes that have occurred from one scan to the next: what has been fixed, and which new security issues have been introduced since the initial scan.
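To make the delta analysis idea concrete, here is an added example (my own illustration, not AppScan code and not its export format) that compares two sets of scan findings and sorts them into fixed, new and persisting issues, with a simple release gate on newly introduced High-severity findings. The `Finding` record, its identity key and the sample findings are all constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Hypothetical finding record; AppScan's real report schema is not assumed here.
@dataclass(frozen=True)
class Finding:
    issue_type: str   # e.g. "Cross-Site Scripting"
    url: str          # page where the issue was observed
    parameter: str    # request parameter involved ("" if none)
    severity: str     # "High", "Medium" or "Low"

    def key(self) -> Tuple[str, str, str]:
        # Identity of a finding across scans: same issue type on the same URL/parameter.
        # Severity is excluded on purpose so a re-rated issue is not reported as new.
        return (self.issue_type, self.url, self.parameter)

def delta(baseline: List[Finding], current: List[Finding]) -> Dict[str, List[Finding]]:
    """Classify findings as fixed (gone), new (introduced) or persisting (in both)."""
    base = {f.key(): f for f in baseline}
    cur = {f.key(): f for f in current}
    return {
        "fixed": [base[k] for k in base if k not in cur],
        "new": [cur[k] for k in cur if k not in base],
        "persisting": [cur[k] for k in cur if k in base],
    }

SEVERITY_ORDER = {"High": 0, "Medium": 1, "Low": 2}

def severity_counts(findings: List[Finding]) -> Dict[str, int]:
    counts = {"High": 0, "Medium": 0, "Low": 0}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts

def passes_gate(report: Dict[str, List[Finding]], allow_new_high: int = 0) -> bool:
    # Release gate: fail when a scan introduces more High-severity issues than allowed.
    return severity_counts(report["new"])["High"] <= allow_new_high

def render(report: Dict[str, List[Finding]]) -> str:
    """Plain-text delta report, highest severity first within each bucket."""
    lines = []
    for bucket in ("new", "fixed", "persisting"):
        items = sorted(report[bucket],
                       key=lambda f: (SEVERITY_ORDER.get(f.severity, 9), f.url))
        lines.append(f"{bucket.upper()} ({len(items)}): {severity_counts(items)}")
        for f in items:
            lines.append(f"  [{f.severity}] {f.issue_type} at {f.url} "
                         f"param={f.parameter or '-'}")
    return "\n".join(lines)

# Constructed sample findings, not output from any real scan.
BASELINE = [
    Finding("Cross-Site Scripting", "/search", "q", "High"),
    Finding("SQL Injection", "/login", "user", "High"),
    Finding("Session Fixation", "/login", "", "Medium"),
]
CURRENT = [
    Finding("SQL Injection", "/login", "user", "High"),
    Finding("Session Fixation", "/login", "", "Medium"),
    Finding("Hidden Field Manipulation", "/checkout", "price", "High"),
]

if __name__ == "__main__":
    report = delta(BASELINE, CURRENT)
    print(render(report))
    print("gate passed:", passes_gate(report))
```

The identity key is the design decision that matters: keying on issue type, URL and parameter (but not severity or a scanner-assigned issue id) keeps a re-scored or re-numbered issue from showing up as both "fixed" and "new", which is the usual source of noise when diffing scan results by hand.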
Support for a total of 40 global regulatory compliance and standards reports is another interesting feature of this product. BASEL II, the Electronic Fund and Transfer Act (EFTA) and the Payment Card Industry (PCI) Data Security Standards are among the supported compliance and standards reports.
Summing Up
AppScan (v7.5) looks like a valid option for helping to ensure the security and compliance of web applications throughout the software development life cycle. It has been designed for the broadest range of users, from business users to advanced power users who can use the added tools and API to create a customized scanning environment. In an upcoming blog I will provide more detailed information on the scanning abilities of AppScan as they pertain to building secure web applications – much more to come!
Just want to know if anyone in India provides training on AppScan.
Posted by: Parag | August 22, 2008 at 06:54 AM
Identity theft has brought great tensions to the corporate world, causing many companies losses each year. Everyone is scared of their personal information being leaked out to some strangers. Not only offices but individuals at home should also purchase one for safety.
Posted by: Industrial Shredders | January 12, 2009 at 05:00 AM
This ThinkPad T40 has been awesome. Had it for a decent price. There was a problem with the main board about 4 months down the road, and customer service couldn't have been better. I spoke with someone in America, and they overnighted everything. The entire process only took 3 days from placing the service call to getting it back and running.
Posted by: Used Refurbished Laptops | April 05, 2009 at 09:36 AM