Network Computingwww.networkcomputing.com

Rolling Review: WatchFire AppScan

Posted by
October 05, 2007

Tags: Ajax Rolling Review, IBM AppScan, Jordan Wiens, Python, Web application scanner, data privacy, secure development practices, Application Security, Client/Server Protection, Data Protection, Other, Security and Privacy, WatchFire AppScan, Web Services Security

Channel: Other, Data Protection

The Upshot Web application scanners in this Rolling Review must not only find traditional vulnerabilities, like XSS and SQL injection flaws, but also handle Ajax applications, in which part of the app is running locally in the browser. Complex Ajax apps represent a new and, we found out, highly challenging twist for these products, but we don't recommend purchasing a scanner that isn't able to handle Web 2.0 environments, given that so much future development is moving in that direction. And, Web application scanners should be just one element in a comprehensive, layered program—educating developers and integrating security reviews into the development lifecycle are just as crucial. IBM's AppScan sets the standard for features, usability and reliability. While not quite perfect, AppScan is the pacesetter for the rest of the pack and is the first product evaluated to successfully traverse our Ajax applications. WatchFire AppScan

Not only is AppScan the most mature Web application vulnerability scanner on the market, developed in 2000 as a companion to Sanctum's AppShield Web application firewall, it's now owned by one of the most well-known names in computing, IBM, as a result of Big Blue's July acquisition of WatchFire. In the context of this Rolling Review, we weren't sure AppScan's experience would be enough: The Ajax applications we've been feeding our scanners have proved troublesome, even for long-established products. Fortunately for IBM, AppScan looks like a sound investment. It impressed us with its ease of use, advanced functionality and reliability and was the most successful so far at traversing our Ajax applications.

That's not to say we didn't have some tense moments. When we first began scanning one of our sample Ajax apps, it appeared we were going to repeat our experience with previous products. AppScan was unable to automatically parse the JavaScript and enumerate the entire application. When WatchFire investigated, however, it told us it had no trouble with the application. What gives?

This article is part of NWC's Rolling Review of Web Applications Scanners. Click on that link to go to the Rolling Reviews home page to read all the features and reviews now.

The problem was eventually traced to a rogue Microsoft XML library on our scanner machine that was not properly registering. Until the exact cause of the incompatibility was tracked down—multiple clean system builds exhibited the same behavior in our lab—WatchFire added a temporary fix to the AppScan installer to ensure that the library would function properly. Current customers who've been relying solely on the AppScan Update tool to get updates and that need JavaScript testing functionality should be on the lookout for this bug.

Related Reading

More data-protection Insights