
Rolling Review: WatchFire AppScan


The Upshot

Claim
Web application scanners in this Rolling Review must not only find traditional vulnerabilities, like XSS and SQL injection flaws, but also handle Ajax applications, in which part of the app is running locally in the browser.
Context
Complex Ajax apps represent a new and, we found out, highly challenging twist for these products, but we don't recommend purchasing a scanner that isn't able to handle Web 2.0 environments, given that so much future development is moving in that direction. And, Web application scanners should be just one element in a comprehensive, layered program—educating developers and integrating security reviews into the development lifecycle are just as crucial.
Credibility
IBM's AppScan sets the standard for features, usability and reliability. While not quite perfect, AppScan is the pacesetter for the rest of the pack and is the first product evaluated to successfully traverse our Ajax applications.

WatchFire AppScan

Not only is AppScan the most mature Web application vulnerability scanner on the market, developed in 2000 as a companion to Sanctum's AppShield Web application firewall, it's now owned by one of the best-known names in computing, IBM, as a result of Big Blue's July acquisition of WatchFire. In the context of this Rolling Review, we weren't sure AppScan's experience would be enough: The Ajax applications we've been feeding our scanners have proved troublesome, even for long-established products. Fortunately for IBM, AppScan looks like a sound investment. It impressed us with its ease of use, advanced functionality and reliability, and it was the most successful so far at traversing our Ajax applications.

That's not to say we didn't have some tense moments. When we first began scanning one of our sample Ajax apps, it appeared we were going to repeat our experience with previous products. AppScan was unable to automatically parse the JavaScript and enumerate the entire application. When WatchFire investigated, however, it told us it had no trouble with the application. What gives?

This article is part of NWC's Rolling Review of Web Application Scanners.

The problem was eventually traced to a rogue Microsoft XML library on our scanner machine that was not properly registering. Until the exact cause of the incompatibility was tracked down—multiple clean system builds exhibited the same behavior in our lab—WatchFire added a temporary fix to the AppScan installer to ensure that the library would function properly. Current customers who've been relying solely on the AppScan Update tool to get updates and that need JavaScript testing functionality should be on the lookout for this bug.

Once that issue was resolved, AppScan performed as promised, becoming the first Web application scanner tested to properly identify Ajax functionality and navigate those sections of the app other scanners failed to automatically crawl. Cenzic Hailstorm came close—it was able to discover the sites in a manual mode, meaning we had to click through the entire application by hand. OK for a few small test apps, not so much in a production environment.
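To make the crawling gap concrete, here is an added illustration in Python that is not part of the review and not AppScan's or any vendor's code: a toy crawler run over a constructed Ajax-style app whose only static link is /about, with every other endpoint reachable solely through XMLHttpRequest/fetch calls or markup that app.js builds in the browser. The same crawler is run once following only HTML anchors and once also parsing the script, so the difference in enumerated paths is the coverage a scanner loses when it cannot handle the JavaScript.

```python
import re
from html.parser import HTMLParser

# Constructed sample application (not from the article). Only /about is statically
# linked; the remaining endpoints exist only inside app.js, as in the Ajax apps the
# review describes, where part of the application runs locally in the browser.
SITE = {
    "/": '<html><body><a href="/about">About</a>'
         '<div id="nav"></div><script src="/app.js"></script></body></html>',
    "/about": "<html><body>Static page, no further links.</body></html>",
    "/app.js": (
        "function load(id) { var x = new XMLHttpRequest();"
        " x.open('GET', '/api/accounts?id=' + id); x.send(); }\n"
        "fetch('/api/search?q=');\n"
        "document.getElementById('nav').innerHTML = '<a href=\"/admin/report\">Report</a>';\n"
    ),
    "/api/accounts": "{}",
    "/api/search": "[]",
    "/admin/report": "<html><body>report</body></html>",
}

# Quoted string literals that look like absolute paths; any query string is dropped.
JS_PATH = re.compile(r"""['"](/[A-Za-z0-9_./-]*)(?:\?[^'"]*)?['"]""")


class LinkParser(HTMLParser):
    """Collect <a href> targets and <script src> files from one HTML page."""
    def __init__(self):
        super().__init__()
        self.links, self.scripts = [], []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.append(a["href"].split("?")[0])
        elif tag == "script" and a.get("src"):
            self.scripts.append(a["src"])


def crawl(start="/", parse_js=False):
    """Return the set of paths reached. parse_js=False mimics a scanner that only follows
    HTML anchors; parse_js=True also fetches scripts and treats every path-like string
    literal in them as a candidate endpoint to request."""
    seen, todo = set(), [start]
    while todo:
        path = todo.pop()
        if path in seen or path not in SITE:      # skip revisits and 404s
            continue
        seen.add(path)
        body = SITE[path]
        if path.endswith(".js"):
            if parse_js:
                todo.extend(JS_PATH.findall(body))
            continue
        p = LinkParser()
        p.feed(body)
        todo.extend(p.links)
        if parse_js:
            todo.extend(p.scripts)
    return seen
```

The anchor-only crawl stops at two pages, while the script-aware crawl also reaches the two API endpoints and the report page that only the JavaScript ever references; the set difference is the part of the attack surface a non-Ajax-capable scanner never tests.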

While each product in this Rolling Review has strengths and weaknesses, AppScan encapsulated the best features with few of the faults. For example, it's cleanly designed, and we easily jumped in and began using the interface, much as we did with Hewlett-Packard's WebInspect but without that scanner's unfortunate reliability questions. If you think you're detecting a buying spree, you're right: When we reviewed WebInspect, it was owned by SPI Dynamics. HP was hot on IBM's tail, finishing its acquisition of the WatchFire competitor just a few weeks later.
