Watchfire Announces New Version of AppScan(TM)

WALTHAM, Mass. -- Enhanced Scanning Engine Targets New Web Application Security Vulnerabilities by Simulating Hackers' Actions; Adds FISMA and VISA CISP to Growing List of Compliance Reporting Capabilities

Watchfire, the leading provider of software and services to manage online business, today announced new releases of AppScan(TM) Audit, QA, and Developer Editions. AppScan automates Web application security testing for rapid development of secure Web applications, enables security assurance testing before application deployment, and continuously monitors integrity in the live environment by thoroughly auditing Web applications running in production.

AppScan 5.0 is the first major release by Watchfire since acquiring AppScan from Sanctum, and represents the next major step in the long-term strategic roadmap defined for AppScan. Watchfire has significantly enhanced the patented scanning engine, providing customers with additional intelligent scanning capabilities to identify more security vulnerabilities. The company has also added more regulatory compliance reports to offer the most comprehensive compliance reporting in the industry.

Many organizations have a difficult time tackling Web application security issues due, in part, to the range of Web applications and the size and complexity of today's websites. The risk continues to increase with the rapid emergence of new compliance legislation and the explosion of online threats such as identity theft and "phishing." Of particular urgency are the regulatory compliance deadlines of both VISA CISP (Cardholder Information Security Program) and the Federal Information Security Management Act (FISMA). VISA CISP compliance is required for all retail entities storing, processing, or transmitting VISA cardholder data. FISMA requires US federal agencies and any organization that works with federal information systems to ensure comprehensive risk assessments and detailed compliance reporting. AppScan now reports on 15 global compliance requirements.

"Today, some of the most pressing issues for enterprises concern compliance with an ever increasing number of government regulations and the inherent security vulnerabilities in both infrastructure and web applications," said Charles Kolodgy, research director for Security Products at IDC. "This environment is prompting organizations to pay closer attention to their online security practices. Web application security is a critical component of an effective online business operation. Enterprises need to make the investment in solutions that can automate the process of identifying and mitigating web application vulnerabilities and weaknesses. Additionally, the automation tools should include compliance auditing for full web application assurance."

Some of the most damaging targeted mass Internet attacks have focused on vulnerabilities in Web applications. Organizations need automated solutions to identify and protect them from these weaknesses.
With this release, Watchfire has redefined how security-scanning engines identify vulnerabilities. The AppScan 5.0 patented scanning engine now detects even more security vulnerabilities by simulating hackers' actions and capabilities. By dynamically creating tests that simulate this behavior, AppScan brings security assurance to new levels of confidence. AppScan continues to be the industry's most comprehensive compliance reporting solution, was judged the Test and Performance category winner in a recent SD Times competitive evaluation, and is the most widely deployed solution of its kind.

"As the first major release by Watchfire, AppScan 5.0 raises the bar for Web application security testing by helping enterprises comply with a number of key regulatory compliance guidelines, and helps build security testing into the web application development lifecycle," said Steve Orrin, vice president, security and technology, Watchfire. "The next-generation scanning engine features more intelligent scanning capabilities which allow organizations to find more critical vulnerabilities. By creating 'hacker resistant' business logic in the development environment, testing for quality in the staging environment, and enforcing security and compliance through internal and external audits, AppScan generates real confidence in the live production environment."

"The applications on our site perform critical functions ranging from grade verification to online registration and tuition payment. These applications must be confidential, reliable and secure for our users," said Ariel Silverstone, CISO of Temple University. "AppScan is instrumental in helping us verify the security and regulatory compliance of our site by automatically identifying web application defects and vulnerabilities that could expose both the University and our community to online risk.
We are looking to the new AppScan 5.0 scanning engine and enhanced compliance reporting features to identify even more web application security vulnerabilities, helping to further improve our resource allocation, assure compliance and reduce risk."

What's new in AppScan 5.0?

Comprehensive Regulatory Compliance Reports

With this release, AppScan reports on 15 global compliance requirements including the Privacy Act of 1974, VISA CISP, the Federal Information Security Management Act (FISMA), the Personal Information Protection and Electronic Documents Act (PIPEDA), California SB 1386, the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLBA), the European Union Data Protection Directive and Sarbanes-Oxley (SOX). AppScan 5.0 also includes a mapping to the Open Web Application Security Project's (OWASP) top 10 critical web application vulnerabilities.

Advanced Trend Analysis Report - Generates a trend analysis report based on two or more completed scans by comparing the number, type, severity, test category, and source of the vulnerabilities. For further usability and flexibility, the new trend analysis report allows trending of security scans from different staging and development environments.

Next Generation Scanning

Multi-Phase Scanner - AppScan now extracts new links from test responses (robots.txt, directory listings) and re-crawls them, creating and submitting new tests for the new links. This provides the ability to control whether AppScan will continue crawling the new links, expanding AppScan's coverage when testing a Web application.

Port Listener - Allows for more accurate testing and validation of tests such as SQL Injection by detecting out-of-band responses. Because several tests will not return any indication of vulnerability over HTTP, AppScan will act as a server, listening on a specified port, and waiting for a specific message or data to return from the tested Web application. With this feature, AppScan 5.0 can find the highest number of web application security vulnerabilities.

Multi-Stage Tests - AppScan now enables the performance of complex tests that require multiple requests and responses to execute (e.g. Blind SQL Injection). For example, AppScan will retrieve the contents of WS_FTP .log files, parse them, discover if script backup files exist in the virtual root directory, and retrieve the script sources, resulting in a more sophisticated, human-like approach to vulnerability detection.

Enhanced Automation

Automatic Form Filler Learner - This feature makes it easier to create scan templates and quicker to scan applications. When users crawl a website, AppScan learns the parameter values entered by the user (and all other parameters, including hidden fields), and uses them in future scans for automatic explores. The form-filler data can be saved and shared with other AppScan users.
Customized Error Page for Application Specific Vulnerabilities - Defines what application-specific error pages look like. When sending Application Specific Vulnerability (ASV) tests, AppScan will correlate the test response to the user-defined error pages, and if a match occurs, AppScan will flag the test as "Not Vulnerable." This new feature improves the accuracy of the ASV tests and reduces the number of flagged false positives.

Enhancements to AppScan Developer Edition (DE) 5.0

Significant performance, user interface, scanning, and reporting capabilities have been added to AppScan Developer Edition (DE) to help organizations create reliable and secure applications in the development environment. AppScan DE has four versions that support the leading development applications: JBuilder, WebSphere, MS Visual Studio, and Eclipse.

AppScan 5.0 Availability and Special Limited Offer

AppScan 5.0 is generally available October 12, 2004. For a limited time only, Watchfire is bundling AppScan with its website quality and accessibility testing tool WebQA(TM). This bundle provides tools for web application security, quality, and accessibility compliance, all for one price. This limited offer is available until December 31, 2004.

About Watchfire

Watchfire provides software and services to help organizations manage online business by minimizing online risk and maximizing channel effectiveness.
More than 200 enterprise organizations and Government agencies, including AXA Financial, SunTrust Banks Inc., Veterans Affairs, United States Postal Service and Dell rely on Watchfire to monitor, manage, improve and secure all aspects of the online business including quality, privacy, web application security, accessibility, user experience and visitor behavior. Watchfire's alliance and technology partners include IBM Global Services, PricewaterhouseCoopers, TRUSTe, Microsoft, Interwoven, EMC Documentum and Mercury. Watchfire is headquartered in Waltham, MA.

Watchfire, WebCPO, WebXM, WebQA, WebXACT, Bobby, Sanctum, AppShield, AppScan, the Sanctum Logo, the Bobby Logo and the Flame Logo are trademarks or registered trademarks of Watchfire Corporation. All other products, company names, and logos are trademarks or registered trademarks of their respective owners.
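The error-page correlation described above under "Customized Error Page for Application Specific Vulnerabilities" (a scanner comparing each test response against user-defined error pages and marking a match "Not Vulnerable") can be illustrated with a small false-positive filter. This is an added example, not Watchfire's code; the error page and test responses are constructed samples, and the normalization rules and 0.9 similarity threshold are assumptions.

```python
import re
from difflib import SequenceMatcher

# Constructed sample: the application's generic error page, as a user would
# define it for the scanner. Request ID and timestamp change on every hit.
CUSTOM_ERROR_PAGE = """<html><body><h1>Oops, something went wrong</h1>
<p>Request ID: 7f3a9c</p><p>Time: 2004-10-12 09:13:44</p>
<p>Please try again later.</p></body></html>"""

# Constructed test responses: the same error page with fresh dynamic values,
# a real database error leaking through, and an unremarkable page.
RESPONSE_SAME_ERROR = """<html><body><h1>Oops, something went wrong</h1>
<p>Request ID: 0b12ee</p><p>Time: 2004-10-13 17:02:05</p>
<p>Please try again later.</p></body></html>"""
RESPONSE_SQL_ERROR = ("<html><body><h1>Error</h1><pre>You have an error in "
                      "your SQL syntax near ''1''</pre></body></html>")
RESPONSE_NORMAL = "<html><body><h1>Welcome back</h1></body></html>"


def normalize(body: str) -> str:
    """Reduce a page to text with per-request noise masked, so two renderings
    of the same error page compare equal despite differing IDs/timestamps."""
    text = re.sub(r"<[^>]+>", " ", body)                               # drop tags
    text = re.sub(r"\d{4}-\d{2}-\d{2}[ T]\d{2}:\d{2}:\d{2}", "<ts>", text)
    text = re.sub(r"\b[0-9a-f]{6,}\b", "<id>", text)                   # hex ids
    return re.sub(r"\s+", " ", text).strip().lower()


def matches_error_page(response: str, templates, threshold: float = 0.9) -> bool:
    """True when the response is essentially one of the known error pages."""
    norm = normalize(response)
    return any(SequenceMatcher(None, norm, normalize(t)).ratio() >= threshold
               for t in templates)


def classify(response: str, indicator: str, templates) -> str:
    """Correlate a test response with the custom error pages before deciding.
    A hit on a known error page is reported as Not Vulnerable even if the
    page happens to contain words that look like an error indicator."""
    if matches_error_page(response, templates):
        return "Not Vulnerable"
    if indicator.lower() in response.lower():
        return "Vulnerable"
    return "Inconclusive"


if __name__ == "__main__":
    for name, body in [("same error page", RESPONSE_SAME_ERROR),
                       ("sql error", RESPONSE_SQL_ERROR),
                       ("normal page", RESPONSE_NORMAL)]:
        print(f"{name:16s} -> "
              f"{classify(body, 'error in your SQL syntax', [CUSTOM_ERROR_PAGE])}")
```

Masking dynamic fragments before comparing is what keeps the filter useful: an exact string match against the stored error page would fail on the first response with a new request ID, and every generic error would then be counted as a finding.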