Sanctum's AppScan is a tool for testing a Web application's security. Read the product documentation, and it's difficult to
avoid the impression that AppScan is a sort of "automated hacker." That’s true in at least one sense: AppScan applies the
same type of techniques as a hacker would use to infiltrate your site. Fortunately, AppScan is a benign mechanism, not a malevolent
person, because it does its job very well.

Sanctum AppScan DE 1.7
Sanctum, sanctuminc.com
Overall rating: Excellent, 8.6

| Criteria    | Score | Weight |
|-------------|-------|--------|
| Ease-of-use | 9     | 20%    |
| Performance | 8     | 20%    |
| Security    | 9     | 20%    |
| Setup       | 9     | 20%    |
| Innovation  | 8     | 10%    |
| Value       | 8     | 10%    |

Cost: $1495 per developer
Platforms: Windows 2000 with SP2 or higher, Windows XP with SP1 or higher, Windows .Net Server
Bottom Line: Easy to operate and extremely thorough, AppScan DE is a worthwhile tool for developers interested in shoring up a Web application's
security. The help screens and in-line comment information alone are eye-opening reading.
AppScan DE (Developer’s Edition) explores a Web site, searches for potential security loopholes, "attacks" the site based
on knowledge gathered during the search, and reports its successes and failures. Developers can then use AppScan's information
to shore up the discovered security leaks before they go live.
A Benign Mechanism
While AppScan can stand alone, it is available in versions that integrate with various integrated development environments,
including Visual Studio .Net, Visual Basic 6.0, IBM WebSphere Application Developer Studio 5.0, Eclipse, and Borland JBuilder.
I ran the stand-alone version and was pleased by how quickly I could set it up and turn it loose on my sample application.
The AppScan GUI is arranged so that the four phases of its operation -- Setup, Explore, Test, and Report -- appear as tabs
arranged vertically on the left side of the window. Select one of the tabs, and the other tabs slide apart to reveal sub-tabs
associated with a step within each phase.
This arrangement provides a good mix of guided hand-holding and unchaperoned navigation. Your first time through a session,
you follow the tabs from top to bottom, filling in parameters and executing functions. Once you've gotten the hang of it,
you can tweak and refine that same session by stepping backward or forward and tuning and rerunning.
In the Setup phase, you provide the information AppScan needs to prowl your target site: the starting URL, how many links
"deep" the scan will delve, which URLs to avoid, and more. You can also fill in all the data for the input fields, selection
boxes, and so on that AppScan will encounter as it prowls the site. (This is not a required step. When AppScan does its exploration
of the site, it tracks all the entry fields for which it has no input information and requests the information afterward.)
The next phase, Explore, is the scan itself. There are two kinds of scans: automatic and interactive. Automatic is the more
comprehensive, as AppScan crawls mechanically through the site like a living algorithm climbing a tree structure, bypassing
only those links you previously identified.
In an interactive scan, AppScan watches as you click through the site, recording and remembering the links you visit, the
fields you fill in, and so on. Interactive scanning is therefore more constrained than automatic, but since you control the
process, you can quickly focus on what you think might be a trouble spot rather than wait for AppScan to find it. One of AppScan's
bits of cleverness is that you can flip easily between automatic and interactive scans, as the circumstance requires.
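To make the Setup and Explore phases concrete, here is an added illustration (not Sanctum's code) of the behaviour the review describes: a breadth-first crawl from a starting URL to a chosen link depth, skipping URLs on an avoid list, and keeping a list of entry fields for which no input value was supplied in Setup so they can be requested afterward. The site is a constructed in-memory dictionary standing in for live HTTP fetches.

```python
from collections import deque
from html.parser import HTMLParser
from urllib.parse import urljoin

# Constructed sample site (URL -> HTML); stands in for live HTTP fetches.
SITE = {
    "http://example.test/": '<a href="/login">Login</a> <a href="/admin">Admin</a>',
    "http://example.test/login": '<form action="/auth"><input name="user"><input name="pass"></form>',
    "http://example.test/auth": '<a href="/search">Search</a>',
    "http://example.test/search": '<form action="/results"><input name="q"><select name="sort"></select></form>',
    "http://example.test/results": '<a href="/">Home</a>',
    "http://example.test/admin": "<p>excluded from the scan</p>",
}

class LinkFormParser(HTMLParser):
    """Collects hrefs, form actions and named entry fields from one page."""
    def __init__(self):
        super().__init__()
        self.links, self.fields, self._action = [], [], ""
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.append(a["href"])
        elif tag == "form":
            self._action = a.get("action") or ""
            self.links.append(self._action)  # submitting the form is a link too
        elif tag in ("input", "select", "textarea") and a.get("name"):
            self.fields.append((self._action, a["name"]))

def explore(start, max_depth, avoid, known_inputs, fetch=SITE.get):
    """Breadth-first crawl up to max_depth links from start, skipping URLs in avoid.
    Returns (visited URLs in order, entry fields that Setup gave no value for)."""
    visited, missing, seen = [], [], {start}
    queue = deque([(start, 0)])
    while queue:
        url, depth = queue.popleft()
        body = fetch(url)
        if body is None:
            continue
        visited.append(url)
        p = LinkFormParser(); p.feed(body)
        for action, name in p.fields:
            if name not in known_inputs:  # remember it; ask the developer afterward
                missing.append((urljoin(url, action), name))
        if depth == max_depth:
            continue
        for href in p.links:
            target = urljoin(url, href)
            if target not in seen and target not in avoid:
                seen.add(target); queue.append((target, depth + 1))
    return visited, missing
```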
After exploration, AppScan mulls over the gathered information and builds a database of known or suspected site vulnerabilities.
In short, AppScan draws up its attack plan and assembles its weapons, dubbed "mutated" requests: legitimate HTTP requests
modified to test specific weaknesses.
The actual attack is more politely called the Test phase. AppScan sends its volley of mutated requests to the site and records
the results. Even the attack can be tweaked by the developer, literally fine-tuning the assault so that only specific mutated
requests are sent to look for one vulnerability in particular. In addition, AppScan identifies those requests that might actually
crash the system and gives you the option of skipping them.