In the final phase, Report, AppScan provides both on-screen and printable results in drill-down fashion. It divides a site's
potential vulnerabilities -- and, therefore, the kinds of attacks it mounts -- into eight categories: hidden field manipulation,
cross-site scripting, stealth commanding, parameter tampering, backdoor and debug options, buffer overflows, cookie poisoning,
and suspicious content.

Sanctum AppScan DE 1.7
Sanctum, sanctuminc.com
Overall score: Excellent 8.6

Criteria       Score   Weight
Ease of use    9       20%
Performance    8       20%
Security       9       20%
Setup          9       20%
Innovation     8       10%
Value          8       10%

Cost: $1495 per developer
Platforms: Windows 2000 with SP2 or higher, Windows XP with SP1 or higher, Windows .Net Server
Bottom Line: Easy to operate and extremely thorough, AppScan DE is a worthwhile tool for developers interested in shoring up a Web application's security. The help screens and in-line comment information alone are eye-opening reading.
Results can be filtered by severity, according to whether a test request revealed a vulnerability that was certain, highly
suspicious, suspicious, or not vulnerable. I found the filtering feature particularly useful, allowing me to slice away those
categories that simply were not applicable to my testing.
What's important here isn't so much that AppScan employs any heretofore unknown kinds of attacks; in fact, they're all pretty
well understood. What is important is that AppScan automates the process of locating vulnerabilities and testing those attacks
on a target site. AppScan DE's value is not the novelty of its "hacking," but its speed and thoroughness.
A Grim Job
Working with AppScan DE is relatively uncomplicated thanks to the tab-navigation interface. I was initially confused by the
way that the tool kept all form input data global, rather than associating each with its specific URL. However, a discussion
with Sanctum convinced me that AppScan trades that kind of excruciating precision for ease of use and emerges the better for
it.
You may also run AppScan from the command line. This allows you to incorporate the tool into script-driven build processes
to run automated sessions after each build of your application so that security problems can be located -- and, hopefully,
tracked and fixed -- before they hit the real world.
While using the system is straightforward, AppScan DE's licensing is understandably tricky. Licenses are typically granted
for scanning a specific IP address, or a range of nonroutable addresses. Anything beyond that requires special licensing from
Sanctum. (Of course, scanning a Web site on your local system is always permitted.)
In addition, for accountability tracking, AppScan DE binds your license to your system's IP address and MAC address, and embeds
those addresses in HTTP headers so that servers logging HTTP transactions deposit the identifying information in system logs.
That allows enterprise managers to track precisely who is using AppScan to explore a given server, just in case someone tries
to use the tool, er, “inappropriately.”
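The accountability mechanism described above, as an added example that is not Sanctum's code: the scanner stamps an identifying header on every request, the target server appends that header to its access log, and a small parser on the server side attributes scan traffic to a license and flags identities that are unlicensed or whose claimed IP does not match the connection's source address. The header name X-Scanner-License, the ip=...;mac=... value format, the LogFormat and the log lines are all constructed assumptions; the page does not state what AppScan actually sends.

```python
"""Attribute scanner traffic in web-server logs to the licensed scanner host.

Added example, not Sanctum's code. The review says AppScan DE embeds the
licensed host's IP and MAC address in its HTTP request headers so that the
target server's logs record who scanned it. The header name, its value
format, the log format and the log lines below are constructed assumptions.
"""
import re
from collections import defaultdict

# Hypothetical header name; the page does not state the real one.
LICENSE_HEADER = "X-Scanner-License"

# Assumed Apache-style access log with the header appended, i.e. a LogFormat of
#   "%h %t \"%r\" %>s %b \"%{X-Scanner-License}i\""
LOG_RE = re.compile(
    r'^(?P<client>\S+) \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<license>[^"]*)"$'
)
LICENSE_RE = re.compile(
    r"ip=(\d{1,3}(?:\.\d{1,3}){3});mac=([0-9a-f]{2}(?::[0-9a-f]{2}){5})"
)

def build_license_header(ip, mac):
    """Scanner side: the identifying header a licensed copy would stamp on requests."""
    return {LICENSE_HEADER: f"ip={ip};mac={mac.lower()}"}

def parse_license(value):
    """Server side: (ip, mac) from the header value, or None if malformed."""
    m = LICENSE_RE.fullmatch(value)
    return (m.group(1), m.group(2)) if m else None

def attribute_scans(log_lines, licensed_hosts):
    """Group scanner requests by claimed identity and flag two anomalies:
    an identity with no license on file, and requests whose TCP source address
    differs from the IP claimed in the header (relayed or forged header).
    Returns {identity: {"requests", "source_ips", "licensed", "spoofed"}}."""
    report = defaultdict(
        lambda: {"requests": 0, "source_ips": set(), "licensed": False, "spoofed": False}
    )
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or m.group("license") in ("", "-"):
            continue  # ordinary traffic: no scanner header present
        ident = parse_license(m.group("license")) or ("malformed", m.group("license"))
        entry = report[ident]
        entry["requests"] += 1
        entry["source_ips"].add(m.group("client"))
        entry["licensed"] = ident in licensed_hosts
        if m.group("client") != ident[0]:
            entry["spoofed"] = True
    return dict(report)

# Constructed sample log: plain traffic, a licensed scan, one request carrying the
# licensed identity from a different source address, and an unlicensed scan.
SAMPLE_LOG = [
    '10.0.0.5 [12/Mar/2003:10:14:01 -0500] "GET /login.jsp HTTP/1.1" 200 512 "-"',
    '10.0.0.7 [12/Mar/2003:10:14:02 -0500] "POST /login.jsp HTTP/1.1" 200 611 "ip=10.0.0.7;mac=00:0a:95:9d:68:16"',
    '10.0.0.7 [12/Mar/2003:10:14:02 -0500] "POST /login.jsp?id=%3Cscript%3E HTTP/1.1" 500 88 "ip=10.0.0.7;mac=00:0a:95:9d:68:16"',
    '192.168.4.9 [12/Mar/2003:10:20:30 -0500] "GET /admin/debug HTTP/1.1" 404 210 "ip=10.0.0.7;mac=00:0a:95:9d:68:16"',
    '10.0.0.9 [12/Mar/2003:11:00:00 -0500] "GET /index.jsp HTTP/1.1" 200 1024 "ip=10.0.0.9;mac=00:0a:95:9d:68:99"',
]
LICENSED_HOSTS = {("10.0.0.7", "00:0a:95:9d:68:16")}

if __name__ == "__main__":
    for ident, info in attribute_scans(SAMPLE_LOG, LICENSED_HOSTS).items():
        print(ident, info)
```

The header is only as trustworthy as the client that sends it, so the server-side check compares the claimed IP against the connection's source address; a mismatch means the header was relayed through a proxy or written by something other than the licensed scanner, and is worth a look either way.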
While one might be tempted to judge AppScan DE on the cleverness of its attacks, doing so is missing the product's more important
characteristic: comprehensiveness. This became clear to me when I turned AppScan loose on a small, three-servlet, MySQL-based
Web application I had been using at work. AppScan turned up no vulnerabilities, and while I would have been amazed if it had,
I was still more amazed by the sheer number of individual attacks the tool attempted -- well over 900.
After pondering this for a moment, I realized how many valid and unique variations of HTTP requests were possible with just
my simple application, then shuddered at the thought of how many would exist for a complex enterprise Web site. AppScan DE’s
thoroughness will be much appreciated by any IT security team.
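To make the request-count arithmetic concrete, here is an added example that is not AppScan's code: a minimal scanner-style generator that crosses every input the crawl found (visible parameters, hidden fields, cookies) with a handful of payloads from the attack categories the review lists, plus a few blind probes for debug paths, and renders any variant as the HTTP message that would go on the wire. The three-servlet application model, the payload lists and the probe paths are all constructed for illustration.

```python
"""Enumerate the HTTP request variants a scanner would send to a small Web app.

Added example, not AppScan's code. It models the simplest scanner strategy,
mutating one discovered input at a time, to show why a three-servlet
application already produces a large number of distinct test requests. The
application model, payload lists and probe paths are constructed for
illustration; real scanners carry far larger payload libraries.
"""
from urllib.parse import urlencode

# Constructed crawl result for a three-servlet application: the inputs found on each page.
APP = {
    "/login":   {"method": "POST", "params": ["user", "pass"], "hidden": ["next"], "cookies": ["JSESSIONID"]},
    "/search":  {"method": "GET",  "params": ["q", "page"],    "hidden": [],       "cookies": ["JSESSIONID"]},
    "/account": {"method": "POST", "params": ["email"],        "hidden": ["uid"],  "cookies": ["JSESSIONID", "role"]},
}

# A few payloads per category named in the review, keyed by the input type they target.
PARAM_PAYLOADS = {
    "parameter tampering":  ["", "-1", "0", "999999999", "' OR '1'='1"],
    "cross-site scripting": ["<script>alert(1)</script>", '"><img src=x onerror=alert(1)>'],
    "buffer overflow":      ["A" * 1024, "A" * 65536],
    "stealth commanding":   ["; id", "| cat /etc/passwd", "`id`"],
}
HIDDEN_PAYLOADS = {"hidden field manipulation": ["0", "1", "admin", "../../etc/passwd"]}
COOKIE_PAYLOADS = {"cookie poisoning": ["", "admin", "0", "' OR '1'='1"]}
# Paths requested regardless of what the crawl found.
DEBUG_PROBES = ["/debug", "/test", "/admin", "/WEB-INF/web.xml", "/index.jsp.bak", "/servlet/SnoopServlet"]

def _mutations(names, payload_sets):
    """Yield (category, name, payload) for every single-input mutation."""
    for name in names:
        for category, payloads in payload_sets.items():
            for payload in payloads:
                yield category, name, payload

def generate_requests(app=APP):
    """Yield (category, method, path, params, cookies) for each test request."""
    for path, page in app.items():
        base_params = {p: "ok" for p in page["params"] + page["hidden"]}
        base_cookies = {c: "valid" for c in page["cookies"]}
        for category, name, payload in _mutations(page["params"], PARAM_PAYLOADS):
            yield category, page["method"], path, {**base_params, name: payload}, dict(base_cookies)
        for category, name, payload in _mutations(page["hidden"], HIDDEN_PAYLOADS):
            yield category, page["method"], path, {**base_params, name: payload}, dict(base_cookies)
        for category, name, payload in _mutations(page["cookies"], COOKIE_PAYLOADS):
            yield category, page["method"], path, dict(base_params), {**base_cookies, name: payload}
    for probe in DEBUG_PROBES:
        yield "backdoor and debug options", "GET", probe, {}, {}

def count_by_category(app=APP):
    """Number of test requests per attack category."""
    counts = {}
    for category, *_ in generate_requests(app):
        counts[category] = counts.get(category, 0) + 1
    return counts

def to_raw_request(method, path, params, cookies, host="app.example.test"):
    """Render one variant as the HTTP/1.1 message that goes on the wire."""
    body = urlencode(params)
    headers = [f"Host: {host}"]
    if cookies:
        headers.append("Cookie: " + "; ".join(f"{k}={v}" for k, v in cookies.items()))
    if method == "GET":
        target = f"{path}?{body}" if body else path
        return "\r\n".join([f"GET {target} HTTP/1.1", *headers]) + "\r\n\r\n"
    headers += ["Content-Type: application/x-www-form-urlencoded", f"Content-Length: {len(body)}"]
    return "\r\n".join([f"POST {path} HTTP/1.1", *headers]) + "\r\n\r\n" + body

if __name__ == "__main__":
    counts = count_by_category()
    for category, n in counts.items():
        print(f"{n:4d}  {category}")
    print(f"{sum(counts.values()):4d}  total single-input variants")
```

With these deliberately tiny payload lists the model produces 90 requests for three pages. Grow each category's list into the dozens, add encoding variants and mutations of two inputs at once, and a count in the hundreds for an application this small follows quickly, which is the point the review is making about the value of automating the job.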