IBM hopes to change developers' work model
In addition to a range of upgrades made to the AppScan UI, the company is also touting expanded reporting capabilities in the platform, including tools that specifically aim to address compliance regulations, including new guidelines, such as the Family Education Rights and Privacy Act, Freedom of Information and Protection of Privacy Act, and Payment Application Best Practice) section of the PCI data security standard.

Many applications security testing and source code analysis firms are banking on Sections 3 and 6 of the PCI standard -- which require companies to prove that their online transactional systems are secure -- to boost demand for their products in the coming months as 2008 deadlines for those measures approach.

The new version of the product also includes Microsoft Word reporting templates that offer to serve up scan results to users in a familiar format that can also be shared easily with non-technical workers.

"Right now, applications security testing is on a tear. More people than ever are starting to do assessments, and others are already trying to drive testing into their software development lifecycles," said Mike Weider, CTO of Watchfire. "Companies can't scale this type of work with information security teams doing all the testing, and it's cheaper to fix bugs earlier in the development process; it seems like the message we've been pushing is finally getting through."

While IBM has designs on making security testing a core element of development work, Weider said that the shift will take time as workers get used to the idea of securing their code at the same time that they write it.

"This is an evolution that won't happen overnight, but we already see rapid maturation of the model among customers," Weider said. "Some companies are moving the security testing upstream, and even those who are still giving these tools to security teams will push them into development over time, it seems inevitable."

While companies may have balked at spending money on applications scanning tools in the past, compliance regulations like PCI have given IT leaders greater power to advocate for investments in the tools, and IBM believes the trend will only grow over time, he said.

"We see banking and e-commerce companies already being forced by the market to prioritize security testing over adding features to their applications, and PCI has been a significant force behind that change," said Weider. "They are being forced to consider the risks of not engaging in security testing in the software development lifecycle and the risks are becoming too big to ignore, especially with PCI requirements hanging over their heads."