IBM adds to Watchfire tools

The IBM Rational AppScan 7.7 testing platform is the first iteration of Watchfire's flagship app on the Rational platform since IBM acquired Watchfire earlier this year

Sticking to its promise to advance the Web applications security tools acquired via its June 2007 buyout of Watchfire -- even as it works to meld the technology into its Rational software development platform -- IBM announced a new version of the AppScan testing platform on Tuesday.

Renamed as IBM Rational AppScan 7.7, the release marks the debut of the former flagship product of Watchfire now under the auspices of Big Blue.

Among the additions that have been made to the Web applications testing package are new scanning tools, dubbed Scan Expert, meant to allow people with little experience using such products to begin scouring their programs for potential vulnerabilities.

IBM has promised to help affect a significant change among software developers by driving security testing tools like AppScan into more of those users' hands. By making the scans themselves easier to run and understand, the company is already working to fulfill that goal, company officials said.

The product also boasts new testing capabilities meant to help drive out flaws that may exist in so-called Web 2.0 programming methods, including support for Flash and AJAX. Security researchers have pointed to inexperienced coders working with those programming techniques as an emerging source of new vulnerabilities.

A new feature in AppScan labeled as State Inducer claims the ability for developers to test multi-step processes running within individual applications and includes scanning modules tailored to aid people in testing online shopping cart, reservation, and forms systems.

Prior to introduction of the tool, users would be forced to test each component of such programs individually in AppScan. The State Inducer feature specifically offers the ability to automatically learn applications' sequences as it scans them to speed security testing of multi-step functions.

In a nod to an emerging threat model increasingly being utilized by hackers, IBM has added tests to AppScan meant to unearth vulnerabilities that could be targeted in CRSF (cross site request forgery) attacks.

CRSF threats, a cousin of better-known XSS (cross-site scripting) attacks, attempt to fool end-users into loading a Web page that contains a malicious request, much like traditional phishing attacks or XSS threats.

Using the technique, hackers then try to misappropriate victims' identities and privileges to carry out activities like changing their applications passwords to gain entrance to banking sites or to log into e-commerce sites to make fraudulent purchases in their names.

In some cases, the attacks are hidden on the vulnerable sites themselves. CSRF attacks are also known by a number of other names, including XSRF, sea surf, session riding, and hostile linking.

Watchfire officials said that they were compelled to add the feature after observing a growing number of CSRF threats showing up in their research of malware attacks. The company said it has also added a range of tests aimed at emulating other increasingly popular varieties of threats, including those that exploit SSL technologies to deliver their payloads.

IBM hopes to change developers' work model
In addition to a range of upgrades made to the AppScan UI, the company is also touting expanded reporting capabilities in the platform, including tools that specifically aim to address compliance regulations, including new guidelines, such as the Family Education Rights and Privacy Act, Freedom of Information and Protection of Privacy Act, and Payment Application Best Practice) section of the PCI data security standard.

Many applications security testing and source code analysis firms are banking on Sections 3 and 6 of the PCI standard -- which require companies to prove that their online transactional systems are secure -- to boost demand for their products in the coming months as 2008 deadlines for those measures approach.

The new version of the product also includes Microsoft Word reporting templates that offer to serve up scan results to users in a familiar format that can also be shared easily with non-technical workers.

"Right now, applications security testing is on a tear. More people than ever are starting to do assessments, and others are already trying to drive testing into their software development lifecycles," said Mike Weider, CTO of Watchfire. "Companies can't scale this type of work with information security teams doing all the testing, and it's cheaper to fix bugs earlier in the development process; it seems like the message we've been pushing is finally getting through."

While IBM has designs on making security testing a core element of development work, Weider said that the shift will take time as workers get used to the idea of securing their code at the same time that they write it.

"This is an evolution that won't happen overnight, but we already see rapid maturation of the model among customers," Weider said. "Some companies are moving the security testing upstream, and even those who are still giving these tools to security teams will push them into development over time, it seems inevitable."

While companies may have balked at spending money on applications scanning tools in the past, compliance regulations like PCI have given IT leaders greater power to advocate for investments in the tools, and IBM believes the trend will only grow over time, he said.

"We see banking and e-commerce companies already being forced by the market to prioritize security testing over adding features to their applications, and PCI has been a significant force behind that change," said Weider. "They are being forced to consider the risks of not engaging in security testing in the software development lifecycle and the risks are becoming too big to ignore, especially with PCI requirements hanging over their heads."