Sticking to its promise to advance the Web applications security tools acquired via its June 2007 buyout of Watchfire -- even as it works to meld the technology into its Rational software development platform -- IBM announced a new version of the AppScan testing platform on Tuesday.
Renamed as IBM Rational AppScan 7.7, the release marks the debut of the former flagship product of Watchfire now under the auspices of Big Blue.
Among the additions that have been made to the Web applications testing package are new scanning tools, dubbed Scan Expert, meant to allow people with little experience using such products to begin scouring their programs for potential vulnerabilities.
IBM has promised to help affect a significant change among software developers by driving security testing tools like AppScan into more of those users' hands. By making the scans themselves easier to run and understand, the company is already working to fulfill that goal, company officials said.
The product also boasts new testing capabilities meant to help drive out flaws that may exist in so-called Web 2.0 programming methods, including support for Flash and AJAX. Security researchers have pointed to inexperienced coders working with those programming techniques as an emerging source of new vulnerabilities.
A new feature in AppScan labeled as State Inducer claims the ability for developers to test multi-step processes running within individual applications and includes scanning modules tailored to aid people in testing online shopping cart, reservation, and forms systems.
Prior to introduction of the tool, users would be forced to test each component of such programs individually in AppScan. The State Inducer feature specifically offers the ability to automatically learn applications' sequences as it scans them to speed security testing of multi-step functions.
In a nod to an emerging threat model increasingly being utilized by hackers, IBM has added tests to AppScan meant to unearth vulnerabilities that could be targeted in CRSF (cross site request forgery) attacks.
CRSF threats, a cousin of better-known XSS (cross-site scripting) attacks, attempt to fool end-users into loading a Web page that contains a malicious request, much like traditional phishing attacks or XSS threats.
Using the technique, hackers then try to misappropriate victims' identities and privileges to carry out activities like changing their applications passwords to gain entrance to banking sites or to log into e-commerce sites to make fraudulent purchases in their names.
In some cases, the attacks are hidden on the vulnerable sites themselves. CSRF attacks are also known by a number of other names, including XSRF, sea surf, session riding, and hostile linking.
Watchfire officials said that they were compelled to add the feature after observing a growing number of CSRF threats showing up in their research of malware attacks. The company said it has also added a range of tests aimed at emulating other increasingly popular varieties of threats, including those that exploit SSL technologies to deliver their payloads.