Security vendor Watchfire this week plans to take the wraps off a new version of its flagship AppScan vulnerability assessment tool, adding new automated scanning features and the ability to test internal applications.
AppScan 7.0 adds the ability to pinpoint so-called privilege escalation vulnerabilities within applications, which can give unauthorized users access to sensitive data. In an online banking system, for example, this vulnerability can cause a user who logs into their account to be granted access to another user's account, said Mike Weider, CTO of Watchfire, Waltham, Mass.
"It's an information confidentiality issue that we address by ensuring that the right users have the right access to applications," Weider said.
Watchfire traditionally has positioned AppScan as a tool for finding vulnerabilities in public-facing Web sites, but AppScan 7.0 includes automated testing features that make it effective for scanning internal applications as well, Weider said.
AppScan 7.0 also includes automated testing for applications that use two-factor authentication technologies that banking institutions are required to have in place by the end of the year to combat fraud, Weider said. Previously, testing these applications was time-consuming and required human interaction, he added.
In today's regulatory compliance environment, companies have to tighten application security, said Gordon Shevlin, executive vice president of business development at FishNet Security, Kansas City, Mo. "Before it was an afterthought—people knew applications were vulnerable—but now the migration is definitely moving toward locking down applications," he said.
To prevent AppScan 7.0 from being used for nefarious purposes, Watchfire has included policy setting and enforcement tools to limit access to authorized users, Weider said. "AppScan is like a 'hacker in a box', and these tools give companies a way to ensure that it's used appropriately," Weider said.
Being able to set policies and regulate access will be one key to the widespread adoption of AppScan, Shevlin said. "People are starting to understand the power of AppScan in their environments, which means you have to create rules to stop folks from abusing it," he said.
AppScan 7.0 is available now starting at $14,400.