
Watchfire Boosts Web Services Security

By Kevin McLaughlin, CRN
July 17, 2006    4:23 PM ET

Hackers frustrated with improvements in Web application security have begun shifting their attention to Web services, and security vendor Watchfire intends to head them off at the pass.

With Monday's release of AppScan 6.5, Waltham, Mass.-based Watchfire adds Web services vulnerability testing and improved compliance reporting to its flagship application security scanning solution. AppScan 6.5 addresses the trend of attacks targeting the application layer by giving companies a way to test this critical part of the enterprise infrastructure, said Mike Weider, founder and CTO of Watchfire.

Now that companies have learned how to defend their network infrastructure and Web applications, hackers are beginning to target Web services, Weider said. "As people get better at securing Web applications, attackers are looking at the next level down in their search for the easiest way to compromise an application," he said.

Web application testing is usually handled on a user-to-application basis, but testing Web services is a different process that involves monitoring the interactions between applications, Weider said. AppScan 6.5 achieves this through a scanning engine that sends malicious requests to the Web service and monitors the response, he added.

Mike Malin, executive vice president at Mandiant, a New York-based solution provider, says testing Web services is becoming just as important as testing applications. "[The Web Services scanning engine] is a very poignant feature for Watchfire to include and one that highlights how attacks are becoming more sophisticated," said Malin.

In addition to testing applications using signature-based attacks, AppScan 6.5 includes an attack simulation engine that mimics exploits such as SQL injection and cross-site scripting. According to Weider, this method tests the business logic of Web applications, which hackers have targeted in the past to compromise credit card databases and obtain user account information.

"The reason these types of attacks have worked is because application developers never thought someone would try something like that," said Weider.

AppScan 6.5 includes automated penetration testing tools that allow companies to improve security by performing more frequent scans and assessments, said Malin. AppScan's automated authentication testing feature, which uses brute force methods to test the security of usernames and passwords, is particularly useful from a time savings standpoint, Malin added.

In order to help companies meet new Payment Card Industry (PCI) and ISO standard specifications for securing customer data from application-level attacks, Watchfire has added compliance reporting tools to AppScan 6.5. "Although the PCI program is still in progress, Watchfire shows a lot of foresight in addressing the market," said Malin.
