The new release of the company’s product, AppScan 7.0, automates what it calls privilege escalation testing. It’s a test to ensure that, for instance, an employee could not log onto an internal website and access privileges that should normally belong only to his or her boss. Testing this vulnerability typically took up to two or three days when done manually.
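The class of check the article describes, written out as an added example that is not Watchfire's or AppScan's code: a constructed in-memory site with an employee role and a manager role, where one manager-only page is missing its authorization check, and a differential test that crawls as each user and then replays the manager-only pages in the employee's session. All user names, paths and role names are made up for the illustration.

```python
# Constructed stand-in for an internal website with two roles.
ROLES = {"alice": "employee", "bob": "manager"}

# Minimum role each route is supposed to require.
ROUTES = {
    "/dashboard": "employee",
    "/team/reviews": "manager",
    "/payroll": "manager",
}

# Links the site's navigation shows to each role (what an authenticated crawl sees).
NAV = {
    "employee": ["/dashboard"],
    "manager": ["/dashboard", "/team/reviews", "/payroll"],
}


def handle(path, session_user):
    """Constructed request handler; returns (status, body).

    The /payroll route deliberately omits the role check, modelling the
    vertical privilege escalation flaw such a test is meant to catch."""
    if path not in ROUTES:
        return 404, ""
    required = ROUTES[path]
    role = ROLES[session_user]
    if path != "/payroll" and required == "manager" and role != "manager":
        return 403, "forbidden"
    return 200, f"{path} content for {required}s"


def crawl(user):
    """Stand-in for the scanner's authenticated crawl in this user's session."""
    return set(NAV[ROLES[user]])


def find_privilege_escalation(low_user, high_user):
    """Replay pages only the privileged user was offered, using the low-privileged
    session; a 200 with identical content means the server relies on hiding the
    link rather than enforcing the role."""
    candidates = crawl(high_user) - crawl(low_user)
    findings = []
    for path in sorted(candidates):
        hi_status, hi_body = handle(path, high_user)
        lo_status, lo_body = handle(path, low_user)
        if hi_status == 200 and lo_status == 200 and lo_body == hi_body:
            findings.append(path)
    return findings


if __name__ == "__main__":
    print(find_privilege_escalation("alice", "bob"))  # ['/payroll']
```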
Another new feature is two-factor authentication support. This refers to the more complex log-in procedures a site may use, such as those that require a person to type in squiggly letters to prove they are not a robot trying to access the site.
In these cases, AppScan suspends the scan while the secondary authentication is performed, maintaining session state so that when the secondary process is complete, the interaction can pick up where it left off.
One area that the current version does not yet address is Ajax-style rich web clients. Admittedly, this is a challenge for any hacking tool because of the unstructured nature of client-side JavaScript. For now, the tool navigates around Ajax to test back-end vulnerabilities.
Watchfire has also enhanced documentation and root cause analysis capabilities in the new tool, and has added a new reporting console from which you can oversee multiple individual desktop instances of AppScan. The idea is to help website owners make sense of what would otherwise be cryptic test data.
The new console, combined with highlighting functions, provides the ability to drill down and get an English-language explanation of why a given web page or site failed a hacker test. It also provides trend analyses so users can see whether security holes are getting fixed.
AppScan 7.0 will be generally available in late November.