Watchfire is upgrading its application vulnerability-testing software so it's easier for Web software developers to run scans on code and to close security holes.
The new version of AppScan Enterprise reduces the need for an application-security expert to configure the scans performed by the software. Instead, a feature called QuickScan is preconfigured to probe applications for a set of likely vulnerabilities and return results that tell developers how to fix the flaws it finds.
Previously, the software had to be configured by an expert in software security, an area of expertise most software developers lack, the company says. And the results of those scans reported what problems were found, but not what to do about them, Watchfire says.
Now, developers can run the scan and receive specific instructions for removing the vulnerabilities it discovers, the company says. So rather than only reporting that a potential SQL injection flaw exists within certain lines of code, the tool tells the developer which input fields to fix and how.
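To make concrete what "fix certain input fields" means for a SQL injection finding, here is an added example (it is not Watchfire's code or AppScan output; the in-memory database, table and the `login_vulnerable` / `login_fixed` function names are constructed for illustration). It shows a login query that concatenates the username and password fields into SQL, the kind of code a scanner flags, next to the remediation the scan would point the developer at: a parameterised query. The same bypass payload succeeds against the first and fails against the second.

```python
import sqlite3


def make_db():
    # Constructed sample database for the demo (not from the article):
    # one user with a known password, held in memory.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    return conn


def login_vulnerable(conn, username, password):
    # The flagged pattern: request input pasted straight into the SQL text.
    # A quote character in either field changes the structure of the query.
    query = (
        "SELECT COUNT(*) FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return conn.execute(query).fetchone()[0] > 0


def login_fixed(conn, username, password):
    # The fix for those input fields: bind the values as parameters, so the
    # database driver treats them as data and never as SQL syntax.
    query = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()[0] > 0


def demo():
    # Runs a legitimate login and a classic bypass payload through both
    # versions and returns the outcomes so they can be compared.
    conn = make_db()
    payload = "' OR '1'='1"  # turns the WHERE clause into ... OR '1'='1'
    return {
        "vuln_valid": login_vulnerable(conn, "alice", "s3cret"),
        "vuln_injected": login_vulnerable(conn, "alice", payload),
        "fixed_valid": login_fixed(conn, "alice", "s3cret"),
        "fixed_injected": login_fixed(conn, "alice", payload),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {'login OK' if result else 'login rejected'}")
```

With the payload in the password field, the concatenated query becomes `... AND password = '' OR '1'='1'`, which is true for every row, so the vulnerable version accepts the login; the parameterised version compares the literal string and rejects it. The instruction a developer needs is therefore about the input field and the query that consumes it, not just the line number where the string is built.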
Watchfire competes most closely with Finjan, SPI Dynamics and Whitehat Security.
Watchfire is also removing the need for a separate AppScan client on user machines, opting for a Web interface instead. This makes it unnecessary for developers to learn how to use another client, and reduces the load on desktop administrators who would have to otherwise install and maintain the clients, Watchfire says.
Removing the client from developers' desktops also reduces the number of people with access to the software, which in the wrong hands can be used as a hacking tool, the company says.
Watchfire is also introducing an education program for application developers to train them to write more secure software. Called Computer Based Training, the program is designed to give non-security professionals a grounding in application security and best practices.
The training is provided within AppScan Enterprise 5 software, and includes a dashboard that tallies what courses each worker on a development team has completed, giving supervisors a way to track training.
Watchfire is integrating AppScan with Fortify Software's Source Code Analysis suite, a static analysis tool that examines the Web application's source code for vulnerabilities. This differs from AppScan, which tests the running application the way an attacker with no knowledge of the code would. The upgrade enables automatic correlation of Fortify results that uncover source code problems with the vulnerabilities AppScan confirms in the running application.
Pricing for AppScan Enterprise server depends on the number of users. A license for five users costs US$85,000.