Web services security and compliance with the Payment Card
Industry (PCI) Data Security Standards are top-of-mind customer
concerns that the latest version of Watchfire's AppScan Web
application vulnerability assessment software aims to address.
Announced today, version 6.5 of AppScan and AppScan Developer
Edition (DE) offers expanded security auditing coverage with
integrated Web services scanning, as well as new compliance reports
for PCI and the
ISO 17799 and 27001 standards. The scanning
tool also includes new advanced testing features designed to
help auditors and penetration testers.
"We see Web services as the next battlefront after the easy
applications are locked down," said Michael Weider, CTO of
Watchfire Corp., in Waltham, Mass.
Now that organizations are moving from proof of concept to
larger-scale deployment of Web services, "there has been an
increase in questions and attention we've been getting from
customers with respect to Web services security," Weider said. "We
will see increasing cases of security issues and Web services."
With all the protections organizations have put into place
around the network, it's getting harder to compromise the network,
Weider said, so hackers are now looking to the Web sites themselves
and the Web applications. Once Web applications are shored up, he
said, "hackers will shift toward the next frontier—Web services
vulnerability."
And compliance with the
WS-Security standard will not be enough,
Weider said. "It's a starting point. It just means the Web
service does what it's supposed to do, but innovative attacks
can compromise Web services into doing what they're not supposed
to do, and [hackers are] thinking of use cases that nobody
would've thought of. This won't be solved by complying with the
[WS-Security] standard."
"Since Web services involve machine-to-machine communications,
it is very important to make sure that the operations associated
with the Web services are correct," said Charles Kolodgy, a
research director for the security products service at
International Data Corp. (IDC) in Framingham, Mass. "Even if you
build to WS-Security you will need to validate that it has been
done correctly."
AppScan 6.5 delivers a Web Services Explorer that lets users
examine the different methods incorporated in the Web service,
manipulate input data and examine feedback from the service.
AppScan analyzes the WSDL file and simulates
application-to-application interactions. It provides a range of
SOAP tests and also supports JavaScript execution and parsing, as
well as Flash parsing.
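The first thing a Web services explorer does with a WSDL is work out which operations the service exposes and what input each one accepts, so an auditor knows where data can be injected. The following added example (not Watchfire or AppScan code) resolves each portType operation through its message and part to the schema element that carries the request and lists the field names and XSD types. The WSDL it parses is constructed for illustration and describes a hypothetical "OrderService" in a made-up namespace.

```python
"""Enumerate the operations in a WSDL document and the input fields each
one accepts: the starting inventory for auditing a SOAP service.

Added example; not Watchfire/AppScan code. SAMPLE_WSDL below is
constructed and describes a hypothetical OrderService.
"""
import xml.etree.ElementTree as ET

NS = {
    "wsdl": "http://schemas.xmlsoap.org/wsdl/",
    "xsd": "http://www.w3.org/2001/XMLSchema",
}

# Constructed WSDL (hypothetical service, hypothetical namespace).
SAMPLE_WSDL = """<definitions name="OrderService"
    targetNamespace="http://example.invalid/orders"
    xmlns="http://schemas.xmlsoap.org/wsdl/"
    xmlns:tns="http://example.invalid/orders"
    xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <types>
    <xsd:schema targetNamespace="http://example.invalid/orders">
      <xsd:element name="GetOrder">
        <xsd:complexType><xsd:sequence>
          <xsd:element name="orderId" type="xsd:string"/>
          <xsd:element name="customerId" type="xsd:int"/>
        </xsd:sequence></xsd:complexType>
      </xsd:element>
      <xsd:element name="GetOrderResponse">
        <xsd:complexType><xsd:sequence>
          <xsd:element name="status" type="xsd:string"/>
        </xsd:sequence></xsd:complexType>
      </xsd:element>
      <xsd:element name="CancelOrder">
        <xsd:complexType><xsd:sequence>
          <xsd:element name="orderId" type="xsd:string"/>
        </xsd:sequence></xsd:complexType>
      </xsd:element>
    </xsd:schema>
  </types>
  <message name="GetOrderIn"><part name="body" element="tns:GetOrder"/></message>
  <message name="GetOrderOut"><part name="body" element="tns:GetOrderResponse"/></message>
  <message name="CancelOrderIn"><part name="body" element="tns:CancelOrder"/></message>
  <portType name="OrderPortType">
    <operation name="GetOrder">
      <input message="tns:GetOrderIn"/>
      <output message="tns:GetOrderOut"/>
    </operation>
    <operation name="CancelOrder">
      <input message="tns:CancelOrderIn"/>
    </operation>
  </portType>
</definitions>
"""


def _local(qname):
    """Strip the 'prefix:' from a QName such as 'tns:GetOrder'."""
    return qname.split(":", 1)[-1]


def enumerate_operations(wsdl_text):
    """Return {operation_name: [(field_name, xsd_type), ...]} for every
    portType operation, resolved message -> part -> schema element."""
    root = ET.fromstring(wsdl_text)

    # Top-level schema element name -> list of (child field name, type).
    elements = {}
    for el in root.findall(".//xsd:schema/xsd:element", NS):
        fields = [
            (f.get("name"), _local(f.get("type", "")))
            for f in el.findall(".//xsd:element", NS)
        ]
        elements[el.get("name")] = fields

    # Message name -> schema element it carries (single-part messages).
    messages = {}
    for msg in root.findall("wsdl:message", NS):
        part = msg.find("wsdl:part", NS)
        if part is not None and part.get("element"):
            messages[msg.get("name")] = _local(part.get("element"))

    ops = {}
    for op in root.findall("wsdl:portType/wsdl:operation", NS):
        inp = op.find("wsdl:input", NS)
        fields = []
        if inp is not None:
            element_name = messages.get(_local(inp.get("message", "")))
            fields = elements.get(element_name, [])
        ops[op.get("name")] = fields
    return ops


if __name__ == "__main__":
    for name, fields in enumerate_operations(SAMPLE_WSDL).items():
        params = ", ".join(f"{n}:{t}" for n, t in fields) or "(no input)"
        print(f"{name}({params})")
```

Only document/literal style with single-part messages is handled here; RPC-style WSDLs declare parts with a `type` attribute instead of `element`, and a real scanner would also follow the binding and service sections to find the endpoint URL.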
Weider said Web services face a lot of the same vulnerabilities
as Web applications, such as
SQL injection, but up to this point Web
services scanning has been "underfocused on." However, he added,
"with the growth of more people interacting with Web services
applications and trading partners, it's most risky where you put
the Web service out on the Internet and allow people to freely
use it."
At the same time that Web services are gaining momentum, the
credit card industry has been increasing its focus on application
security with the PCI standard. "PCI has had a huge impact on the
security industry. It's a recognition that application security is
one of the biggest security issues facing anyone collecting credit card
information online," Weider said. "It's definitely having a big
impact on the vendor community in terms of growing attention to
security issues and automated tools to help with
vulnerabilities."
Consequently, organizations have been looking for help from
vendors like Watchfire, particularly with Section 6 of the
requirements which deals with developing and maintaining secure
systems and applications, Weider said.
Auditors and penetration testers also need more advanced
automated tools for their jobs, Weider said, so AppScan 6.5 also
includes a Token Analyzer that provides various tests for Web
application session tokens to determine how secure the application
is against
session theft. And AppScan's new
Authentication Tester is a
brute force testing utility that detects
weak username-password combinations that could be used to gain
access to a Web application.
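The Token Analyzer described above judges whether a site's session tokens could be guessed rather than stolen. The checks a defender would run on a sample of their own tokens are: which character positions never change, how much entropy the varying positions carry, and whether consecutive tokens move by small steps when read as a number (a counter or timestamp). This added example (not Watchfire or AppScan code) implements those three checks. Both token sets are constructed: `WEAK_TOKENS` imitate a fixed prefix plus a counter, and `STRONG_TOKENS` come from a seeded PRNG purely so the sample is reproducible; they stand in for CSPRNG output and are not a way to generate real tokens.

```python
"""Score a sample of session tokens for predictability: constant
positions, per-position Shannon entropy, and numeric step size between
consecutive tokens.

Added example; not Watchfire/AppScan code. Both token sets are
constructed for illustration.
"""
import math
import random
from collections import Counter

# Constructed: fixed prefix followed by an incrementing counter.
WEAK_TOKENS = [f"SESS{1000 + i:08d}" for i in range(40)]

# Constructed: 128-bit hex tokens from a seeded PRNG, used only so the
# sample is reproducible; a real application must use a CSPRNG.
_rng = random.Random(20240101)
STRONG_TOKENS = [f"{_rng.getrandbits(128):032x}" for _ in range(40)]


def _width(tokens):
    return min(len(t) for t in tokens)


def position_entropy(tokens):
    """Shannon entropy (bits) of the symbol seen at each position."""
    n = len(tokens)
    per_pos = []
    for i in range(_width(tokens)):
        counts = Counter(t[i] for t in tokens)
        per_pos.append(-sum(c / n * math.log2(c / n) for c in counts.values()))
    return per_pos


def constant_positions(tokens):
    """Indexes of positions whose character never changes in the sample."""
    return [i for i in range(_width(tokens))
            if len({t[i] for t in tokens}) == 1]


def numeric_step_sizes(tokens):
    """Absolute differences between consecutive tokens when the varying
    characters are read as a hex number; None if they are not numeric."""
    const = set(constant_positions(tokens))
    values = []
    for t in tokens:
        varying = "".join(t[i] for i in range(_width(tokens)) if i not in const)
        try:
            values.append(int(varying, 16))
        except ValueError:
            return None
    return [abs(b - a) for a, b in zip(values, values[1:])]


def assess(tokens, min_bits=64.0):
    """Summarise the sample. 'estimated_bits' sums per-position entropy,
    which is an upper bound on the real entropy, so a low value is
    conclusive while a high value only says nothing obvious was found."""
    total_bits = sum(position_entropy(tokens))
    steps = numeric_step_sizes(tokens)
    median_step = None
    if steps:
        ordered = sorted(steps)
        median_step = ordered[len(ordered) // 2]
    sequential = median_step is not None and median_step < 256
    return {
        "length": _width(tokens),
        "constant_positions": constant_positions(tokens),
        "estimated_bits": round(total_bits, 1),
        "median_step": median_step,
        "sequential": sequential,
        "weak": sequential or total_bits < min_bits,
    }


if __name__ == "__main__":
    for label, sample in (("weak", WEAK_TOKENS), ("strong", STRONG_TOKENS)):
        print(label, assess(sample))
```

Forty tokens is enough to expose a counter or a constant prefix but far too few to certify randomness; the entropy figure can never exceed log2 of the sample size per position, so treat a passing result as "no obvious defect" rather than proof of a strong generator.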
Application vulnerability assessment tools like AppScan are part
of a broader security vulnerability management (SVM) software
market that is projected to grow from $1.37 billion in 2005 to
$3.10 billion in 2009, according to IDC. Within this market, the
application vulnerability assessment subcategory represented $61.4
million in 2005 and is projected to reach $145.3 million by 2009,
with a compound annual growth rate of 25%. Currently, Watchfire
holds a 26.7 percent worldwide market share in application
vulnerability assessment software, according to IDC.
AppScan 6.5 is available now, with pricing starting at $15,000
per license and $1,500 per license for the Developer Edition.
This article originally appeared on
SearchAppSecurity.com.