Tuesday, January 20, 2009

IBM Rational AppScan 7.7

IBM Rational AppScan is a leading suite of automated Web application security and compliance assessment tools that scan for common application vulnerabilities, generate actionable reports, and help manage regulatory and standards compliance in online environments. These products are designed for the broadest range of users—from non-security professionals to advanced power users who can utilize the added tools and extensions to create a customized scanning environment.

Where does IBM Rational AppScan come from?
Formerly a product of Watchfire Corporation, before its acquisition by IBM in July 2007.

  • This scanner comes in three different editions:

    1. Standard Edition
      • Targeted at standalone usage scenarios.
      • Black-box testing tool (does not require source code, but requires a running system).
      • Independent of the underlying implementation technology.
      • Works by crawling an entire website (link depth and link types are configurable) after being given a root URL.
      • Suggests common fixes when vulnerabilities are found but cannot automatically fix them (obviously, since it has no knowledge of or access to the underlying code).
      • Cannot detect threats on pages that are not explicitly defined in the test, are not linked from elsewhere in the website, or reside in directories that do not allow listing.
      • Supports legal and regulatory compliance by scanning against well-known policies (e.g. Sarbanes-Oxley, HIPAA, PCI Data Security Standard, OWASP Top Ten) and generating the necessary reports.
      • Requires regular updates to keep up with the latest threat signatures (like anti-virus software).
      • Must run the full suite of tests after an update, as the tool is unable to determine the delta.
      • Includes a whole bunch of advanced tools for penetration testers.
      • Supports only the Windows platform for running the tool.

    2. Tester Edition
      • Targeted at usage as part of the Quality Assurance process.
      • Contains the same features as the Standard Edition plus the following:
      • Automatic test creation, modification and maintenance capabilities to enable testing and remediation.

    3. Enterprise Edition
      • Targeted at multi-user environments.
      • Contains the same features as the Standard Edition plus the following:
      • Centralized test management and reporting, and remote scanning administration.
      • Continuous monitoring and aggregation of metrics to ensure remediation and trend improvement over time.
      • Sophisticated dashboards and flexible reporting views to provide enterprise-wide visibility of risks and remediation progress.
      • Web-based access for users.
      • Supports only the Windows platform for server components.
  • New in version 7.7:
    4. New eXtensions have been added, including Scan Expert Extensions, an eXtensible Panel in the Main Window, and saving manually found issues.
    5. IBM Rational AppScan's scan configuration has been re-architected for improved flow efficiency.
    6. The product has 44 out-of-the-box compliance reports. New reports include the Family Educational Rights and Privacy Act (FERPA), the Freedom of Information and Protection of Privacy Act (FIPPA) and Payment Application Best Practices (PABP).
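The Standard Edition bullets describe a crawler-driven black-box scanner and its main blind spot: it only tests what it can reach by following links from the root URL within the configured link depth and link types, so orphan pages and non-listable directories stay out of scope. The Python sketch below is an added illustration, not AppScan code, of that coverage model. It uses a constructed in-memory site map (fictional example.com paths, including a deliberately unlinked report page) in place of real HTTP requests, and reports which pages a depth- and type-limited crawl never reaches.

```python
"""Depth-limited crawl over a constructed in-memory site map.

Added illustration (not AppScan code): shows why a crawler-driven scanner
only tests pages linked from the root within the configured link depth and
link types, and why unlinked pages stay out of scope.
"""
from collections import deque
from urllib.parse import urljoin, urlparse

# Constructed sample site: each path maps to the links found on that page.
# "/reports/2008-q4.html" exists on the server but has no inbound link
# (it stands in for an orphan page or a file in a non-listable directory).
SITE = {
    "/": ["/about.html", "/products/", "http://cdn.example.net/lib.js"],
    "/about.html": ["/", "/contact.html"],
    "/products/": ["/products/a.html", "/products/b.html"],
    "/products/a.html": ["/products/detail/a1.html"],
    "/products/b.html": [],
    "/products/detail/a1.html": ["/products/detail/a1-spec.pdf"],
    "/products/detail/a1-spec.pdf": [],
    "/contact.html": [],
    "/reports/2008-q4.html": [],
}
ROOT = "http://www.example.com/"  # constructed root URL


def fetch_links(url):
    """Stand-in for an HTTP GET: return the absolute links on a page from
    SITE, or None if the page does not exist (a 404 in a real crawl)."""
    path = urlparse(url).path or "/"
    if path not in SITE:
        return None
    return [urljoin(url, link) for link in SITE[path]]


def crawl(root, max_depth, allowed_exts=(".html", "/")):
    """Breadth-first crawl from root.

    Follows only same-host links whose path ends in one of allowed_exts (the
    'link type' setting) and stops following links max_depth hops from the
    root (the 'link depth' setting). Returns {url: depth} for every page
    fetched; the root is depth 0.
    """
    host = urlparse(root).netloc
    seen = {root: 0}
    queue = deque([root])
    while queue:
        url = queue.popleft()
        depth = seen[url]
        links = fetch_links(url)
        if links is None or depth >= max_depth:
            continue  # missing page, or depth budget exhausted
        for link in links:
            parsed = urlparse(link)
            if parsed.netloc != host:
                continue  # out-of-scope host (e.g. a CDN)
            if not parsed.path.endswith(allowed_exts):
                continue  # link type not configured for crawling
            if link not in seen:
                seen[link] = depth + 1
                queue.append(link)
    return seen


def coverage_gap(root, max_depth, allowed_exts=(".html", "/")):
    """Paths that exist in SITE but the crawl never fetched, i.e. content
    the scanner would never test with this configuration."""
    reached = {urlparse(u).path for u in crawl(root, max_depth, allowed_exts)}
    return sorted(set(SITE) - reached)


if __name__ == "__main__":
    for depth in (1, 10):
        print(f"link depth {depth}: untested paths {coverage_gap(ROOT, depth)}")
    print("depth 10 incl. .pdf:", coverage_gap(ROOT, 10, (".html", "/", ".pdf")))
```

Raising the link depth and widening the allowed link types shrinks the gap, but the unlinked report page is never reached however the crawl is configured; the only way to get it tested is to add it to the scan explicitly, which is the "pages not explicitly defined in the test" caveat above.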
For more information: http://www.ibm.com/software/awdtools/appscan/
