IBM Adds CSRF Scanning to Watchfire Tool

AppScan Standard Edition 7.7 is designed for QA and IT pros as well as security experts, and tests for cross-site request forgery bugs

Dark Reading logo in a gray background | Dark Reading

IBM today will release a new version of the Watchfire AppScan vulnerability scanning tool that can test for the pervasive cross-site request forgery (CSRF) vulnerability found in many Web applications. (See CSRF Vulnerability: A 'Sleeping Giant'.)

The Rational AppScan Standard Edition 7.7 represents the first new release of the Web app security scanning tool since IBM acquired Watchfire in July. (See IBM to Enter Web App Security.) It's been a big month for IBM in security -- the company rocked the industry last week with an announcement that it will invest a whopping $1.5 billion in security next year (See IBM Launches $1.5B Security Initiative.)

The AppScan vulnerability scanner -- which finds and reports on Web application security vulnerabilities -- is also now aimed at non-security experts as well. "In the past, our audience has been only security experts, but we're seeing application security become a more mainstream issue," says Mike Weider, CTO and director of R&D for Watchfire, an IBM company. "The QA [quality assurance] engineer is not only doing functional testing, but also doing security testing as well."

AppScan comes with several built-in features aimed at making it easier to use for non-security pros, with more user-friendly reporting features, as well as built-in, Web-based app security training and courseware. The new State Inducer feature, for instance, helps testers automatically scan applications that have multi-step processes, such as an online ordering app with shopping cart and checkout features. Security pros previously have had to manually test each of these processes, according to IBM.

CSRF, meanwhile, is considered a sleeping giant of a flaw that could cause big problems for Websites. "Most tools can test for cross-site scripting, but sites that are vulnerable to CSRF, but not XSS, have been difficult to test," Weider says. "CSRF is just as pervasive as cross-site scripting, and it's only a matter of time before it gets more broadly exploited."

Weider predicts that as companies start closing their XSS and SQL injection holes, CSRF will become a more popular attack vector on Websites. And testing and fixing XSS holes doesn't necessarily fix CSRF, he says, although the two often go hand-in-hand.

But some security experts are skeptical about searching for CSRF bugs using tools alone. "I'm very excited to hear that IBM is taking CSRF seriously, but I remain cautiously realistic about AppScan's ability to automatically detect CSRF vulnerabilities," says Chris Shiflett, principal with OmniTI, which provides Web app security services to its clients. "It's difficult, if not impossible, to accurately detect CSRF vulnerabilities without human interpretation."

Next for IBM's AppScan tool is scanning for vulnerabilities in "packaged applications" such as PeopleSoft and SAP, Weider says, and even Z Series-based legacy applications being transformed with Web front-ends, he says. "There are all sorts of new technologies for us to support from a scanning" standpoint, he says.

"We're also seeing a lot of interest in integrating our solutions more tightly with other security solutions," he says. IBM Rational AppScan will be available on November 19, and pricing starts at $14,400.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

About the Author

Kelly Jackson Higgins, Editor-in-Chief, Dark Reading

Kelly Jackson Higgins is the Editor-in-Chief of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, Virginia Business magazine, and other major media properties. Jackson Higgins was recently selected as one of the Top 10 Cybersecurity Journalists in the US, and named as one of Folio's 2019 Top Women in Media. She began her career as a sports writer in the Washington, DC metropolitan area, and earned her BA at William & Mary. Follow her on Twitter @kjhiggins.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights