Sunday, April 11, 2021

IBM on Fire

Five months after being acquired by
IBM, Watchfire is out with its latest release of its security scanning
product AppScan.

With the release, Watchfire will try to prove that it can integrate with IBM’s Rational product line and that it can also still continue to stand on its own.

“Application security needs to be part of the software process and that was
the impetus for IBM buying us,” Mike Weider, CTO of Watchfire, told
InternetNews.com. “Part of our vision is to create an end to end
solution for application security from the early days of development to full
deployment and monitoring.”

While integration with IBM Rational development product portfolio is
ongoing, Weider noted that it’s also important that Watchfire continues to
service standalone customers that aren’t using IBM’s other tools.

That’s what the AppScan 7.7 release is all about. The new AppScan includes a more
robust scanning engine that can identify more vulnerabilities, no matter
where they sit in the business applications process.

Weider explained that the state inducer technology in AppScan 7.7 is
designed to make sure AppScan properly scans a business process in the right
order. For example, you can’t test checkout in an e-commerce application
until you’ve got something in the cart.

Weider admitted that in the past
that had been a challenge for AppScan, but now the software will now scan
applications in the right order. The AppScan 7.7 release also takes aim at a particularly dangerous type of vulnerability that often has been misunderstood.

“There is a new vulnerability that we’ve been tracking called cross site
request forgery. It’s a close cousin of XSS, which is the number one
vulnerability on the Internet,” Weider said. “Cross Site Request Forgery is
really about tricking a user to make requests to a third party without
realizing they’re doing it.”

For example, Weider explained that a user could browse to a website with a
malicious payload. That payload would make a request in the background that
wasn’t authorized. It sounds a bit like Cross Site Scripting, but is its own
unique vulnerability that hasn’t properly been identified in the past.

“The confusion about it is that all sites that all sites that are vulnerable
to cross site scripting will also be vulnerable to Cross Site Request
Forgery, but the reverse isn’t true,” Weider noted.

“Even though you may not be at risk for XSS, you could be at risk for forgery. In the past we’ve had robust tests for cross site scripting and in that regard we’d
catch forgery vulnerabilities. But we would not have caught forgery where
there is no cross site scripting vulnerability and that’s the new capability
we’ve added.”

With the AppScan 7.7 release, there is actually one item that is being
removed from the product – namely the Watchfire name itself.

“The AppScan brand will remain as the product name but the Watchfire name is
being slowly transitioned out,” Weider admitted. “We’re being integrated
into the IBM Rational software brand.”

This article was first published on InternetNews.com. To read the full article, click here.

Similar articles

Latest Articles

The Conversational AI Revolution:...

One of the things I’m looking forward to seeing at next week’s NVIDIA GTC event is an update on their Conversational AI efforts. I’m fascinated...

Edge Computing

Edge computing is a broad term that refers to a highly distributed computing framework that moves compute and storage resources closer to the exact...

Data-Driven Decision Making: Top...

The phrase data-driven decision making – certainly popular in the field of data analytics – may seem redundant. After all, nearly everything is driven...

Top Performing Artificial Intelligence...

As artificial intelligence has become a growing force in business, today’s top AI companies are leaders in this emerging technology. Often leveraging cloud computing and...