I usually don't tend to blog about our product releases, but yesterday we launched the official new version of IBM Rational AppScan Standard Edition (version 7.8), which includes some capabilities that I believe are worth blogging about.
Here's a short list of the interesting new features and capabilities:
- Flash Execution & Testing: AppScan now automatically crawls Flash applications to reveal web application vulnerabilities, including vulnerabilities unique to Flash such as XSS in Flash, Phishing through Flash (Redirections), Cross Site Flashing, Insecure Direct Object Reference, Over-permissive Flash Sandbox, and Over-permissive crossdomain.xml files.
- AMF Parsing & Testing: On the same subject of Flash testing, AppScan is now capable of parsing and analyzing AMF communications between Flash applications and their back-end server side application.
- Content-based Application Mapping: many modern web applications (especially those designed with the MVC paradigm) make use of a single URL and serve content based upon different parameters. In such scenarios, it is meaningless to report vulnerabilities per URL. AppScan 7.8 allows you to create or modify the application tree by defining the criteria by which AppScan assigns content elements to the application tree. This gives a clearer and more realistic view of the results.
- Support for widget-based and Mashup sites: The new Content-Based configuration (see previous item) view lets you define the structure of widget-based and Mashup sites and display their structure logically.
- WebSphere Portal support: a dedicated template for WebSphere Portal applications incorporating a WebSphere Portal Test Policy and other configurations designed to increase performance and accuracy. The same capability can be adjusted for other Java Portlet-based web applications.
- Improved Web services support: The new GSC utility replaces "Web Services Explorer" (a WSDL analyzer that generates SOAP traffic) to provide improved Web Services scanning, including support for MIME attachments, WS encryption and WS signatures. This means you can now test SOAP Web Services that make use of WS-Security standards.
- IPv6 Support: no need to explain
- CVSS-based Severity Reporting & Configuration: AppScan is now capable of reporting vulnerability severity using CVSS. In addition, users can modify the CVSS settings as they wish in order to create more accurate reports.
These are just some of the major improvements and new features in AppScan Standard Edition v7.8.
You can download a trial version of AppScan here.
BTW - for those of you who haven't been following our recent product announcements, we also recently shipped AppScan Developer Edition, which includes Static Analysis of Java applications (more languages to follow), in conjunction with Dynamic (Blackbox) and Runtime Analysis. This composite type of analysis enables developers to get a full view of the vulnerabilities, both from the web front-end point of view and at the source code level, in a correlated manner.