Once again, AppScan has proven to be the leading web application security testing tool, in a recent benchmark of over 60 commercial and open-source tools published by Shay Chen.
Figure: Attack vector comparison (taken from the WAVSEP benchmark review)
The benchmark covered several categories aimed at helping you choose the right web application scanner. A few of the more important categories are the input vectors a scanner is capable of attacking, the attack vectors actually used against the site, and the coverage features included in order to successfully crawl and scan the web application.
This is the second year in a row that AppScan has come out on top, and we are of course very excited, though not surprised given AppScan's track record.
Figure: Input vector comparison (taken from the WAVSEP benchmark review)
This year's benchmark included new attack "traps" for scanners in the form of Reflected XSS, SQL Injection, Remote and Local File Inclusion, and XSS via RFI. Where some scanners stumbled, AppScan feared not and overcame the obstacles put in its way.
AppScan gave the Reflected XSS tests a run for their money, with 100% detection and 0% false positives!
While we're on the subject, we can safely hint that we have a few more tricks up our sleeve coming your way, so stay tuned!
As for SQL Injection, AppScan did an amazing job as well, with 100% detection (136 out of 136 issues), but with 3 false positives. This is, of course, something that our Security Team will be working on fixing and rolling out an update for.
The WAVSEP benchmark is a personal favorite of mine, and I must commend Shay for doing such a great job across the board. I highly recommend a good read of Shay's blog post about the benchmark, as well as the summarized site.
On a side note, this benchmark didn't include Glass Box testing (IAST), an integral feature of AppScan that opens up a world of capabilities in web application security scanning. I hope to see Glass Box testing targeted in future benchmarks.
For in-depth reading about the benchmark: