IBM (NYSE: IBM) today introduced new software to help customers protect their business from today's most advanced and complex web application security attacks. The first release of IBM Rational AppScan, a market-leading web application security technology acquired by IBM from Watchfire in July 2007, is a key part of IBM's software portfolio that helps ensure high-quality applications are delivered to the marketplace.
Web applications are high value targets for hackers, yet many organizations have a difficult time tackling security due, in part, to a lack of application security knowledge and the size and complexity of today's websites that incorporate the latest in Web 2.0 technology. Businesses need automated solutions capable of identifying and protecting applications from these weaknesses. IBM Rational AppScan identifies, validates and reports on application security vulnerabilities and with this new version, introduces new features and reporting methods for security auditors while enabling a broader pool of IT roles to participate in and drive critical web application security testing.
Traditionally, testers, developers, and IT professionals have lacked the specific security knowledge needed to run scans effectively. New capabilities in IBM Rational AppScan, such as Scan Expert and State Inducer, broaden the availability of this critical function so that IT personnel, software developers and testers can run successful scans, while also adding new features to assist security professionals.
- Scan Expert packages the best practices of an expert such as automatically profiling an application and providing the best test configuration for a successful scan. This enables more successful scanning for users with little IBM Rational AppScan or web application security experience, while improving efficiency for more knowledgeable security experts. 
- Furthering its leadership in support of complex Web 2.0 technologies, which includes support for Ajax and Flash, the new State Inducer feature introduces accurate assessment of multi-step processes within applications. These include adding to a shopping cart and checking out, filling in multiple forms while applying for a loan, or booking an airline reservation. Until now, users had to test each of these areas of the application manually. With State Inducer, IBM Rational AppScan can learn these sequences and ensure they are accurately assessed for security issues, which further automates and simplifies the testing process and saves time. 
- Cross-site request forgery (CSRF) is an attack in which a malicious web site causes a victim's browser to send a request to another site where the victim is already authenticated; because the browser attaches the victim's session cookies automatically, the target site performs a state-changing action (such as a transfer or a settings change) that the victim never intended. IBM Rational AppScan identifies areas of a web site where businesses would be susceptible to cross-site request forgery. 
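To make the CSRF point above concrete, the following is an added example written for this page; it is not IBM code and not part of the original announcement. It models a hypothetical bank site (bank.example) with a /transfer endpoint, shows a forged POST that a page on evil.example could auto-submit from the victim's browser, and contrasts a handler that trusts the session cookie alone with one hardened by a per-session synchronizer token and an Origin check. The session ids, account names, amounts and request text are all constructed for the demonstration.

```python
import hmac
import secrets
from http.cookies import SimpleCookie
from urllib.parse import parse_qs

SITE_ORIGIN = "https://bank.example"   # hypothetical site under test

# Constructed in-memory state: one logged-in victim session and two accounts.
SESSIONS = {}
BALANCES = {}

def reset_state():
    SESSIONS.clear()
    SESSIONS["sess-alice"] = {"user": "alice", "csrf": None}
    BALANCES.clear()
    BALANCES.update({"alice": 100, "mallory": 0})

def parse_request(raw):
    """Split a minimal HTTP/1.1 request into method, path, headers, body."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body

def session_from(headers):
    """Look up the session named by the 'sid' cookie, as the browser sends it."""
    jar = SimpleCookie(headers.get("cookie", ""))
    sid = jar["sid"].value if "sid" in jar else None
    return SESSIONS.get(sid)

def issue_csrf_token(sid):
    """Synchronizer token: unguessable, bound to the session, embedded in the real form."""
    token = secrets.token_urlsafe(32)
    SESSIONS[sid]["csrf"] = token
    return token

def apply_transfer(sess, form):
    to = form.get("to", [""])[0]
    amount = int(form.get("amount", ["0"])[0])
    if to not in BALANCES or amount <= 0 or BALANCES[sess["user"]] < amount:
        return 400, "rejected"
    BALANCES[sess["user"]] -= amount
    BALANCES[to] += amount
    return 200, "transferred"

def transfer_vulnerable(raw):
    """State-changing POST authenticated by the session cookie alone. Anything the
    victim's browser sends with that cookie is honoured, including a form
    auto-submitted from an attacker's page."""
    method, path, headers, body = parse_request(raw)
    sess = session_from(headers)
    if method != "POST" or path != "/transfer" or sess is None:
        return 403, "forbidden"
    return apply_transfer(sess, parse_qs(body))

def transfer_hardened(raw):
    """Same handler with two checks: when the browser sends an Origin header it
    must name our own site, and the form must carry the per-session token. The
    attacker's page cannot read that token (same-origin policy), so a forged
    request is refused even when no Origin header is present."""
    method, path, headers, body = parse_request(raw)
    sess = session_from(headers)
    if method != "POST" or path != "/transfer" or sess is None:
        return 403, "forbidden"
    origin = headers.get("origin")
    if origin is not None and origin != SITE_ORIGIN:
        return 403, "cross-origin request refused"
    form = parse_qs(body)
    submitted = form.get("csrf", [""])[0]
    expected = sess["csrf"] or ""
    if not expected or not hmac.compare_digest(submitted.encode(), expected.encode()):
        return 403, "missing or invalid csrf token"
    return apply_transfer(sess, form)

def build_post(body, origin=None):
    """Constructed request as the victim's browser would emit it: the bank's
    session cookie is attached regardless of which page submitted the form."""
    lines = ["POST /transfer HTTP/1.1", "Host: bank.example", "Cookie: sid=sess-alice",
             "Content-Type: application/x-www-form-urlencoded", f"Content-Length: {len(body)}"]
    if origin is not None:
        lines.insert(2, f"Origin: {origin}")
    return "\r\n".join(lines) + "\r\n\r\n" + body

def forged_request(amount, origin="https://evil.example"):
    """Hidden form on the attacker's page, auto-submitted by script; carries no token."""
    return build_post(f"to=mallory&amount={amount}", origin)

def legitimate_request(amount, token):
    """The bank's own form, which embeds the session's token as a hidden field."""
    return build_post(f"to=mallory&amount={amount}&csrf={token}", SITE_ORIGIN)

def run_scenario():
    """Returns the status of each request plus the final balances."""
    reset_state()
    vuln_status, _ = transfer_vulnerable(forged_request(40))            # 200: money moved
    reset_state()
    forged_origin, _ = transfer_hardened(forged_request(40))            # 403: wrong Origin
    forged_no_origin, _ = transfer_hardened(forged_request(40, None))   # 403: no token
    token = issue_csrf_token("sess-alice")
    legit_status, _ = transfer_hardened(legitimate_request(25, token))  # 200: token matches
    return vuln_status, forged_origin, forged_no_origin, legit_status, dict(BALANCES)

if __name__ == "__main__":
    print(run_scenario())
```

The vulnerable handler moves 40 from alice to mallory on a request alice never made; the hardened handler refuses the same request whether or not the attacker's browser supplied an Origin header, and accepts only the bank's own form, which carries the token. A scanner reporting CSRF exposure is, in effect, looking for state-changing endpoints that behave like transfer_vulnerable.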
IBM Rational AppScan now includes educational material to help users build more secure applications. The product adds recorded web-based training (WBT) advisories that incorporate the industry's first application security training directly into the solution. WBT is an ideal way to educate non-security professionals on application security fundamentals and product best practices. With the rapid emergence of new compliance legislation, IBM Rational AppScan helps organizations comply with dozens of industry standards and has been updated to include 44 out-of-the-box compliance reports, including the Family Educational Rights and Privacy Act (FERPA) and the Payment Application Best Practices (PABP) recommended by the credit card industry.
"With IBM Rational AppScan, Standard Chartered Bank is educating its developers and IT staff on the importance of web application security incorporated throughout the development lifecycle," said John Meakin, group head of information security, Standard Chartered Bank. "IBM Rational AppScan lets us establish best practice in our coding and testing processes, thereby ensuring the security and compliance of our web applications. This is reducing costs, enhancing the security of our products, and improving our security testing productivity."
Businesses today have hundreds of critical applications that need to be tested in a timely manner. Integrating security with quality management testing tools simplifies security testing and remediation throughout the software lifecycle. IBM has also introduced new enhancements to its IBM Rational software delivery portfolio to make it even easier for customers to deliver higher quality, scalable applications.
For example, telecommunications companies can now take advantage of IBM Rational Performance Tester's support for VoIP systems, internet telephony and instant messaging via SIP (Session Initiation Protocol), a key standard in the telecommunications industry. New data-driven keyword testing capabilities in IBM Rational Manual Tester now allow business users and manual testers to easily automate and reuse test assets without incurring excessive automation overhead and investment.
Best-of-breed security and quality testing solutions integrated from one vendor enable IBM customers to build security into their application delivery process more effectively.
"Traditionally, Web application security testing has been owned by security experts, but that is not enough to stay in synch with the requirements of processes within companies today," said Dr. Danny Sabbah, general manager, IBM Rational Software. "The addition of IBM Rational AppScan will help users save time and money by incorporating web application testing much earlier in the software lifecycle process."
(Source: www.ibm.com) [...]