Sanctum updates AppScan for J2EE

Paul Roberts

IDG News Service

Web application firewall company Sanctum Inc. ventured further into the development tools arena Tuesday, expanding the reach of its AppScan Developer Edition (DE) product to include popular Java Integrated Development Environments (IDEs).

AppScan DE 1.7 expands on the capabilities of the version 1.5 product, adding support for popular IDEs such as IBM Corp.’s WebSphere Application Developer Studio, Borland Software Corp.’s JBuilder and Microsoft Corp.’s Visual Studio 6.0 development environments, in addition to the open source Eclipse environment, according to Sanctum.

AppScan DE version 1.5, released in February, adapted Sanctum’s AppScan testing technology for use by software developers.

Sanctum worked with Microsoft to integrate the 1.5 release to Microsoft’s Visual Studio .Net 2003 development environment, according to Steve Orrin, CTO of Sanctum. [See “Integration with Visual Studio smooths security,” February 18.]

The technology enables developers to unit-test individual components of Web applications to spot security vulnerabilities, comparing over compiled code against 10 categories of vulnerabilities taken from the list maintained by the Open Web Application Security Project (OWASP), an open source community project dedicated to improving Web application security, Orrin said.

For developers working in Java or Java 2 Platform Enterprise Edition (J2EE) development environments, AppScan DE 1.7 is installed as a plug-in.

While that means a less seamless integration than with the Visual Studio .Net environment, developers working in Java environments can still configure and run AppScan tests as well as review test results without leaving the development environment, Orrin said.

Like version 1.5, AppScan DE 1.7 can be used with Web applications written in any language common to IDEs, including C++, C#, VB, Java, EJB and HTML, Sanctum said.

While development tools for finding broken code or testing functionality are common, there are few competing tools for teasing security defects out of developer code, according to Orrin.

AppScan DE 1.7 is not foolproof, but it can spot problems that cause the majority of security failures in software products such as buffer overflows, cross-site scripting flaws and SQL injection vulnerabilities, he said.

While AppScan DE must be run against compiled objects such as source files and can’t yet be used to parse uncompiled code, the product can speed the security testing process by identifying specific vulnerabilities and pointing to the affected files and the parameters touched by a problem, Orrin said.

When problems are found, AppScan can also recommend fixes and offer sample code that will resolve the problem, he said.

Sanctum’s move into the market for development tools meets a pressing need as software companies and consumers push for more securely designed products, according to analyst Pete Lindstrom of The Spire Group.

Pushing application scanning technology further down into the development cycle can save companies money, compared with fixing the problem after the software product is fully developed or, even worse, patching the problem across an entire customer base once a product has been released to the public, Lindstrom said.

Despite the fact that AppScan DE is one of only a few security testing tools for IDEs, the product’s relatively low cost and small profit margin mean that it is unlikely that Santa Clara-based Sanctum will abandon the competitive firewall market to focus on development tools, Lindstrom said.

Version 1.7 of AppScan DE is available immediately for a retail price of US$1495. It is available for $995 from Sanctum’s online store through August 1, 2003.