Watchfire Corp. has clearly taken the safe but smart position for its first release of the AppScan products it gained from its acquisition of Sanctum Inc., making no major changes to the award-winning product for testing the security of Web applications.

That's not to say there aren't worthwhile new features in AppScan Audit 5.0, which gains improved scanning and attack simulation features that will help developers find potential security holes and mistakes in their Web applications.

Other new features in AppScan Audit 5.0 make it easier to interactively record actions to use in testing while browsing through Web applications and more detailed and varied reporting options.

eWEEK Labs believes that companies should consider upgrading to AppScan Audit 5.0, which shipped last month, mainly because of its improved attack simulation and testing capabilities.

As in most previous versions, AppScan Audit 5.0 runs only on Windows systems, although it can test Web applications running on any platform. Pricing for AppScan Audit 5.0 starts at $15,000 for a yearly subscription.

Users of the previous version of AppScan will feel right at home after launching Version 5.0, with no obvious differences in the interface other than the Watchfire logos. However, users of the three custom scan options will see several new features.

One of the more welcome new features made it possible to interactively fill out form information in our applications, then have AppScan Audit 5.0 map it to our test scripts and save the information for future tests. While this seems like a simple option, it proved to be a big timesaver, especially in larger Web applications.

As with previous versions, we would still welcome the ability to create and edit test scripts directly from a source code editor.

Once a scan of a Web application begins, AppScan Audit 5.0 can be much more aggressive than previous versions in simulating attacks and ferreting out potential security problems in the application. The tool can now learn from initial scans of an application and can find new links and portions of the application to test for security problems. It can also simulate attacks that require multiple steps, such as SQL injection, and can listen as a server for attacks that send information from the Web application.

However, while these new attack methods improve the product's testing capabilities, they also mean that users will need to put in a significant amount of time upfront to tune the testing parameters. This tuning time is necessary in order to cut the number of false positives and eliminate unnecessary tests that search for problems that can't affect specific Web applications.

Click here to read eWEEK Labs' review of three Web application testing suites.

A new custom filtering feature did give us more power to limit false positives in application-specific security tests. Using this feature, we could define to AppScan what our application error pages looked like and could make sure that when AppScan encountered them, it would not list the result as a vulnerability.

The always-good reporting options in AppScan have seen some small but welcome improvements, including the ability to perform more detailed trend analysis testing over time and even test the same application on different hosts (which is useful for testing staging versus live servers).

AppScan Audit 5.0 includes canned reports to show if an application is conforming to a number of regulatory standards, including the Health Insurance Portability and Accountability Act and the Federal Information Security Management Act.

Labs Director Jim Rapoza can be reached at jim_rapoza@ziffdavis.com.

This article was first published on eweek.com.