Watchfire Joins IBM, Focuses on Microsoft
Watchfire Corp. official says .NET focus will continue following sale to IBM Corp.
The top security researcher at vulnerability-testing vendor Watchfire Corp. wants to assure the firm's many .NET customers that although it's now part of Big Blue, Watchfire will still focus on securing Web apps built on Microsoft's platform.
IBM Corp. completed its purchase of Watchfire late last month and has announced plans to embed Watchfire's security-testing technology into IBM's Rational software quality-management tools. But Danny Allan, Watchfire's director of security research, says the formerly privately held company's AppScan tool for automating Web application scanning will continue to sell as a standalone product.
Not Just for Java
"We have a developer edition that plugs into Visual Studio. We're about Web application security, and we're not going to be just about Java in any way," Allan says. "Our enterprise platform runs on a Microsoft platform, and we're not moving away from those roots."
Meanwhile, Allan sees IBM's purchase of Watchfire as a kind of touchstone confirming that Web application-scanning technology now has a firm toehold in the enterprise.
In a research report published in May before the deal was announced, Relevant Technologies President Laura Taylor praised Watchfire's technology and speculated -- presciently, as it turns out -- that the firm might be snapped up by one of a handful of heavy-hitters, including IBM.
"For developers, AppScan has a unique capability that allows you to move from a Security Issues view to a Remediation Tasks view," Taylor wrote. "The former view is for the person responsible for uncovering the vulnerabilities. However, with a single mouse click the latter provides a straightforward list of security development tasks."
New and Improved
The newest desktop version of the tool, AppScan 7.6, shipped late last month with several improvements, including better support for AJAX, Watchfire's Allan says. AppScan Enterprise is designed to scale up for large deployments and to be integrated into a dev shop's secure development lifecycle.
"We can begin right back as you build the security requirements in the design stage. We can plug into that process as you develop," Allan says.
AppScan security updates are issued twice a week and are based on information gleaned from security mailing lists, uncovered by Watchfire's research team or reported by customers.
"There are still those apps where I see vulnerabilities that I shake my head at," Allan says. "But I've seen a trend in the decrease of foolish bugs, and I attribute that to people writing in .NET."