IBM recently demo’d AppScan Developer Edition to a few of us. There used to be a DE edition of AppScan some time ago, but that was more of a scaled down version of the standard version, allowing only localhost scanning and a subset of tests. The new DE is different in what it does.
Typically, AppScan is a black-box testing tool. This means that it does not use any of the source code and sees the web application just as any user would. The problem with this type of test is that there is no guarantee that all the code will be covered. Indeed, there is a very high probability that a lot of code will not be exercised at all. The DE version tries to make the testing more comprehensive by performing static code analysis (white-box testing) also.
One of the good things that DE provides is that once vulnerabilities are identified, it can provide a mapping between the black-box test issues and the white-box test issues. In other words, if a cross-site scripting vulnerability is identified using a black-box test, you can actually trace the problem to the actual source code causing the problem instead of the developer trying to figure out where the problem is based on the URL. This can be a huge time-saver for developers under the gun to deliver on time. In my opinion, this is a huge plus.
One of the things that we were told was that this version uses a technique called String Analysis, which is supposed to reduce false positives. The number of tests seems to have been sacrificed for the benefit of better and more accurate results. While this may sound like a negative, it is actually positive. Most people using scanning tools are usually overwhelmed by the number of results and the false positives that are reported. By only performing tests that IBM is sure about, the false positives are greatly reduced. When the person running the scan looks at the report, he/she can be reasonably sure that it is a real problem.
The interface seems clean and straight forward, continuing the tradition of the all the other versions of AppScan. The DE version works as a plugin to an IDE such as Eclipse. Support for more IDEs are reportedly on the roadmap. I would have liked to see some more reporting options such as compliance reports etc. With PCI compliance becoming more of an issue, I would want to know as early as possible if my code is compliant or not. It will also be good to get some real data on the performance characteristics such as scanning speed, memory usage and accuracy of results.
Off Track: It was interesting to find out that most of the people that I have spoken with at IBM and previously Watchfire had at the most worked with AppScan for about 12 to 18 months. I have been working with the product since version 2.0 when it used to be on debian linux (late 2001 if I am correct )