Sanctum boosts tests, reports in AppScan 3.0

Sanctum announced version 3.0 of its AppScan application security audit tool Monday, adding a bundle of enhancements to the product's testing and reporting features, as well as boosting its performance.

AppScan performs automated tests on applications to determine whether they contain both known and previously unknown security vulnerabilities, said Diane Fraiman, vice president of marketing at Santa Clara, California-based Sanctum. AppScan follows what the company calls a "positive security model," testing applications to ensure that they do only what they are intended to do, as opposed to trying to block every unintended action, she said. The program is designed to be used as part of the application development process so that vulnerabilities can be caught before the software is deployed, she added.

As security becomes an increasingly hot topic, application security in particular is also gaining ground, she said.

"There's a very concerted effort to try to drive application security across the application development life cycle" among software auditors and developers, she said.

The new version of AppScan gives developers and auditors a new set of tools to attempt to ferret out those security risks. The program's performance has been boosted and its scanning options broadened, she said. Application scans can now be performed collaboratively, with different tasks assigned to different testers, even those located at separate sites, she said. Scans are also now savable, so that they can be rerun to verify results and test updates and modifications to determine whether vulnerabilities have been eliminated, she said.

AppScan 3.0 also sports a number of user interface enhancements in both the scanning and reporting sections of the program, she said. Because version 3.0 now runs on Windows 2000, broadening its platform support beyond Linux, the software has inherited some of the user interface benefits of the Windows interface, she said. Also added is contextual help, designed to aid the beginning or nonexpert user, she said.

Reporting has been bolstered in the new version with new ways of viewing and presenting reports, as well as by offering more detailed information, Fraiman said. Reports generated by AppScan 3.0 offer new data filters, new ways to sort the data, deeper detail, new highlights, fonts and more, she said.

AppScan 3.0 also improves accuracy over previous versions, with Sanctum claiming a false-positive rate of less than 1 percent, and adds tests for HTTP (Hypertext Transfer Protocol) headers and requests, Fraiman said.

The ease of use and accuracy of AppScan 3.0 are major selling points for Oren Ariel, chief technology officer of managed services at Mercury Interactive Corp. in Sunnyvale, California. Mercury provides application-testing services that check programs for their scalability, load-bearing, functionality and performance, Ariel said.

Mercury is investigating application security testing products from a number of companies, including Sanctum, Kavado Inc. and Spi Dynamics Inc., in order to test its own applications for security problems, he said.

"There's a good environment out there for people to incorporate security audits into their (quality assurance cycle)," Ariel said.

The company is seeking an easy-to-use, accurate tool that can be employed by nonexpert users, he said.

"The Sanctum product does an excellent job of doing just (those things)," he said, adding that Mercury has not yet determined which product it will purchase.

Ariel expects that as application security becomes more ingrained at companies, application security products will become commonplace tools.

"This is an evolution," he said.

AppScan 3.0 will be available in early May in the U.S. and Europe and by late summer in Japan, Sanctum's Fraiman said. The product is sold on a subscription basis, with maintenance updates released about once a month and more major updates offered every eight to 10 weeks, she said. End-user licenses cost US$15,000 per year for one user and licenses for auditors are priced depending on tasks and sold in 30-day packages, she said.

Sam Costello