Watchfire Introduces AppScan QA; New Edition Incorporates Crucial Quality Assurance Audience into Web Application Security Testing

New Version of AppScan Includes Enhanced Integration with HP's Quality Center and Debuts New Integration with IBM Rational ClearQuest, Enabling QA Teams To Integrate Security As A Key Component Of Their Normal Testing Process

Watchfire: Sue Ann Wright, 613.599.3888 ext. 4039, sueannw@ca.ibm.com

Schwartz Communications: Mike Schultz/Tim Whitman, 781.684.0770, watchfire@schwartz-pr.com

Watchfire, the market-leading provider of web application security software and services, today announced a new quality assurance edition of the Company's flagship product, AppScan®. AppScan® QA introduces the latest web application security testing to the QA cycle, with new and enhanced integration with the industry's most popular software quality management solutions: HP (formerly Mercury) Quality Center™ and IBM® Rational® ClearQuest®. This new release complements Watchfire's web-based enterprise platform, AppScan® Enterprise, a solution that enables organizations to scale application security testing into QA and development via a web-based system.

Online attacks are steadily increasing and few argue that web applications present today's most significant online security threat, highlighting the increased need for ongoing web vulnerability scanning. Overburdened security teams are looking for ways to scale security testing across the software development lifecycle. They are turning to QA and development teams, who are typically not security experts, to help fill the void. To be successful, these groups need a simplified method of integrating security testing into their existing quality and performance testing environments. AppScan QA accomplishes this by providing a single solution that can unite QA, development and security teams under a common security testing process, to reduce the cost and effort required for QA testers to identify, understand and resolve security-related defects in web applications.

"Web application security is clearly a priority in today's market. Watchfire understands the need to make automated security testing a reality in QA, development and throughout the software development lifecycle, not just in the final audit or production stages where security professionals typically step in," said Michael Weider, founder and CTO of Watchfire. "AppScan QA simplifies web application security testing by integrating with the HP Quality Center™ and IBM® Rational® ClearQuest® environments, so QA professionals can easily run pre-configured scans to identify security defects and log them, with fix recommendations, in their existing system for QA interaction with development teams."

Instead of providing complex tools to QA teams and expecting them to master security testing with no formal processes and training, Watchfire supports the transition from security team to QA by giving QA the ability to work in their existing system and process, allowing for quick and seamless adoption.

Supporting Multiple QA Use Cases within IBM Rational ClearQuest and HP Quality Center
AppScan QA offers enhanced and seamless integration with HP Quality Center. AppScan QA reduces the cost of fixing security-related defects by integrating with the testing hosts of HP's Quality Center environment, allowing users to run tests (e.g. functional, load and security) from a single console. This helps QA teams enhance their test plans to integrate security as a key component of their normal testing process. AppScan works as a QA security testing engine, and users are empowered with comprehensive security defect advisories, modification and maintenance processes, in addition to detailed fix recommendations, all in easy-to-understand QA language. New features and functionality include:

  • Automatic test creation, modification and maintenance processes needed to test and act on remediation of security defects.
  • Centralized control for QA/developers to store and share configurations and sessions; keep information on past runs; and see progress over time.
  • Browser-based interface - scanning performed by testing hosts.
  • Flexible interface - QA can choose to work within the browser-based interface, while those more comfortable working with AppScan can continue to use the solution for scan configuration, but have the tests stored and run within HP Quality Center.
  • Produces detailed security defect advisories for QA personnel.
  • Produces detailed defect definition for development team to allow them to quickly and thoroughly solve the problem.
  • Scales to any size QA team, leveraging HP Quality Center distributed model.
  • Easy administration with fast deployment, centralized control and workload distribution within existing QA systems.

Watchfire has already attained "Ready for IBM Rational software" validation for its integration of AppScan® Enterprise with IBM Rational ClearQuest. This integration enables development, QA and security teams to work together using ClearQuest as a common defect tracking system that integrates seamlessly with Watchfire's web-based enterprise security solution. This ClearQuest integration provides:

  • Automatic test creation, modification and maintenance processes needed to test and act on remediation of security defects.
  • Centralized control for QA/developers to store and share configurations and sessions; keep information on past runs; and see progress over time.
  • Browser-based interface - scanning performed by testing hosts.
  • Produces detailed security defect advisories for QA personnel.
  • Produces detailed defect definition for development team to allow them to quickly and thoroughly solve the problem.
  • Scales to any size team.

Harness the AppScan Engine with AppScan eXtensions
Watchfire has introduced a new QA Defect Logger eXtension, which pushes selected security defects from AppScan to customers' QA systems simply by right-clicking an issue to open a defect ticket. The tickets include all required defect information (fix recommendation, request/response, etc.) and can be edited as appropriate before sending. This new capability further expands the QA process by including gating by the security team. Users can install a plug-in to AppScan that pushes identified security issues as a defect into either the IBM Rational ClearQuest or HP Quality Center solutions.

AppScan eXtensions Framework (AXF) allows users to extend the AppScan feature set. AXF gives users the ability to create anything from a minor utility that performs simple tasks to a full-blown application that performs many complex actions, all based on AppScan data or functionality. By leveraging the potential that AXF provides, users can customize AppScan to meet their exact needs by using or creating their own eXtensions. Watchfire also introduced the AppScan eXtensions Framework community website today as an online destination for users to facilitate collaboration and sharing of extensions.

AppScan QA provides automation to deliver predictive, reliable results, code-level fix recommendations, advanced reporting capabilities, and the ability to output results to all standard defect tracking and analysis/management systems.

"AppScan QA applies standardized testing and collaboration functions throughout development, and gives QA teams the ability to make security a core component of application quality without requiring an additional skill set," added Weider. "By delivering an integrated product that is easy for QA to use, we not only help significantly minimize security vulnerabilities and business risk, but with the value of fixing security defects early in development pegged at seven times less costly than testing after development, we're improving development efficiency and reducing overall costs as well."

Watchfire Gives Users Full Power and Control of AppScan Engine
The AppScan eXtensions community was introduced as part of Watchfire's corresponding announcement of AppScan 7.5, which was also released today. AppScan 7.5 introduces AppScan eXtensions Framework™, to harness the power of Watchfire's application scanning engine. Coupled with Pyscan, an integration of AppScan and Python® Scripting, AppScan 7.5 is the most flexible and powerful web application scanning solution on the market; security professionals and developers can now customize, extend and create their own products that use the solution's core technology to accomplish specific security-related tasks.

About Watchfire
Watchfire is the leading provider of web application security software and the only company to offer an end-to-end solution including intelligent fix recommendations to evaluate, understand and resolve issues. More than 800 enterprises and government agencies, including AXA Financial, SunTrust, HSBC, Vodafone, Veterans Affairs and Dell rely on Watchfire to identify, report and help remediate security vulnerabilities. Watchfire has been the recipient of several industry honors including: winning an unprecedented three out of five 2007 SC Magazine Excellence Awards (including Best Security Company); the HP/IAPP Privacy Innovation Award; Computerworld's Innovative Technology Award; winner of the Dr. Dobb's 2007 Jolt Product Excellence Awards; and "Recommended" rating by Computer Reseller News. For two years in a row, Watchfire has been named by IDC as the worldwide market share leader in web application vulnerability assessment software. Watchfire's partners include IBM Global Services, Fortify, PricewaterhouseCoopers, Sapient, Microsoft, Interwoven, EMC Documentum and Mercury. Watchfire is headquartered in Waltham, MA. For more information, please visit www.watchfire.com.
