Sanctum, Inc. has released a new version of its AppScan Web application vulnerability scanning tool that it says offers improved performance, new customization features and greater accuracy than previous versions.

AppScan 2.5 complements Sanctum's other main product, AppShield. AppShield is used to protect production Web applications from hackers attempting to break into a network, deface Web pages, change prices or perform other attacks. AppScan, on the other hand, is used before an application is deployed to detect the vulnerabilities in application code that hackers might be able to exploit.

AppScan uses a scanning method whereby the tool mimics a hacker, says Diane Fraiman, VP of marketing at Sanctum, based in Santa Clara, Calif. AppScan crawls through a site, analyzes the content and "learns" what each application is intended to do, including the values it expects from fields that end users fill in. Working against Sanctum's knowledge base of known vulnerabilities, AppScan then determines all the potential vulnerabilities each application may be susceptible to. It then tries to exploit each of the vulnerabilities to determine which are actual problems. Finally, AppScan creates a report detailing its findings, with recommendations on how to correct the problems it finds.

The tool can scan applications externally, through firewalls. New with Version 2.5 is an offline analysis capability that enables AppScan to perform a Web scan, but handle the analysis and reporting function later, in an offline mode. This feature is targeted at users such as consultants.

Version 2.5 is more accurate than previous versions, with less than 1% false positive findings, Fraiman says. This accuracy comes from the expanded knowledge base that Sanctum has built during its more than three years in the field and 300 ethical hacks, she says.

The new version is also more efficient to use, with features such as an automated form-filler and user-defined filtering mechanisms that speed analysis. Sanctum claims Version 2.5 delivers a 500% improvement in efficiency compared with manual audits. Included in the new tool is a return-on-investment calculator that helps companies determine what they will save vs. a manual audit.

Varying levels of reports make the product suitable not only for highly skilled security auditors but also for developers with little security knowledge. "That's who companies want to use it, to drive quality assurance down the chain," Fraiman says.

AppScan is priced on an annual subscription basis, with prices starting at $15,000 per user. A five-user package costs $50,000. AppShield end-user pricing starts at $15,000 per server. Prices vary for auditor versions.