Published on 24-Jan-2008
Validated on 07 Jul 2009
"We are very pleased with AppScan and see its use not only as a competitive differentiator but also as a key piece of our offering." --Dr. Tarek Nabhan, product division manager, ITWorx
Customer:
ITWorx
Industry:
Computer Services
Deployment country:
Egypt
Overview
ITWorx standardizes on IBM Rational AppScan Standard Edition software to deliver security-rich applications to its customers worldwide.
Business need:
Delivering more than 300 applications to customers around the world each year, ITWorx needed to be sure that the applications it produced were free of security vulnerabilities that could potentially expose its customers’ confidential and sensitive data.
Solution:
After a thorough evaluation of a number of Web application security scanners in the marketplace, ITWorx utilizes IBM Rational® AppScan® software to automate security testing on the hundreds of Web applications it develops and deploys each year.
Benefits:
Rational AppScan software enables ITWorx to streamline its application security testing and automate a number of manual tasks, improving staff productivity and application quality.
Case Study
ITWorx is one of the largest software professional services companies in Egypt. Offering business intelligence solutions and portal development, service-oriented architecture (SOA) and application development outsourcing services to Global 2000 companies, ITWorx serves financial services companies, educational institutions, telecommunications operators and independent software vendors in North America, Europe and the Middle East.
The company has been successful in large part because of its ability to deliver high-quality solutions and its keen understanding of marketplace trends. While these trends vary from continent to continent, application security is a universal requirement. To provide the best solutions for its customers, ITWorx made a strategic decision to build security into its software development processes from the ground up to help it deliver products that can withstand ever-changing security threats.
Delivering more than 300 applications per year
Outsourcing application development, including Web applications, is often a logical choice for companies that want to save time and money. By delivering more than 300 applications to its customers each year, ITWorx allows its customers to focus on their core business rather than on software development. But to protect its reputation and stay competitive in the global marketplace, ITWorx needs to be sure that the applications it develops are free of the security vulnerabilities that could potentially expose its customers’ confidential and sensitive data. And given the sheer volume and diversity of its customer base, ITWorx needed to streamline its application security testing.
After a thorough evaluation of a number of Web application security scanners in the marketplace, ITWorx decided to implement AppScan software to automate security testing on the hundreds of Web applications it develops and deploys each year. The company chose AppScan because of its strong leadership position and its ability to automate the many tasks that ITWorx had previously performed manually. “My decision to select AppScan was based on many factors,” says Dr. Tarek Nabhan, product division manager for ITWorx. “We found that AppScan detected more vulnerabilities than any other product, and its customizable capabilities were the easiest for our in-house developers and QA staff to use.”
Greater flexibility leading to increased productivity
In the past, ITWorx’s engineers lost hours of productive time because their previous scanning solution was so inflexible. However, AppScan software allows ITWorx to perform numerous tests and scans on their own schedule, and even stop and start scans in the middle of the process. “We found AppScan to be the most flexible of all of the products on the market,” says Dr. Nabhan.
The AppScan reporting features are customizable and can be used by managers, developers, quality assurance (QA) engineers, system managers and other security professionals at ITWorx. The application’s reporting options include streamlined, URL-based reports as well as industry standard reports such as Open Web Application Security Project (OWASP), the SysAdmin, Audit, Network, Security (SANS) Institute Top 20 and Web Application Security Consortium (WASC) standards. In addition, a filter allows users to choose between application-related issues, infrastructure issues or both.
In addition to general site security-related capabilities, AppScan offers ITWorx a comprehensive set of compliance-related features, including templates and reports that address issues related to Sarbanes-Oxley, Children’s Online Privacy Protection Act (COPPA), Electronic Fund and Transfer Act (EFTA), Exchange and Securities Act, Federal Information Security Management Act (FISMA), MasterCard Site Data Protection Program (SDDP), Payment Card Industry (PCI) Data Security Standards Act, Privacy Act of 1974, and Visa Cardholder Information Security Program (CISP) requirements.
Streamlined testing procedures
Soon after the AppScan software was installed, ITWorx was able to streamline its security scanning processes significantly. Using the solution’s comprehensive reporting capabilities, teams can easily detect suspected vulnerabilities and address the issue on the spot. The company’s engineers no longer have to sift through long reports that overwhelm them with data. The AppScan software makes it easy for developers to pinpoint the problem and take advantage of concise, plain-language test results. The application also gives clear explanations of the offending code, as well as remediation suggestions. Before the company deployed AppScan, all applications had to be scanned and addressed manually. Now, QA teams at ITWorx can scan deliverables as needed, and they feel confident relying on the reporting features for quick reference.
Because of the high volume of testing performed at ITWorx, the company has been relying on support from the IBM Rational team to help it establish best practices. “The response from the support professionals at IBM has been great. Turnaround is quick and the answers are always accurate,” says Dr. Nabhan. “We are very pleased with AppScan and see its use not only as a competitive differentiator but also as a key piece of our offering.”
For more information
To learn more about IBM Rational AppScan software, contact your IBM representative or IBM Business Partner, or visit: ibm.com/software/rational/offerings/testing/webapplicationsecurity
Products and services used
IBM products and services that were used in this case study.
Software:
Rational AppScan Standard Edition
Legal Information
© Copyright IBM Corporation 2007
IBM Corporation, Software Group, Route 100, Somers, NY 10589, U.S.A.
Produced in the United States of America, 12-07. All Rights Reserved.
AppScan, IBM, the IBM logo and Rational are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries or both. Other company, product and service names may be trademarks or registered trademarks or service marks of others.
The information contained in this documentation is provided for informational purposes only. While efforts were made to verify the completeness and accuracy of the information contained in this documentation, it is provided “as is” without warranty of any kind, express or implied. In addition, this information is based on IBM’s current product plans and strategy, which are subject to change by IBM without notice. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, this documentation or any other documentation. Nothing contained in this documentation is intended to, nor shall have the effect of, creating any warranties or representations from IBM (or its suppliers or licensors), or altering the terms and conditions of the applicable license agreement governing the use of IBM software.
IBM customers are responsible for ensuring their own compliance with legal requirements. It is the customer’s sole responsibility to obtain advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulatory requirements that may affect the customer’s business and any actions the customer may need to take to comply with such laws.
RAC14016-USEN-00
