Automated testing: IBM Rational AppScan

Today I want to tell you about this serious program from the serious guys at IBM.
The OWASP site says repeatedly that you should, or better must, use automated testing tools on your application to make sure that neither you nor your QA team missed something.
Our company has one of the best QA teams in Ukraine, and maybe beyond (in my opinion), but no one can exclude the human factor from application testing. That is why you need a program that WILL check every link for every possible vulnerability after each code change, however minor.
I recently tried the trial version of "IBM Rational AppScan". I hoped it would check at least part of the application we are developing and then tell us that we need the full version to check the whole site, but... they really are serious guys at IBM :) and the program only allowed me to test their special test site.
What can I say about the results and its overall work? I'm pleased and even shocked. The program ran more than 15,000 tests against that small site. I just wonder how much time it would take a QA team to run the same number of tests by hand?! Rational AppScan needed a little more than half an hour. It found several XSS issues, server-side issues, hidden folders and so on.

Conclusion: the program is a must-have! Will it replace QA's work? Definitely not :) It's a great addition to their work, letting them focus on the bugs this program cannot find: first of all logical ones, and also design, spelling and cosmetic ones.

...and one thing you definitely won't like about this program is its price :) IBM Rational AppScan Express Edition currently costs $18,000 for a one-year license.
I just wonder whether all those application security companies that ask for about the same sum of money to check your site use this program :) An interesting thought, as far as I'm concerned.

Comments

Thanks for this informative

Thanks for this informative and well-written article. Though I have already found tons of info at the search engine on ebooks, your article was a real pleasure to read.

Thank you.

Thank you.

© 2008-2009. Konstantin Artemov