Watchfire: Is Your Site Seaworthy?

By Baselinemag  |  Posted 2005-03-07

Watchfire helps companies identify security vulnerabilities in their Web sites.

Watchfire's mission is to make sure a Web site won't be looted by pirates—or sink because the crew failed to make it watertight—as it sails the Internet's oceans.

The company started nine years ago with a simple tool that found Web links that pointed to nonexistent pages. Now a 200-employee company, Watchfire has moved beyond fixing broken links to offer software and services that monitor a slew of potential problems with a company's sites.

Its products can discover, for example, whether a site fails to meet government privacy regulations or if it's susceptible to someone stealing customer data using a hack that exploits a vulnerability in the way certain databases deliver packets of information to Web applications. "If you have hundreds of thousands of Web pages, there's no way you can be sure they're conforming to policies or standards except by using automated tools such as those from Watchfire," says Brian Tretick, a principal with Ernst & Young who has used Watchfire products to analyze clients' security and privacy practices.

What's not so great about Watchfire? Customers say its pricing is inflexible. Analog Devices, a semiconductor maker in Norwood, Mass., pays $108,000 per year for WebXM Quality, which scans 300,000 pages and provides 36 reports on such areas as page-loading times. Janelle Oveson, Analog Devices' e-business manager, says WebXM is "a proven tool—it's reliable and it works." But she'd prefer to purchase reports à la carte, because her team doesn't use all of the product's features. "Their pricing is an all-or-nothing proposition," Oveson says.

Another caveat from customers: AppShield, the Web application firewall Watchfire obtained when it acquired Sanctum last year, is complex software and it can cause even an experienced technician to unintentionally cripple a Web site. That's because it allows only predefined behavior, so any Web applications written with nonstandard code may also be blocked.

"When we deployed AppShield, we thought we'd created all the right rules," says Jason Painter, network security engineer at laser equipment maker Coherent. "Then we turned it on and got complaints from our customers that the site wasn't working."

That's why it's important that a security expert analyze the results of Watchfire's site-scanning tools in collaboration with a site's Web developers, says Paul Petersen, security manager for international law firm Baker & McKenzie: "A security person alone probably wouldn't be able to interpret the results."


880 Winter St.,
Waltham, MA 02451
(781) 810-1450

Ticker: Privately held

Employees: 200

Peter McKay

President and CEO

Before joining the company in 2002, he was president of eCredit, a provider of online software for credit and collections companies. Also has served in management roles at Computer Associates and Parametric Technologies.

Michael Weider


Founded the company in 1996. He previously co-founded Quadrillion, a semiconductor-testing software company.


WebXM scans and analyzes a Web site to check for security holes, broken links and other technical problems. AppScan is a similar tool for testing the security of Web applications. AppShield is a firewall that lets only legitimate browser requests into a Web site.

Reference Checks

Jason Painter
Network Security Engineer
Project: Laser-equipment maker in Santa Clara, Calif., adopted AppShield in 2000; the software protects applications on 12 publicly accessible Web servers.

Analog Devices
Janelle Oveson
E-Business Manager
Project: The semiconductor maker uses WebXM Quality to scan its site's 300,000 dynamically generated Web pages.

Huntington National Bank
Larry Seibel
Dir., Information Security
(614) 331-8140
Project: Regional bank based in Columbus, Ohio, uses AppScan as part of its development process to find security vulnerabilities in online banking programs and other Web applications.

George Prior
Principal Web Engineer
(202) 623-6462
Project: Consulting firm has used AppShield since late 2000 for a client in the government sector running Microsoft-based Web servers.

Baker & McKenzie
Paul Petersen
Security Manager
(312) 861-8800
Project: Chicago-based international law firm with 8,400 employees uses AppScan to analyze the structure of four client-facing sites and to check them for security vulnerabilities.

Bentley College
Traci Logan
(781) 891-3472
Project: Private college in Waltham, Mass., uses WebXM to test its 10,000-page site for broken links, browser incompatibility errors and other problems, as well as to check for noncompliance with various data accessibility and privacy laws.

Executives listed here are all users of Watchfire's products. Their willingness to talk has been confirmed by Baseline.

Revenue: $30M to $50M annual run rate
Funding to date: $42M
Investors: Altamira, Banc of America Equity Partners, Goldman Sachs, Kodiak Venture Partners, Polaris Venture Partners, RBC Dain Rauscher, Sprout Group

Coast Software, IBM, Kavado, Keynote Systems, Mercury Interactive, Microsoft, Segue Software, Teros, Vignette

Key Customers
Retail: Home Depot; Sears, Roebuck & Co.
Financial: AXA Financial, Bank of America, Charles Schwab, H&R Block, Wells Fargo
Pharmaceutical: GlaxoSmithKline, Merck, Novartis, Wyeth Pharmaceuticals
Manufacturing: ChevronTexaco, John Deere, Procter & Gamble

Company Milestones
1996 Founded as Tetranet Software in Kanata, Ontario
1999 Changes name to Watchfire
2001 Receives $25M in second-round funding
2002 Names Peter McKay president and CEO
2004 Acquires Web security software vendor Sanctum
Sources: Company reports, Baseline research

