
IBM AppScan

SOLUTION OVERVIEW

Sergio López

15 June 2016
IBM Application Security Framework

Application Security Management:
– Asset Inventory
– Business Impact Assessment
– Vulnerability Prioritization
– Status and Progress Measurement
– Compliance Determination

Test (Applications in Development: Mobile, Database, Web):
– Dynamic Analysis
– Static Analysis
– Interactive Analysis
– Application Analysis

Monitor and Protect (Deployed Applications: Mobile):
– Intrusion Prevention
– SIEM
– Activity Monitoring
– Application Firewall
– Application Protection

Utilize resources effectively to identify and mitigate risk


2 IBM Security
Finding More Vulnerabilities Using Advanced Techniques

Dynamic Analysis
– Analyze live web application
– Use during testing
– Uses HTTP tampering

Static Analysis
– Analyze source code
– Use during development
– Uses taint analysis / pattern matching

Hybrid Analysis
– Correlate dynamic and static results
– Assists remediation by identification of line of code

Run-Time Analysis
– Combines dynamic analysis with run-time agent
– More results, better accuracy

Client-Side Analysis
– Analyze downloaded JavaScript code which runs in client
– Unique in the industry

[Figure: the five techniques drawn as overlapping coverage of the "Total Potential Security Issues"]
Automated Dynamic Analysis ("Black Box" Testing)

Crawl Site: starting from altoro.com/, the scanner follows links and forms to discover the application's pages, e.g.
– altoro.com/feedback.jsp
– altoro.com/login.jsp
– altoro.com/logout.jsp
– altoro.com/editProfile.jsp

Identify Vulnerabilities: each discovered page and parameter is then exercised with crafted HTTP requests, and the responses are inspected for evidence of a flaw.
Automated Static Analysis ("White Box" Testing)

Source code under analysis (the deliberately vulnerable login servlet from the slide: the query is built by string concatenation, so username and password flow unescaped into the SQL statement):

    DoPost() {
        String username = request.getParameter("username");
        String password = request.getParameter("password");
        String query = "SELECT * from tUsers where " + "userid='" + username + "' "
                     + "AND password='" + password + "'";
        ResultSet rs = stmt.executeQuery(query);
    }

Compile & Translate: the code is compiled and translated into an intermediate representation, here a call graph DoPost -> GetParam -> Str.Append -> ExecuteQuery.

Apply Vulnerability Rules: GetParam is marked as a taint Source and ExecuteQuery as a Sink; because the tainted value reaches the sink through Str.Append with no sanitization in between, the path is reported as SQL Injection.
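The source-to-sink rule this slide describes, as an added example implemented over Python's ast module (this is not AppScan Source's engine). The servlet is transcribed into Python; it is assumed for the example that getParameter is the taint source and executeQuery/execute are the sinks. A parameterized FIXED_SRC variant is included to show the rule not firing when only a constant query string reaches the sink, and the propagation also covers f-strings, which the slide's Java example does not need.

```python
"""Toy data-flow (taint) analysis with Python's ast module.

Added example; not AppScan Source's engine. Sources and sinks are assumptions
mirroring the slide: request.getParameter(...) is a source,
stmt.executeQuery(...) / stmt.execute(...) are sinks (first argument only).
"""
import ast

SOURCES = {"getParameter"}           # method names whose return value is attacker-controlled
SINKS = {"executeQuery", "execute"}  # method names whose first argument must not be tainted

# Transcription of the slide's vulnerable servlet (string-concatenated SQL).
VULNERABLE_SRC = '''
def doPost(request, stmt):
    username = request.getParameter("username")
    password = request.getParameter("password")
    query = "SELECT * from tUsers where " + "userid='" + username + "' " + "AND password='" + password + "'"
    rs = stmt.executeQuery(query)
    return rs
'''

# Hardened variant: tainted values go in as bound parameters, not into the query text.
FIXED_SRC = '''
def doPost(request, stmt):
    username = request.getParameter("username")
    password = request.getParameter("password")
    query = "SELECT * from tUsers where userid=? AND password=?"
    rs = stmt.execute(query, (username, password))
    return rs
'''

def _method_name(call):
    return call.func.attr if isinstance(call.func, ast.Attribute) else None

class TaintAnalyzer(ast.NodeVisitor):
    """Intraprocedural, path-insensitive taint propagation, statement by statement."""
    def __init__(self):
        self.tainted = {}   # variable name -> trace (how the taint got there)
        self.findings = []  # (line, sink name, trace)

    def taint_of(self, node):
        """Return the trace if the expression's value is tainted, else None."""
        if isinstance(node, ast.Name):
            return self.tainted.get(node.id)
        if isinstance(node, ast.Call) and _method_name(node) in SOURCES:
            return [f"line {node.lineno}: source {_method_name(node)}()"]
        if isinstance(node, ast.BinOp):          # string concatenation propagates taint
            return self.taint_of(node.left) or self.taint_of(node.right)
        if isinstance(node, ast.JoinedStr):      # f-strings propagate taint too
            for v in node.values:
                if isinstance(v, ast.FormattedValue):
                    t = self.taint_of(v.value)
                    if t:
                        return t
        return None

    def visit_Assign(self, node):
        trace = self.taint_of(node.value)
        for target in node.targets:
            if isinstance(target, ast.Name):
                if trace:
                    self.tainted[target.id] = trace + [f"line {node.lineno}: assigned to {target.id}"]
                else:
                    self.tainted.pop(target.id, None)   # overwritten with a clean value
        self.generic_visit(node)

    def visit_Call(self, node):
        name = _method_name(node)
        if name in SINKS and node.args:
            trace = self.taint_of(node.args[0])
            if trace:
                self.findings.append((node.lineno, name, trace + [f"line {node.lineno}: sink {name}()"]))
        self.generic_visit(node)

def analyze(source):
    """Return a list of (line, sink, trace) findings for one module of Python source."""
    analyzer = TaintAnalyzer()
    analyzer.visit(ast.parse(source))
    return analyzer.findings

if __name__ == "__main__":
    for label, src in (("vulnerable", VULNERABLE_SRC), ("fixed", FIXED_SRC)):
        for line, sink, trace in analyze(src) or []:
            print(f"[{label}] SQL Injection at line {line} via {sink}(): " + " -> ".join(trace))
        if not analyze(src):
            print(f"[{label}] no findings")
```

The trace printed for the vulnerable version is the "easy to read trace" of the later slides in miniature: source on line 3, assignment to username, assignment to query on line 5, sink on line 6. The analyzer is deliberately simple: it tracks only the first argument of a sink, so a parameterized call is clean by construction, and it does not follow taint across function calls or through containers, which is exactly the gap commercial engines fill with interprocedural analysis and framework-specific rules.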
IBM AppScan Ecosystem

SECURITY across the lifecycle, phase by phase (AppScan Enterprise is shown spanning the phases from CODE through PRODUCTION):

REQUIREMENTS – Security Requirements Definition: security requirements defined before design & implementation
CODE – AppScan Source: build security testing into the IDE
BUILD – AppScan Source for Automation & SW Integrations: automate security / compliance testing in the build process
QA – AppScan Enterprise & QA: security / compliance testing incorporated into testing & remediation workflows
PRE-PROD – AppScan Standard: security & compliance testing, oversight, control, policy, audits
PRODUCTION – AppScan Standard: outsourced testing for security audits & production site monitoring

Application Security Best Practices – Secure Engineering Framework
IBM Security Systems AppScan Suite

What Is AppScan Source Edition?

White Box Scanning

A static code analysis security testing solution with centralized control of security policies.

– Allows organizations to create, distribute and enforce consistent security policies
– Provides automated security testing by seamlessly integrating security source code analysis into the build process

– Ounce Labs, IBM acquisition, summer 2009
– Eclipse/Visual Studio-based
– Reporting capabilities
– Build Automation
– Defect Tracking System integrations
AppScan Source Supported Languages

Static Analysis Security Testing – White Box

Vulnerability Types:
– WASC
– OWASP Top Ten
– SQL Injection
– Cross-Site Scripting
– Exposed Credentials
– Injection
– Path Traversal
– URL Redirect
– Access Control
– DOS
– Error Handling
– Privacy
– etc.

Supported Languages:
– Java, JSP
– C, C++
– Classic ASP (VB6)
– C#, VB.NET, ASP.NET (VS 2010, 2012, 2013, 2015)
– COBOL
– PHP (v5.3, v5.4)
– PERL
– ColdFusion
– Client-Side JavaScript
– Server-Side JavaScript
– VBScript
– PL/SQL
– T-SQL
– Native Android & iOS (iOS 8 & Xcode supported), Objective-C

Supported Frameworks:
– Struts
– Spring MVC
– Java Server Faces
– EJB
– .NET
– etc.
– Extensible, customizable
– IBM Worklight Integration

Analysis techniques: Data Flow Analysis, Pattern Based Analysis
AppScan Source Architecture

Security Analyst & Developer Interfaces

Annotated screenshot of the AppScan Source findings view, with these callouts:
– Vulnerability Groups
– Priority Matrix
– Easy to Read Trace
– CWE Link
– Taint Assignments
– Detailed Help
– Exact Injectable Variable
– Issue in Source Code
What Is AppScan Standard Edition?

Black Box Scanning

AppScan Standard Edition software scans and tests for vulnerabilities and security defects with a desktop solution.

– Delivers advanced web application security testing, broad coverage of the latest Web 2.0 technologies and ease of use for clients to get fast, reliable results.
– Identifies web application vulnerabilities including all relevant WASC TCv2 threat classes, such as SQL Injection, Cross-Site Scripting and Buffer Overflows.

Benefits:
– Includes advanced testing utilities to expand custom security testing by combining the power of AppScan with PyScan scripts for more powerful and more efficient manual testing
– Generates advanced remediation capabilities including a comprehensive task list to ease vulnerability remediation
– Simplifies security testing for non-security professionals by building scanning intelligence directly into the application
AppScan Standard: Desktop solution combines advanced security testing, broad technology coverage and ease of use

Web Application Assessments for Pen-Testers and Security Practitioners

Dynamic Analysis (black box) – covers all relevant OWASP & WASC TCv2 threat classes:
– SQL Injection
– Cross-Site Scripting
– HTTP Response Splitting
– OS Commanding
– LDAP Injection
– XPath Injection
– Buffer Overflows
– 1000s more

Web 2.0 and Rich Internet Applications:
– JavaScript & Ajax
– Adobe Flash & Flex

Web Services / SOA:
– SOAP/XML parser issues (external entities, XML blowup, etc.)
– Application-layer issues
– Infrastructure issues

Malware analysis:
– Scan site with malware analysis from IBM X-Force Security Research

Hybrid Technology – Runtime Analysis (glass box testing):
– Expanded threat coverage with less configuration
– Precise results (line of code) assist remediation

JavaScript Security Analyzer:
– Static taint analysis of client-side JavaScript

Ease of Use – Configure & test:
– Scan Expert provides recommended settings based on your apps

Integrate with Defect Tracking Systems:
– Rational® ClearQuest
– HP Quality Center

Details & guidance to correct the vulnerability:
– Explanation of threat and recommended fix

Compliance & Reporting:
– 40+ compliance reports
– Executive-level summaries
– Guidance for development
What Is AppScan Enterprise Server?

– A centralized solution for Web application security testing & assessments
– Provides detailed and high-level reports of identified security issues
– Enables security specialists to communicate identified issues to Development and Management

Benefits:
– Provides centralized DAST capability
– Provides visibility of security and regulatory compliance risk
– Enables communication and collaboration among different stakeholders
AppScan Enterprise – Application Security Governance & Risk Management

Scalability & Control
• Assess 1000s of applications
• Engage more testers
• Manage permissions, test policies, user roles and access control

Visibility & Compliance
• Dashboards
• Non-compliance Risks (40+ reports)

Measure & Improve
• KPIs
• Trending
Application Security Inventory

• Applications Summary & Details
• Create/Import/Remove Applications
• Search Filters
• Security Tests Status Summary & Details
• Application list and associated risk
What Is Our Application Security Status?

– How many applications have we assessed?
– Which are our most important applications?
– Which applications present the highest risk?
– What are the most common mistakes developers make?
– Which vulnerabilities should we fix first?
THANK YOU
FOLLOW US ON:

ibm.com/security

securityintelligence.com
xforce.ibmcloud.com

@ibmsecurity

youtube/user/ibmsecuritysolutions

© Copyright IBM Corporation 2016. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind,
express or implied. Any statement of direction represents IBM's current intent, is subject to change or withdrawal, and represent only goals and objectives. IBM, the IBM logo, and other IBM products
and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service
marks of others.
Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your
enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others.
No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems,
products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products
or services to be most effective. IBM does not warrant that any systems, products or services are immune from, or will make your enterprise immune from, the malicious or illegal conduct of any party.
