AppScan Solution Overview PDF
SOLUTION OVERVIEW
Sergio López
15 June 2016
IBM Application Security Framework
Application Security Management
3 IBM Security
Automated Dynamic Analysis (“Black Box” Testing)
(Diagram: crawl of the demo site altoro.com, from / to feedback.jsp, logout.jsp and editProfile.jsp, followed by the step "Identify Vulnerabilities".)
Automated Static Analysis (“White Box” Testing)
    // Vulnerable servlet handler shown on the slide: untrusted request
    // parameters are concatenated into a SQL query (SQL injection).
    DoPost() {                                                   // DoPost
        String username = request.getParameter("username");      // GetParam (Source)
        String password = request.getParameter("password");      // GetParam (Source)
        String query = "SELECT * from tUsers where "
            + "userid='" + username + "' "
            + "AND password='" + password + "'";                 // Str.Append (taint propagates)
        ResultSet rs = stmt.executeQuery(query);                 // ExecuteQuery (Sink)
    }

(Diagram: the call graph and taint trace produced by "Compile & Translate": DoPost → GetParam (Source) → Str.Append → ExecuteQuery.)
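As an added illustration that is not part of the slide deck and not AppScan's own engine, the following toy forward taint analysis walks a constructed three-address IR of the DoPost() handler above and reports the Source → Str.Append → Sink trace, together with the injectable variables, that the slide's trace view presents. The IR, the source/sink names and the step labels are assumptions chosen to mirror the slide.

```python
# Minimal forward taint analysis (added illustration, not AppScan's engine):
# walks a constructed IR of the slide's DoPost() and reports the trace.
SOURCES = {"GetParam"}      # calls returning attacker-controlled data
SINKS = {"ExecuteQuery"}    # calls whose arguments must never be tainted
# Constructed IR for the slide's code: (op, destination, operands).
DOPOST_IR = [
    ("call", "username", ("GetParam", "request", "'username'")),
    ("call", "password", ("GetParam", "request", "'password'")),
    ("const", "t1", ("SELECT * from tUsers where userid='",)),
    ("append", "t2", ("t1", "username")),
    ("const", "t3", ("' AND password='",)),
    ("append", "t4", ("t2", "t3")),
    ("append", "query", ("t4", "password")),
    ("call", "rs", ("ExecuteQuery", "stmt", "query")),
]

def merge(entries):
    """Union the traces and origins of several tainted operands, in order."""
    steps, origins = [], set()
    for s, o in entries:
        steps += [x for x in s if x not in steps]
        origins |= o
    return steps, origins

def taint_trace(ir, sources=SOURCES, sinks=SINKS):
    """Forward taint propagation; one finding per sink reached by tainted
    data, with the step trace and the 'exact injectable variables'."""
    taint = {}     # variable -> (trace steps, set of source variables)
    findings = []
    for op, dest, operands in ir:
        if op == "call":
            callee, *args = operands
            if callee in sources:
                taint[dest] = ([("Source", callee, dest)], {dest})
                continue
            hit = [a for a in args if a in taint]
            if not hit:
                continue
            steps, origins = merge(taint[a] for a in hit)
            if callee in sinks:
                findings.append({"sink": callee, "injectable": sorted(origins),
                                 "trace": steps + [("Sink", callee, hit[0])]})
            else:   # unknown callee: conservatively taint its result
                taint[dest] = (steps + [("Call", callee, dest)], origins)
        elif op == "append":   # string concatenation propagates taint
            hit = [a for a in operands if a in taint]
            if hit:
                steps, origins = merge(taint[a] for a in hit)
                taint[dest] = (steps + [("Str.Append", "+", dest)], origins)
    return findings
```

Running `taint_trace(DOPOST_IR)` yields a single finding on ExecuteQuery whose injectable variables are username and password; dropping the two GetParam calls (a query built only from constants) yields no finding.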
IBM AppScan Ecosystem
(Diagram of the AppScan ecosystem; the only recoverable label is AppScan Enterprise.)
IBM Security Systems AppScan Suite
What Is AppScan Source Edition?
A static code analysis security testing solution with centralized control of security policies
White Box Scanning
AppScan Source Supported Languages
AppScan Source Architecture
Security Analyst & Developer Interfaces
(Screenshot callouts:)
• Vulnerability Groups
• Priority Matrix
• Easy to Read Trace
• CWE Link
• Taint Assignments
• Detailed Help
• Exact Injectable Variable
AppScan Standard: Desktop solution combines advanced security testing,
broad technology coverage and ease of use
Web Application Assessments for Pen-Testers and Security Practitioners
Dynamic Analysis (black box)
• Covers all relevant OWASP & WASC TCv2 threat classes
  – SQL Injection
  – Cross-Site Scripting
  – HTTP Response Splitting
  – OS Commanding
  – LDAP Injection
  – XPath Injection
  – Buffer Overflows
  – 1000s more

Web 2.0 and Rich Internet Applications
  – JavaScript & Ajax
  – Adobe Flash & Flex

Web Services / SOA
  – SOAP/XML parser issues (External entities, XML blowup, etc.)
  – Application-layer issues
  – Infrastructure issues

Malware analysis
  – Scan site with malware analysis from IBM X-Force Security Research

Hybrid Technology
• Runtime Analysis (glass box testing)
  – Expanded threat coverage with less configuration
  – Precise results (line of code) assist remediation
• JavaScript Security Analyzer
  – Static taint analysis of client-side JavaScript

Ease of Use
• Configure & test
  – Scan Expert provides recommended settings based on your apps

Integrate with Defect Tracking Systems
  – Rational® ClearQuest
  – HP Quality Center

Details & guidance to correct the vulnerability
  – Explanation of threat and recommended fix

Compliance & Reporting
  – 40+ compliance reports
  – Executive-level summaries
  – Guidance for development
What Is AppScan Enterprise Server?
Benefits:
• Provides centralized DAST capability
AppScan Enterprise – Application Security Governance & Risk Management
• Dashboards
• Non-compliance Risks (40+ reports)
Application Security Inventory
THANK YOU
FOLLOW US ON:
ibm.com/security
securityintelligence.com
xforce.ibmcloud.com
@ibmsecurity
youtube/user/ibmsecuritysolutions
© Copyright IBM Corporation 2016. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind,
express or implied. Any statement of direction represents IBM's current intent, is subject to change or withdrawal, and represent only goals and objectives. IBM, the IBM logo, and other IBM products
and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service
marks of others.
Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your
enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others.
No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems,
products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products
or services to be most effective. IBM does not warrant that any systems, products or services are immune from, or will make your enterprise immune from, the malicious or illegal conduct of any party.