IBM AppScan - the total software security solution
-
Upload
vietsoftware-international-inc -
Category
Software
-
view
130 -
download
6
Transcript of IBM AppScan - the total software security solution
IBM AppScanThe total security solutionThuc X.Vu <[email protected]>
Reseacher, founder of IoT and Data processing LabsVietsoftware International Inc.Website: http://labsofthings.com/
IBM AppScan Solution2 Vietsoftware International Inc.
Agenda
Introduction to security
Best Practices for Application Security
IBM AppScan security solution
DEMO
IBM AppScan Solution3 Vietsoftware International Inc.
Introduction to security
Desktop Transport Network Web Applications
AntivirusProtection
Encryption(SSL)
Firewalls /IDS / IPS
Firewall
Web ServersDatabases
BackendServer
ApplicationServers
Info Security LandscapeInfo Security Landscape
IBM AppScan Solution4 Vietsoftware International Inc.
Hackers Exploit Unintended Functionality to Attack Apps
Intended Functionality
Unintended Functionality
Actual Functionality
IBM AppScan Solution5 Vietsoftware International Inc.
01/01/2006 union select userid,null,username+','+password,null from users--
Application responds with user names and passwords of other account holders!
IBM AppScan Solution6 Vietsoftware International Inc.
Application Threat Negative Impact Example Impact
Cross Site scripting Identity Theft, Sensitive Information Leakage, …
Hackers can impersonate legitimate users, and control their accounts.
Injection Flaws Attacker can manipulate queries to the DB / LDAP / Other system
Hackers can access backend database information, alter it or steal it.
Malicious File Execution Execute shell commands on server, up to full control
Site modified to transfer all interactions to the hacker.
Insecure Direct Object Reference Attacker can access sensitive files and resources
Web application returns contents of sensitive file (instead of harmless one)
Cross-Site Request Forgery Attacker can invoke “blind” actions on web applications, impersonating as a trusted user
Blind requests to bank account transfer money to hacker
Information Leakage and Improper Error Handling
Attackers can gain detailed system information
Malicious system reconnaissance may assist in developing further attacks
Broken Authentication & Session Management
Session tokens not guarded or invalidated properly
Hacker can “force” session token on victim; session tokens can be stolen after logout
Insecure Cryptographic Storage Weak encryption techniques may lead to broken encryption
Confidential information (SSN, Credit Cards) can be decrypted by malicious users
Insecure Communications Sensitive info sent unencrypted over insecure channel
Unencrypted credentials “sniffed” and used by hacker to impersonate user
Failure to Restrict URL Access Hacker can access unauthorized resources Hacker can forcefully browse and access a page past the login page
The OWASP Top 10
IBM AppScan Solution7 Vietsoftware International Inc.
2013 Web Application Vulnerabilities Found Trend
IBM AppScan Solution8 Vietsoftware International Inc.
Agenda
Introduction to security
Best Practices for Application Security
IBM AppScan security solution
DEMO
IBM AppScan Solution9 Vietsoftware International Inc.
Building Security Into the Development Process
*Graphics from OWASP.com
• Test existing deployed apps• Eliminate security exposure in
live applications
Production
• Test apps before going to production• Deploy secure web applications
Deploy
• Test apps for security issues in QA organization along with performance and functional testing
• Reduce costs of security testing
Test
• Test apps for security issues in Development identifying issues at their earliest point
• Realize optimum security testing efficiencies (cost reduction)
Development• Security requirements, architecture, threat modeling, etc
Define/Design
IBM AppScan Solution10 Vietsoftware International Inc.
Security Testing Within the Software Lifecycle
Build
Developers
SDLCSDLC
Developers
Developers
Coding QA Security Production
Application Security Testing Maturity
IBM AppScan Solution11 Vietsoftware International Inc.
Agenda
Introduction to security
Best Practices for Application Security
IBM AppScan security solution
DEMO
IBM AppScan Solution12 Vietsoftware International Inc.
Types of analysis method
• Static analysis: Approach for verifying software (including finding defects) without executing software– Source code vulnerability scanning tools, code inspections,
etc.
• Dynamic analysis: Approach for verifying software (including finding defects) by executing software on specific inputs & checking results (“oracle”)– Functional testing, web application scanners, fuzz testing,
etc.
• Hybrid analysis: Combine above approaches
IBM AppScan Solution14 Vietsoftware International Inc.
Application Security Testing
• Training – Applications Security & Product ( Instructor led , self paced – classroom & web based)• Test policies, test templates and access control• Dashboards, detailed reports & trending• Manage regulatory requirements such as DIACAP, PCI, GLBA and HIPAA (40+ out-of-the-box compliance reports)
Scanning Techniques
Applications
Governance & Collaboration
Web Applications Web Services
• Web 2.0\HTML5• AJAX• Java Script• Adobe Flash & Flex
Mobile Application
s• iPhone ObjectiveC• Android Java
Programming Languages• C#• ASP.NET• VB.NET• Classic ASP• ColdFusion• VB6, VBScript
• HTML• PHP• Perl• PL/SQL, T-SQL• Client-side JavaScript• Server-side JavaScript
Build Systems improve scan efficiencies
Integrated
Audience Development teams Security teams Penetration Testers
CODING BUILD QA SECURITY PRODUCTION
Static analysis)white box(
SDLC
• Java/Android • JSP• C, C++• COBOL• SAP ABAP
(Rational Build Forge, Rational Team Concert, Hudson, Maven)
Defect Tracking Systems
track remediation
(Rational Team Concert, Rational ClearQuest,
HP QC, MS Team Foundation Server)
IDEs remediation assistance
(RAD, Rational Team Concert,
Eclipse, Visual Studio
Security Intelligence raise threat level
(SiteProtector, QRadar, Guardium)
Source code vulnerabilities & code quality risksData & Call Flow analysis tracks tainted data
Dynamic analysis)black box(
Live Web ApplicationWeb crawling & Manual testing
Hybrid Glass Box analysis
PurchasedApplications
IBM AppScan Solution15 Vietsoftware International Inc.
IBM AppScan security solution
1. IBM AppScan Source2. IBM AppScan Standard3. IBM AppScan Enterprise
All work within the Software Lifecycle
IBM AppScan Solution16 Vietsoftware International Inc.
AppScan Source for SAST
AppScan Source is a static application security testing (SAST) solution.- Scans application source code for security vulnerabilities
• SQL injection, command injection, cross-site scripting, buffer overflow- These vulnerabilities are exploitable weaknesses in code that lead to:
• Loss of reputation• Loss of money• A breach or an exposure of sensitive information• Business noncompliance
AppScan Source enables organizations to proactively identify and mitigate security risk.
There are four distinct AppScan Source components:- AppScan Source for Remediation- AppScan Source for Development- AppScan Source for Automation- AppScan Source for Analysis
IBM AppScan Solution17 Vietsoftware International Inc.
AppScan Source SAST LifecycleCONFIGURE
AppScan Source•For Remediation•For Development
AppScan Source•For Analysis
•For Development•For Automation
SCAN
REMEDIATE
AppScan Source•For Analysis
TRIAGE
High-confidence findings
ASSIGN
AppScan Enterprise
REPORT
>>>>>
AppScan Source•For Analysis
IBM AppScan Solution18 Vietsoftware International Inc.
Is a security vulnerability testing tool for web applications and web services Features the most advanced testing methods
What is AppScan Standard?
IBM AppScan Solution19 Vietsoftware International Inc.
Scan Technologies for AppScan standardEmploys three distinct testing techniques:
Dynamic Analysis (“black-box scanning”)testing and evaluating application responses during run-time
Static Analysis (“white-box scanning”)analyzes JavaScript code in the context of the full web page
Interactive Analysis (“glass box scanning”)interact with a dedicated glass-box agent which resides on the web-server itself
IBM AppScan Solution20 Vietsoftware International Inc.
Workflow for AppScan Standard
IBM AppScan Solution21 Vietsoftware International Inc.
AppScan Enterprise
Security Team
Integrate Web Application Security in the SDLC
AppScan Enterprise
Manage Problem Resolution Through
T re n d i n g Re po r t s
Reuse and Run Mult iple Scans
Across Applications
MONITORSCALEPush Reports to Developers, QA,
andN on - S ec u r i t y S t a f f
INFORM
What is AppScan Enterprise?
IBM AppScan Solution23 Vietsoftware International Inc.
DEMO – Test Site And Project (Altoro Mutual)
URL: http://demo.testfire.net Account: jsmith / demo1234
IBM AppScan Solution24 Vietsoftware International Inc.
Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings. Gartner research publications consist of the
opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness
for a particular purpose
Magic Quadrant for Application Security TestingNeil MacDonald, Joseph Feiman July 2, 2013
This Magic Quadrant graphic was published by Gartner, Inc. as part of a larger research note and should be evaluated in the
context of the entire report. The link to the Gartner report is available upon request from IBM.
“The market for application security testing is changing rapidly. Technology trends, such as mobile applications, advanced Web applications and dynamic languages, are forcing the need to combine dynamic and static testing capabilities, which is reshaping the overall market.”
Gartner has recognized IBM as a leader in the Magic Quadrant for Application Security Testing (AST)
IBM AppScan Solution25 Vietsoftware International Inc.
Additional Information Documents
EMA Impact Brief - IBM Security AppScan 8.7 Adds Support for iOS Mobile Appshttps://www14.software.ibm.com/webapp/iwm/web/signup.do?source=swg-
WW_Security_Organic&S_PKG=ov14494&S_TACT=102PW29W
AppScan Source Data Sheethttp://public.dhe.ibm.com/common/ssi/ecm/en/rad14105usen/RAD14105USEN.PDF
AppScan Standard Data Sheet: http://public.dhe.ibm.com/common/ssi/ecm/en/rad14019usen/RAD14019USEN.PDF
AppScan Enterprise Data Sheetftp://public.dhe.ibm.com/common/ssi/ecm/en/rad14113usen/RAD14113USEN.PDF
Posts
2013 Gartner Application Security Testing MQ and the Evolution of Software Securityhttp://securityintelligence.com/2013-gartner-application-security-testing-mq-and-the-evolution-of-software-security/
Gartner Publishes 2013 Magic Quadrant for Application Security Testing (AST)http://securityintelligence.com/gartner-magic-quadrant-for-application-security-testing-2013/
Podcasts
2013 Gartner Magic Quadrant for Application Security Testing http://www.blogtalkradio.com/calebbarlow/2013/07/25/2013-gartner-magic-quadrant-for-application-security-testing
Application + Threat + Security intelligence = Priceless http://www.blogtalkradio.com/calebbarlow/2012/08/13/threat-application-security-intelligence-priceless
Taking Application Security from the Whiteboard to Reality http://www.blogtalkradio.com/calebbarlow/2012/06/11/taking-application-security-from-the-whiteboard-to-reality
IBM AppScan Solution26 Vietsoftware International Inc.
VideosOverview of IBM Security AppScanhttp://www.youtube.com/watch?v=9R4IjZpKt8I
How College Board is Building Security into Application Developmenthttp://www.youtube.com/watch?v=TtqhlcTnbg8
Building Better, More Secure Applicationshttp://www.youtube.com/watch?v=UcN2uUolgKk
Using Application Security Testing to Increase Deployment Speedhttp://www.youtube.com/watch?v=VImy3ilYUSk
IBM Security AppScan 8.7 for iOS mobile application supporthttp://www.youtube.com/watch?v=I73tbAmJIGw
IBM Security AppScan 8.7 for iOS Applicationshttp://www.youtube.com/watch?v=egnEH-GGQEI
IBM Security AppScan: Analysis Perspectivehttp://www.youtube.com/watch?v=UZD53ZgV848
IBM AppScan Solution27 Vietsoftware International Inc.
Credits
Implemented IBM Appscan for customers in Vietnam:
Vietcombank; VietinBank; Vietnam Customs
Some presentations on Enterprise Mobile Solution,
Security, ECommerce at
http://www.slideshare.net/papaiking/
IBM AppScan Solution28 Vietsoftware International Inc.
Smarter security for a smarter planet