appscan introduction

Upload: leminh74

Post on 02-Jun-2018


TRANSCRIPT

  • 8/11/2019 Appscan Introduction

    Slide 1/17: Introduction to AppScan Enterprise

    IBM Software Group

    2007 IBM Corporation

  • Slide 2/17: Contents

    The Application Security Problem

    What is AppScan Enterprise?

    Main Features

    How does AppScan Enterprise work?

    Key Concepts and Terminology

    User Interface Tour

  • Slide 3/17: The Web Application Security Reality

    Chart (share of attacks vs. share of security spending, by layer):

                          % of Attacks    % of Dollars (Security Spending)
    Web Applications          75%              10%
    Network / Server          25%              90%

    Sources: Gartner, Watchfire

    75% of All Attacks on Information Security Are Directed to the Web Application Layer

    2/3 of All Web Applications Are Vulnerable

  • Slide 4/17: Web Application Security Challenges

    1. Security Team Has Become a Bottleneck

    2. Lack of Control and Visibility

    3. Catching Problems Late in the Cycle

    4. Not Monitoring Deployed Applications

    5. Difficulty Managing 3rd Party Vendors

  • Slide 5/17: Web Application Security Evolution

    Maturity stages, from least to most mature:

    Unaware

    Outsourced: Consultants, Pen Testing

    Tactical: Manual Efforts, Desktop Audit Tools, 2-3 Internal Security Experts

    Strategic: Enterprise-Wide Scalable Solution

    Solving The Problem Requires a Strategic Approach

  • Slide 6/17: What is AppScan Enterprise?

    Security Team: Integrate Web Application Security in the SDLC

    SCALE: Reuse and Run Multiple Scans Across Applications

    INFORM: Push Reports to Developers, QA, and Non-Security Staff

    MONITOR: Manage Problem Resolution Through Trending Reports

  • Slide 7/17: AppScan Enterprise Key Features & Benefits

    1. Enterprise Metrics and Visibility: Increase visibility and better understand enterprise risks

    2. Controlled, Web-based Application Testing: Enable Development and QA to perform testing during the SDLC; Control what applications each user can test

    3. Controlled, Web-based Report Distribution: Easily distribute reports; Control the access to information

    4. Issue Management: Focus on fixing issues, not just finding issues

  • Slide 8/17: Multiple Report Levels

    Dashboards

    Report Pack Summaries

    Detailed Reports

    About this Report

  • Slide 9/17: Report Categories

    Inventory Reports: Broken Links, Hosts, Pages, etc.

    Security Reports: Application Security Issues, Infrastructure Security Issues, Remediation Tasks, Security Risk Assessment

    Compliance Reports: Safe Harbour, Sarbanes-Oxley Act (SOX), Visa CISP, etc.

  • Slide 10/17: User Roles and Access Permissions

    Roles: Security Manager, Pen Tester, Developer, Compliance Officer

    AppScan Enterprise:

    Control access to information

    Assign user roles

    Specify what applications a user can scan

    Specify what types of tests a user can perform

  • Slide 11/17: What does AppScan Enterprise test for?

    Network

    Operating System

    Applications

    Database

    Web Server

    Web Server Configuration

    Third-party Components

    Web Applications

  • Slide 12/17: How does AppScan Enterprise work?

    Approaches an application as a black-box

    Traverses a web application

    Tests by sending modified HTTP requests

    Thousands of tests for identifying hundreds of vulnerabilities

    Diagram: HTTP Request / HTTP Response exchanged with the Web Application (Web Servers, Application, Databases)

  • Slide 13/17: AppScan Enterprise Architecture

    Diagram: Clients -> AppScan Enterprise -> Target Sites

  • Slide 14/17: Terminology

    Content Scan Job

    Infrastructure Scan Job

    Import Job

    Report Pack

    Dashboard

    Folder

  • Slide 15/17: Jobs, Report Packs, Reports & Dashboards

    Diagram of the data flow:

    Job 1 (Security Scan), Job 2 (Security Data Import), Job 3 (Security Scan), Job 4 (Infrastructure Scan) -> Global Scan Data

    Global Scan Data -> Report Pack 1, Report Pack 2, Report Pack 3 -> Reports

    Reports -> Dashboard 1, Dashboard 2

  • Slide 16/17: Web-Based User Interface

    Navigate to AppScan Enterprise, e.g. http://aseserver/appscan

    Enter your user name and password

  • Slide 17/17: Quick Scan vs. Advanced View

    The UI mode is set in the user's properties.

    Quick Scan View:

    Makes it easier to create a scan by abstracting complexity

    Leverages scan templates created by the administrator

    Reduces the scan configuration time

    Suitable for developers and QA specialists who create ad-hoc scans

    Advanced View:

    Exposes all scan options

    Suitable for administrators and advanced users