Discovering the Value of Verifying Web Application Security Using IBM Rational AppScan aka hacking...
Presented in March 2008 in Wellington, New Zealand.
© 2007 IBM Corporation
IBM Software Group
An IBM Proof of Technology
Discovering the Value of Verifying Web Application Security Using IBM Rational AppScan
Lee Kinsman – Software Architect
Alan Kan – Technical Specialist
Discovering the Value of Verifying Web Application Security Using IBM Rational AppScan© 2007 IBM Corporation 2
TechWorks
Agenda
● Introductions & facilities
● The importance of web application security
● Vulnerability Analysis – Top Attacks Overview (Hands on Labs 1-2)
● Vulnerability Analysis (continued) (Hands on Labs 3-5)
● Automated Vulnerability Analysis – AppScan Overview (Hands on Lab 6)
POT Objectives
By the end of this session you will:
Understand the web application environment
Understand and differentiate between network and application level vulnerabilities
Understand where the vulnerabilities exist
Understand how to leverage AppScan to perform an automated scan for vulnerabilities
The Alarming Truth
● LexisNexis Data Breach – Washington Post, Feb 17, 2008
● IndiaTimes.com Malware – InformationWeek, Feb 17, 2008
● Hacker breaks into Ecuador’s presidential website – Thaindian, Feb 11, 2008
● Hacking Stage 6 – Wikipedia, Feb 9, 2007
● Hacker steals Davidson Cos client data – Falls Tribune, Feb 4, 2008
● RIAA wiped off the Net – The Register, Jan 20, 2008
● Chinese hacker steals 18M identities – HackBase.com, Feb 10, 2008
● Mac blogs defaced by XSS – The Register, Feb 17, 2008
● Your Free MacWorld Expo Platinum Pass – CNet, Jan 14, 2008
● Hacker takes down Pennsylvania gvmt – AP, Jan 6, 2008
● Drive-by Pharming in the Wild – Symantec, Jan 21, 2008
● Italian Bank hit by XSS fraudsters – Netcraft, Jan 8, 2008
● Greek Ministry websites hit by hacker intrusion – eKathimerini, Jan 31, 2008
The Alarming Truth
“Security Intelligence Service director Warren Tucker revealed government department websites had been attacked and information stolen” – nzherald.co.nz, Sep 12, 2007
“A florist which does all of its business online has had its website targeted by hackers and customers' credit card details have been stolen.” – abc.net.au, Sep 17, 2007
“Turkish hackers bring down insurer's site… The site was shut down as a precaution and was unavailable for most of today” – SMH.com.au, July 20, 2007
“Computer hackers have cracked the defences of dozens of top government and business sector internet sites this year, raising concerns about the safety of consumers' financial and personal information.” – SMH.com.au, October 14, 2007
“Approximately 100 million Americans have been informed that they have suffered a security breach so this problem has reached epidemic proportions.” – Jon Oltsik, Enterprise Strategy Group
Security and compliance risks
Security and compliance integrity risks have serious adverse impacts on a company’s identity, customer relations and business results.
● 90% of sites are vulnerable to application attacks
● 80% of organizations will experience an application security incident by 2010
● 64% of CIOs feel that the most significant challenge facing IT organizations is Security, Compliance and Data Protection (Disability Discrimination Act (DDA), Payment Card Industry (PCI) Standards, SOX)
● 75% of the cyber attacks today are at the application level
● Compliance requirements: Payment Card Industry (PCI) Standards, GLBA, HIPAA, FISMA
Reality: Security and Spending Are Unbalanced
[Chart: share of attacks vs. share of security spending, by layer]
● Web applications: 75% of attacks, 10% of security dollars
● Network / server: 25% of attacks, 90% of security dollars
75% of all attacks on information security are directed to the web application layer
2/3 of all web applications are vulnerable
Sources: Gartner, Watchfire
2006 Vulnerability Statistics (31,373 sites)
** http://www.webappsec.org/projects/statistics/
The Myth: Our Site Is Safe
● We use network vulnerability scanners
● We have firewalls in place
● We audit it once a quarter with pen testers
● We use SSL encryption
Confusing Network Security Discipline with Application Security
“Application developers and their superiors in IT departments too often mistakenly believe that firewalls, IDS / IPS, and network traffic encryption are sufficient measures for application security. By doing so they are confusing application security with network security”
“None of those technologies hardens application code. All those technologies deal with traffic to applications, not with the applications themselves… Applications need protection through separate, specific security discipline – application security”
Application Security Testing, Gartner, March 2, 2007
High Level Web Application Architecture Review
[Diagram: Client tier (browser) – Internet – Firewall – Middle tier: App Server (presentation, business logic) – Data tier: Database]
● Client tier: the user’s browser, reaching the application over the Internet
● Middle tier: the app server (presentation and business logic); the customer application is deployed here
● Data tier: the database; sensitive data is stored here
● SSL protects the transport; the firewall protects the network
Network Defenses for Web Applications
[Diagram: perimeter defenses placed in front of the web application]
● Firewall
● Perimeter IDS / IPS (Intrusion Detection System, Intrusion Prevention System)
● Application Firewall
● System Incident Event Management (SIEM)
Port 80 and Port 443 are open for business…
Building Security & Compliance into the SDLC
[Diagram: SDLC stages – Build (Developers), Coding, QA, Security, Production]
● Enable Security to effectively drive remediation into development
● Provide Developers and Testers with expertise on detection and remediation ability
● Ensure vulnerabilities are addressed before applications are put into production
Where are the Vulnerabilities?
[Diagram: the layers of the stack and the security tool categories that cover each]
Layers:
● Network
● Operating System
● Applications
● Database
● Web Server
● Web Server Configuration
● Third-party Components
● Web Applications (Client-Side, Custom, Web Services)
Tool coverage:
● Network: Nessus, ISS, QualysGuard, eEye Retina, Foundstone
● Host: Symantec, NetIQ, ISS, CA, Harris STAT
● Database: AppSec Inc, NGS Software
● App Scanners: Watchfire, SPI Dynamics, Cenzic, NT Objectives, Acunetix WVS
● Code Scanning (emerging tech): Fortify, Ounce Labs, Secure Software, Klocwork, Parasoft
Security Defects: Those I manage vs. Those I own
Infrastructure Vulnerabilities or Common Web Vulnerabilities (CWVs) vs. Application Specific Vulnerabilities (ASVs):
● Cause of defect – CWVs: insecure application development by 3rd party SW; ASVs: insecure application development in-house
● Location within application – CWVs: 3rd party technical building blocks or infrastructure (web servers, ...); ASVs: business logic, dynamic data consumed by an application
● Type(s) of exploits – CWVs: known vulnerabilities (patches issued), misconfiguration; ASVs: SQL injection, path tampering, cross site scripting, suspect content & cookie poisoning
● Detection – CWVs: match signatures & check for known misconfigurations; ASVs: requires application specific knowledge
● Business risk – CWVs: patch latency is the primary issue; ASVs: requires automatic application lifecycle security
● Cost control – CWVs: as secure as the 3rd party software; ASVs: early detection saves $$$
OWASP and the OWASP Top 10 list
● Open Web Application Security Project – an open organization dedicated to fighting insecure software
● “The OWASP Top Ten document represents a broad consensus about what the most critical web application security flaws are”
● We will use the Top 10 list to cover some of the most common security issues in web applications
The OWASP Top 10 list
Application threat: negative impact. Example impact.
● Cross Site Scripting: identity theft, sensitive information leakage, … Example: hackers can impersonate legitimate users, and control their accounts.
● Injection Flaws: attacker can manipulate queries to the DB / LDAP / other system. Example: hackers can access backend database information, alter it or steal it.
● Malicious File Execution: execute shell commands on server, up to full control. Example: site modified to transfer all interactions to the hacker.
● Insecure Direct Object Reference: attacker can access sensitive files and resources. Example: web application returns contents of a sensitive file (instead of a harmless one).
● Cross-Site Request Forgery: attacker can invoke “blind” actions on web applications, impersonating a trusted user. Example: blind requests to bank account transfer money to hacker.
● Information Leakage and Improper Error Handling: attackers can gain detailed system information. Example: malicious system reconnaissance may assist in developing further attacks.
● Broken Authentication & Session Management: session tokens not guarded or invalidated properly. Example: hacker can “force” a session token on a victim; session tokens can be stolen after logout.
● Insecure Cryptographic Storage: weak encryption techniques may lead to broken encryption. Example: confidential information (SSN, credit cards) can be decrypted by malicious users.
● Insecure Communications: sensitive info sent unencrypted over an insecure channel. Example: unencrypted credentials “sniffed” and used by hacker to impersonate user.
● Failure to Restrict URL Access: hacker can access unauthorized resources. Example: hacker can forcefully browse and access a page past the login page.
1. Cross-Site Scripting (XSS)
● What is it? Malicious script echoed back into HTML returned from a trusted site, and runs under the trusted context
● What are the implications? Session tokens stolen (browser security circumvented); complete page content compromised; future pages in browser compromised
Cross Site Scripting – The Exploit Process
[Diagram: Evil.org, User, bank.com]
1) Link to bank.com sent to user via e-mail or HTTP
2) User sends script embedded as data
3) Script/data returned, executed by browser
4) Script sends user’s cookie and session information without the user’s consent or knowledge
5) Evil.org uses stolen session information to impersonate user
XSS Example I
HTML code:
XSS Example II
HTML code:
XSS – Details
● Common in search, error pages and returned forms, but can be found on any type of page
● Any input may be echoed back: path, query, post-data, cookie, header, etc.
● Browser technology used to aid the attack: XMLHttpRequest (AJAX), Flash, IFrame…
● Has many variations: XSS in attribute, DOM based XSS, etc.
Exploiting XSS
● If I can get you to run my JavaScript, I can…
  Steal your cookies for the domain you’re browsing
  Track every action you do in that browser from now on
  Redirect you to a phishing site
  Completely modify the content of any page you see on this domain
  Exploit browser vulnerabilities to take over the machine
  …
● XSS is the top security risk today (most exploited)
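The reflected-search case the XSS slides describe, as an added example (not code from the slides or from AppScan): a Python rendering of a search results page with the input echoed raw beside the output-encoded version, the attribute-context variant, and the HttpOnly/Secure cookie attributes that limit what a script can read if an echo is ever missed. The sample query, the cookie value and all function names are constructed for this example.

```python
import html
from http.cookies import SimpleCookie

# Constructed sample input: a search term carrying a script tag, the kind of value
# the slides describe being echoed back into the HTML of a trusted page.
SAMPLE_QUERY = "<script>xss()</script>"


def render_search_vulnerable(query: str) -> str:
    """Echoes the query straight into the page body: the reflected XSS defect."""
    return f"<p>Results for: {query}</p>"


def render_search_hardened(query: str) -> str:
    """Output-encodes for an HTML text context: < > & " ' become entities, so the
    browser renders the input as text instead of parsing it as markup."""
    return f"<p>Results for: {html.escape(query, quote=True)}</p>"


def render_attribute_hardened(query: str) -> str:
    """The 'XSS in attribute' variation: a value echoed inside an attribute must be
    both quoted and escaped, otherwise a stray quote closes the attribute early."""
    return f'<input type="text" name="q" value="{html.escape(query, quote=True)}">'


def session_cookie_header(token: str) -> str:
    """Defence in depth for the session token stolen in step 4 of the exploit process:
    HttpOnly keeps document.cookie from reading it, Secure keeps it off plain HTTP."""
    cookie = SimpleCookie()
    cookie["session"] = token
    cookie["session"]["httponly"] = True
    cookie["session"]["secure"] = True
    cookie["session"]["path"] = "/"
    return cookie.output(header="Set-Cookie:")


if __name__ == "__main__":
    print(render_search_vulnerable(SAMPLE_QUERY))   # script tag survives intact
    print(render_search_hardened(SAMPLE_QUERY))     # &lt;script&gt;xss()&lt;/script&gt;
    print(render_attribute_hardened('"><script>xss()</script>'))
    print(session_cookie_header("constructed-token"))
```

Encoding is chosen per output context: the same `html.escape` call is right for text and quoted attributes, but a value placed into a script block or a URL needs that context's encoding instead, which is why the slides list "XSS in attribute" and "DOM based XSS" as separate variations.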
Hands-on Labs
Lab 1 – Profile Web Application
Lab 2 – Steal Cookies
Lab 3 – Login without Credentials
Lab 4 – Steal Usernames and Passwords
Lab 5 – Logging into the Administrative Portal
Lab 6 – Automated Scan of Website
Lab 1 Profile Web Application
● The Goal of this lab is to profile the demo.testfire.net application
● Identify the Lab Workbook and where to start (page 5), where to stop (page 11)
Lab 2 Steal Cookies
● The goal of the lab is to utilize a Cross Site Scripting vulnerability on the demo.testfire.net application in order to access cookies on a target user’s browser
● Identify the Lab Workbook and where to start (page 12), where to stop (page 18)
2 - Injection Flaws
● What is it? User-supplied data is sent to an interpreter as part of a command, query or data.
● What are the implications? SQL Injection – access/modify data in DB; SSI Injection – execute commands on server and access sensitive data; LDAP Injection – bypass authentication; …
SQL Injection
● User input inserted into SQL command. Get product details by id:
    Select * from products where id='$REQUEST["id"]';
  Hack: send param id with value ' or '1'='1
  Resulting executed SQL:
    Select * from products where id='' or '1'='1'
  All products returned
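The same product lookup as an added example (not code from the slides, which show it in PHP), run against a constructed in-memory SQLite table: the concatenated query returns every row for the slide's payload, while the parameterised form binds the value and matches nothing. The table contents, function names and the id validation rule are all constructed for this example.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory products table standing in for the slide's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id TEXT PRIMARY KEY, name TEXT, price REAL)")
    conn.executemany(
        "INSERT INTO products VALUES (?, ?, ?)",
        [("1", "Widget", 9.99), ("2", "Gadget", 19.99), ("3", "Gizmo", 29.99)],
    )
    return conn


def get_product_vulnerable(conn: sqlite3.Connection, product_id: str) -> list:
    """The slide's pattern: the request value is pasted into the SQL text, so quote
    characters in it change the shape of the statement the database parses."""
    sql = f"SELECT * FROM products WHERE id='{product_id}'"
    return conn.execute(sql).fetchall()


def get_product_safe(conn: sqlite3.Connection, product_id: str) -> list:
    """Parameterised query: the value is bound by the driver and never parsed as SQL,
    so the same payload is just a string that matches no row."""
    return conn.execute("SELECT * FROM products WHERE id=?", (product_id,)).fetchall()


def is_valid_product_id(value: str) -> bool:
    """Defence in depth: reject input that cannot be an id before it reaches any query."""
    return value.isdigit() and len(value) <= 10


INJECTION = "' or '1'='1"   # the payload from the slide


if __name__ == "__main__":
    db = make_db()
    print(get_product_vulnerable(db, "2"))         # one row
    print(get_product_vulnerable(db, INJECTION))   # every row: WHERE id='' or '1'='1'
    print(get_product_safe(db, INJECTION))         # []
    print(is_valid_product_id(INJECTION))          # False
```

Binding parameters is the fix; the allowlist check is the extra layer that also keeps the malformed value out of logs and error messages, which matters for the information leakage topic later in the deck.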
SQL Injection Example I
SQL Injection Example II
SQL Injection Example - Exploit
SQL Injection Example - Outcome
Injection Flaws (SSI Injection Example) – Creating commands from input
The return is the private SSL key of the server
3 - Malicious File Execution
● What is it? Application tricked into executing commands or creating files on server
● What are the implications? Command execution on server – complete takeover; site defacement, including XSS option
Malicious File Execution – Example I
Malicious File Execution – Example cont.
Malicious File Execution – Example cont.
4 - Insecure Direct Object Reference
● What is it? Part or all of a resource (file, table, etc.) name controlled by user input.
● What are the implications? Access to sensitive resources; information leakage, aids future hacks
Insecure Direct Object Reference - Example
Insecure Direct Object Reference – Example Cont.
Insecure Direct Object Reference – Example Cont.
5 - Information Leakage and Improper Error Handling
● What is it? Unneeded information made available via errors or other means.
● What are the implications? Sensitive data exposed; web app internals and logic exposed (source code, SQL syntax, exception call stacks, etc.); information aids in further hacks
Information Leakage - Example
Improper Error Handling - Example
Information Leakage – Different User/Pass Error
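An added example (not from the slides) of the two defects on the Information Leakage slides: a login that answers differently for an unknown user and a wrong password beside one that gives the same message and does the same hashing work either way, and a request wrapper that keeps the exception text and stack trace in the server log under a reference id while the client gets only a generic message. The user store, salt, reference-id scheme and failing handler are constructed for this example.

```python
import hashlib
import hmac
import logging
import traceback
import uuid
from typing import Callable, Tuple

log = logging.getLogger("app")
GENERIC_LOGIN_ERROR = "Invalid username or password"
_SALT = b"constructed-salt"            # constructed; a real system stores a salt per user


def _hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 50_000)


# Constructed user store: username -> password hash.
USERS = {"alice": _hash("correct horse")}
_DUMMY_HASH = _hash("placeholder")     # compared against when the user does not exist


def login_leaky(username: str, password: str) -> Tuple[bool, str]:
    """The 'different user/pass error' slide: the message reveals which usernames exist."""
    if username not in USERS:
        return False, "Unknown user"
    if not hmac.compare_digest(USERS[username], _hash(password)):
        return False, "Wrong password"
    return True, "ok"


def login_uniform(username: str, password: str) -> Tuple[bool, str]:
    """One message and the same hashing work whether or not the user exists, so neither
    the text nor the response time says which half of the credential was wrong."""
    stored = USERS.get(username, _DUMMY_HASH)
    ok = hmac.compare_digest(stored, _hash(password)) and username in USERS
    return ok, ("ok" if ok else GENERIC_LOGIN_ERROR)


def handle_request(handler: Callable[[], str]) -> Tuple[int, str]:
    """Improper error handling, fixed: exception text and stack trace go to the server
    log under a reference id; the client sees only the id and a generic message."""
    try:
        return 200, handler()
    except Exception:
        ref = uuid.uuid4().hex[:8]
        log.error("request failed ref=%s\n%s", ref, traceback.format_exc())
        return 500, f"An error occurred. Reference: {ref}"


def failing_handler() -> str:
    # Constructed failure standing in for a broken database query.
    raise RuntimeError("syntax error near 'WHERE' in SELECT * FROM users")


if __name__ == "__main__":
    print(login_leaky("mallory", "x"), login_leaky("alice", "x"))      # two different messages
    print(login_uniform("mallory", "x"), login_uniform("alice", "x"))  # the same message
    print(handle_request(failing_handler))                             # (500, 'An error occurred. Reference: ...')
```

The reference id is what makes the generic message workable in practice: support staff can find the full trace in the log from the id the user reports, without the trace ever leaving the server.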
6 - Failure to Restrict URL Access
● What is it? Resources that should only be available to authorized users can be accessed by forcefully browsing them
● What are the implications? Sensitive information leaked/modified; admin privileges made available to hacker
Failure to Restrict URL Access - Admin User login
/admin/admin.aspx
Simple user logs in, forcefully browses to admin page
Failure to Restrict URL Access: Privilege Escalation Types
● Access given to completely restricted resources: accessing files that shouldn’t be served (*.bak, “Copy Of”, *.inc, *.cs, ws_ftp.log, etc.)
● Vertical privilege escalation: unknown user accessing pages past the login page; simple user accessing admin pages
● Horizontal privilege escalation: user accessing another user’s pages (example: bank account user accessing another’s)
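The three escalation types above, together with the Insecure Direct Object Reference slides, as one added example (not code from the slides): a server-side authorization check in Python over a constructed route table, account-owner map and blocked-file list. It refuses the restricted file names the slide lists, the vertical cases (anonymous or plain user reaching /admin/) and the horizontal case (one user reading another's account). All paths, users and data are constructed.

```python
from dataclasses import dataclass
from pathlib import PurePosixPath
from typing import Optional, Tuple


@dataclass
class Request:
    path: str                 # e.g. "/admin/admin.aspx"
    user: Optional[str]       # None = not logged in
    role: str = "user"


# Constructed route table: the role each URL prefix requires (None = public).
ROUTE_ROLES = {"/admin/": "admin", "/account/": "user", "/": None}

# Constructed ownership data for the horizontal case: account id -> owning user.
ACCOUNT_OWNERS = {"1001": "alice", "1002": "bob"}

# Files the slide lists as never to be served, keyed by suffix or name fragment.
BLOCKED_SUFFIXES = {".bak", ".inc", ".cs", ".log"}
BLOCKED_NAME_FRAGMENTS = ("copy of",)


def required_role(path: str) -> Optional[str]:
    """Longest matching prefix wins, so /admin/ is not mistaken for the public /."""
    for prefix, role in sorted(ROUTE_ROLES.items(), key=lambda kv: -len(kv[0])):
        if path.startswith(prefix):
            return role
    return None


def is_blocked_file(path: str) -> bool:
    name = PurePosixPath(path).name.lower()
    suffix = PurePosixPath(path).suffix.lower()
    return suffix in BLOCKED_SUFFIXES or any(frag in name for frag in BLOCKED_NAME_FRAGMENTS)


def authorize(req: Request) -> Tuple[int, str]:
    """Server-side decision for every request; hiding links in the UI is not a control."""
    if is_blocked_file(req.path):
        return 404, "restricted resource"            # completely restricted resources
    role = required_role(req.path)
    if role is not None and req.user is None:
        return 401, "login required"                 # vertical: unknown user past the login page
    if role == "admin" and req.role != "admin":
        return 403, "admin role required"            # vertical: simple user on an admin page
    if req.path.startswith("/account/"):
        parts = req.path.split("/")
        account_id = parts[2] if len(parts) > 2 else ""
        if ACCOUNT_OWNERS.get(account_id) != req.user:
            return 403, "not the account owner"      # horizontal: another user's account
    return 200, "ok"


if __name__ == "__main__":
    for r in (Request("/admin/admin.aspx", None),
              Request("/admin/admin.aspx", "bob"),
              Request("/account/1002", "alice"),
              Request("/ws_ftp.log", "alice")):
        print(r.path, r.user, authorize(r))
```

The ownership lookup is the piece the direct object reference slide is about: the account id in the URL is only a name the user typed, and the server has to map it back to an owner before honouring it. Returning 404 rather than 403 for the blocked files avoids confirming that a backup or include file exists.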
Hands-on Labs 3-5
Lab 3 overview – Login without Credentials
● The goal of the lab is to locate a SQL injection vulnerability and exploit it to log into the demo.testfire.net application without a password
● Identify the Lab Workbook and where to start (page 19), where to stop (page 24)
Lab 4 overview – Steal Username and Password
● The Goal of this Lab is to exploit the SQL Injection vulnerability further in order to extract all the usernames and passwords from the demo.testfire.net application
● Identify the Lab Workbook and where to start (page 25), where to stop (page 31)
Lab 5 overview – Logging in to Admin Portal
● The Goal of this lab is to use Information Leakage and Direct Access to URLs to find and log into the administrative portal
● Identify the Lab Workbook and where to start (page 32), where to stop (page 36)
Watchfire in the Rational Portfolio
[Diagram: IBM Rational Software Quality Solutions, spanning Development, Operations and Business]
● Test and Change Management: Rational RequisitePro (requirements), Rational ClearQuest (test, change, defects)
● Test Automation:
  Developer Test – Rational PurifyPlus, Rational Test RealTime
  Functional Test, automated – Rational Functional Tester Plus, Rational Functional Tester, Rational Robot
  Functional Test, manual – Rational Manual Tester
  Performance Test – Rational Performance Tester
  Security and Compliance Test – AppScan, Policy Tester (interface compliance; content compliance: ADA 508, GLBA, Safe Harbor; quality, brand, search, inventory)
● Quality Metrics: project dashboards, detailed test results, quality reports
AppScan
● What is it?
AppScan is an automated tool used to perform vulnerability assessments on Web Applications
● Why do I need it?
To simplify finding and fixing web application security problems
● What does it do?
Scans web applications, finds security issues and reports on them in an actionable fashion
● Who uses it?
Security Auditors – main users today
QA engineers – when the auditors become the bottleneck
Developers – to find issues as early as possible (most efficient)
What does AppScan test for?
[Diagram: the layer stack – Network, Operating System, Applications, Database, Web Server, Web Server Configuration, Third-party Components, Web Applications – with AppScan positioned at the Web Applications layer]
How does AppScan work?
● Approaches an application as a black box
● Traverses a web application and builds the site model
● Determines the attack vectors based on the selected test policy
● Tests by sending modified HTTP requests to the application and examining the HTTP response according to validation rules
[Diagram: AppScan sends an HTTP request to the web application (web servers, application, databases) and inspects the HTTP response]
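How the scan loop described above fits together, as an added example (not AppScan's code): a site model, a test policy and per-test validation rules in Python, run against a constructed in-process toy application instead of over HTTP. The pages, parameters, marker string, the two tests and their validation regexes are all constructed for this example; a real scanner also handles sessions, encodings and many more test categories.

```python
import html
import re
from typing import Callable, Dict, List


# --- Constructed target: a toy application with one page that reflects its input raw
# --- and one that returns the database error text when a quote breaks its SQL.
def toy_app(path: str, params: Dict[str, str]) -> str:
    if path == "/search.aspx":
        return f"<html><body>Results for: {params.get('q', '')}</body></html>"
    if path == "/product.aspx":
        pid = params.get("id", "")
        if "'" in pid:
            return "<html>Error: unclosed quotation mark near ' in SQL statement</html>"
        return f"<html>Product {html.escape(pid)}</html>"
    return "<html>404</html>"


# --- Site model: what the explore stage learned, one entry per page with its parameters.
SITE_MODEL = [("/search.aspx", {"q": "shoes"}), ("/product.aspx", {"id": "1"})]

MARKER = "apscn1234"   # inert marker string, constructed for this example


# --- Test policy: each test is a payload to send plus a validation rule on the response.
TEST_POLICY = [
    {
        "name": "Reflected XSS",
        "payload": f"<{MARKER}>",
        # the marker came back with its angle brackets intact, so markup is not encoded
        "validate": lambda resp: f"<{MARKER}>" in resp,
    },
    {
        "name": "SQL error disclosure",
        "payload": "'",
        "validate": lambda resp: re.search(
            r"SQL statement|syntax error|unclosed quotation", resp, re.I) is not None,
    },
]


def scan(app: Callable[[str, Dict[str, str]], str], site_model, policy) -> List[dict]:
    """One modified request per (page, parameter, test); a finding is recorded when
    the validation rule matches the response."""
    findings = []
    for path, params in site_model:
        for name in params:
            for test in policy:
                mutated = dict(params)
                mutated[name] = test["payload"]
                if test["validate"](app(path, mutated)):
                    findings.append({"page": path, "param": name, "issue": test["name"]})
    return findings


if __name__ == "__main__":
    for finding in scan(toy_app, SITE_MODEL, TEST_POLICY):
        print(finding)
```

Two things the toy makes visible: the test count grows as pages times parameters times tests, which is why the selected test policy matters for scan time, and the SQL test finds nothing on the search page because that rule only fires on error text, so a page that swallows errors needs a different validation rule (the reason scanners carry several per category).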
AppScan Goes Beyond Pointing out Problems
Actionable Fix Recommendations
AppScan with QA Defect Logger for ClearQuest
IBM Watchfire on the Net
● Watchfire.com – http://www.watchfire.com – product evaluation download
● AppScan Extensions Framework – http://axf.watchfire.com – PowerPoint Reporter, Pyscan, Defect Logger CQ
● Watchfire Blog – http://blog.watchfire.com/wfblog – expert opinion and Watchfire news
● AppScan Knowledge On Demand (computer based training) – App Security 101, OWASP Top 10, WASC Threat Classifications, Common Attacks
Lab 6 overview
● The goal of this lab is to use AppScan in order to automate the detection of vulnerabilities within a web application
● Identify the Lab Workbook and where to start (page 37), where to stop (page 59)
Session summary
Understand the web application environment
Understand and differentiate between network and application level vulnerabilities
Understand where the vulnerabilities exist
Hands on exercises to understand types of vulnerabilities
Hands on exercise to leverage automated scan for vulnerabilities
Next steps
● Further discussions with IBM Rational Account Representative and/or AppScan product expert: Jono Massy-Greene, Alan [email protected]
● Schedule a Security Business Value Assessment
● Schedule a Vulnerability Assessment of one of your Applications
Register today with discount code “HDDE” and receive $100 off your registration fee!
Visit www.ibm.com/rational/rsdc for more information
IBM Rational Software Development Conference 2008 – June 1 – 5, 2008; Orlando, Florida
CONFERENCE HIGHLIGHTS:
Over 3,000 customers and partners
Over 300 sessions – 14 tracks
Executive Summit 2008
3- and 5-hour Technical Workshops
Access to IBM Engineers and IBM Research
Keynotes with industry-leading experts
Exhibit hall showcasing complimentary product and services
Unlimited networking opportunities
IBM Solution Center
Interactive Birds-of-a-Feather Sessions
We appreciate your feedback. Please fill out the survey form in order
to improve this educational event.