ibm appscan enterprise - the total software security solution
IBM AppScan Enterprise - The total security solution
Thuc X. Vu <[email protected]>
Researcher, founder of IoT and Data Processing Labs, Vietsoftware International Inc. Website: http://labsofthings.com/
IBM AppScan Solution2 Vietsoftware International Inc.
Agenda
Introduction to security
What is IBM AppScan Enterprise?
Key features
Workflow
DEMO
Introduction to security
Info Security Landscape (figure): each layer and the control that protects it
Desktop: antivirus protection
Transport: encryption (SSL)
Network: firewalls / IDS / IPS
Web applications: a firewall in front of the web servers, application servers, databases and backend servers
Hackers Exploit Unintended Functionality to Attack Apps
(figure: actual functionality = intended functionality + unintended functionality; attacks target the unintended part)
SQL injection example: the value submitted in place of a date is
01/01/2006 union select userid,null,username+','+password,null from users--
The application responds with the user names and passwords of other account holders!
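The attack on this slide, worked through as an added example that is not part of the original deck: a constructed in-memory SQLite database stands in for the Altoro Mutual transaction table, a search that pastes the date into the SQL text sits next to the parameterized form, and the slide's UNION payload is adapted to SQLite (a leading quote to close the date literal, and `||` in place of SQL Server's `+` for string concatenation). The table and column names, the sample rows and the function names are assumptions made for the illustration.

```python
import sqlite3

# Constructed sample schema and rows (assumptions, not from the slides): a users
# table holding credentials and a transactions table the application searches by date.
SCHEMA = """
CREATE TABLE users (userid INTEGER, username TEXT, password TEXT);
CREATE TABLE transactions (userid INTEGER, date TEXT, description TEXT, amount REAL);
INSERT INTO users VALUES (1, 'jsmith', 'demo1234');
INSERT INTO users VALUES (2, 'admin', 's3cret');
INSERT INTO transactions VALUES (1, '01/01/2006', 'deposit', 100.0);
INSERT INTO transactions VALUES (1, '02/01/2006', 'withdrawal', -20.0);
"""

# The slide's payload, with a leading quote to close the date literal and
# SQLite's || instead of SQL Server's + for string concatenation (assumed
# adaptation; the slide shows the SQL Server form).
PAYLOAD = ("01/01/2006' union select userid,null,username||','||password,null "
           "from users--")


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def vulnerable_history(conn, userid, start_date):
    """Transaction search that pastes the date parameter into the SQL text.
    The UNION in the payload appends one row per user to the result set."""
    sql = ("SELECT userid, date, description, amount FROM transactions "
           "WHERE userid = %d AND date >= '%s'" % (userid, start_date))
    return conn.execute(sql).fetchall()


def safe_history(conn, userid, start_date):
    """Same search with bound parameters: the input is only ever a value,
    so it cannot change the shape of the query."""
    sql = ("SELECT userid, date, description, amount FROM transactions "
           "WHERE userid = ? AND date >= ?")
    return conn.execute(sql, (userid, start_date)).fetchall()


def leaked_credentials(rows):
    """Rows the UNION appended: their date column is NULL and the description
    column carries 'username,password' copied from the users table."""
    return sorted(row[2] for row in rows if row[1] is None)


if __name__ == "__main__":
    db = open_db()
    print("concatenated query:", leaked_credentials(vulnerable_history(db, 1, PAYLOAD)))
    print("parameterized query:", leaked_credentials(safe_history(db, 1, PAYLOAD)))
```

With the concatenated query the credentials of every account come back mixed into the transaction list; with bound parameters the same input is just an unusual date string and matches nothing.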
The OWASP Top 10 (2007 edition): application threat, negative impact, example impact
Cross-Site Scripting: identity theft, sensitive information leakage, ... Example: hackers can impersonate legitimate users and control their accounts.
Injection Flaws: attacker can manipulate queries to the database / LDAP / other systems. Example: hackers can access backend database information, alter it or steal it.
Malicious File Execution: execute shell commands on the server, up to full control. Example: site modified to transfer all interactions to the hacker.
Insecure Direct Object Reference: attacker can access sensitive files and resources. Example: web application returns the contents of a sensitive file (instead of a harmless one).
Cross-Site Request Forgery: attacker can invoke "blind" actions on web applications, impersonating a trusted user. Example: blind requests to a bank account transfer money to the hacker.
Information Leakage and Improper Error Handling: attackers can gain detailed system information. Example: malicious system reconnaissance may assist in developing further attacks.
Broken Authentication & Session Management: session tokens not guarded or invalidated properly. Example: hacker can "force" a session token on the victim; session tokens can be stolen after logout.
Insecure Cryptographic Storage: weak encryption techniques may lead to broken encryption. Example: confidential information (SSN, credit cards) can be decrypted by malicious users.
Insecure Communications: sensitive information sent unencrypted over an insecure channel. Example: unencrypted credentials "sniffed" and used by the hacker to impersonate the user.
Failure to Restrict URL Access: hacker can access unauthorized resources. Example: hacker can forcefully browse to and access a page past the login page.
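The two session-management failures in the table (a token "forced" on the victim before login, and a token that stays usable after logout), worked through as an added example that is not part of the original deck: a minimal server-side session store, a fixation-prone login next to one that regenerates the identifier at login, and a client-only logout next to one that invalidates the session server-side. The store, the function names and the attacker-chosen token are constructed for the illustration.

```python
import secrets


class SessionStore:
    """Server-side session table: opaque token -> session state (constructed)."""

    def __init__(self):
        self._sessions = {}

    def new_session(self):
        token = secrets.token_urlsafe(32)   # unguessable, generated server-side
        self._sessions[token] = {"user": None}
        return token

    def get(self, token):
        return self._sessions.get(token)

    def invalidate(self, token):
        self._sessions.pop(token, None)


def login_fixation_prone(store, token, username):
    """Authenticates the user into whatever token the request carried, creating
    it if unknown. An attacker who planted that token on the victim (for example
    through a link carrying it) now shares the victim's authenticated session."""
    sess = store.get(token)
    if sess is None:
        sess = {"user": None}
        store._sessions[token] = sess    # accepts a client-chosen identifier
    sess["user"] = username
    return token


def login_hardened(store, token, username):
    """Discards the pre-login token and issues a fresh one at the privilege
    change, so a planted identifier never becomes an authenticated session."""
    store.invalidate(token)
    fresh = store.new_session()
    store.get(fresh)["user"] = username
    return fresh


def logout_client_only(store, token):
    """Only tells the browser to drop its cookie; the server still honours the
    token, so a copy taken earlier keeps working."""
    return None


def logout_hardened(store, token):
    """Destroys the server-side session; a stolen copy is now worthless."""
    store.invalidate(token)
    return None


def fixation_scenario(login):
    """Attacker plants a token, the victim logs in with it; returns whom the
    planted token is authenticated as afterwards (None if the attack failed)."""
    store = SessionStore()
    planted = "attacker-chosen-token"          # constructed value delivered to the victim
    login(store, planted, "jsmith")            # victim's browser sends the planted token
    sess = store.get(planted)                  # attacker replays the same token
    return sess["user"] if sess else None


def logout_scenario(logout):
    """Victim logs in, the token is copied (sniffed or logged), victim logs out;
    returns whom the copied token still authenticates as (None if nobody)."""
    store = SessionStore()
    token = login_hardened(store, store.new_session(), "jsmith")
    stolen = token                             # constructed: the attacker's copy
    logout(store, token)
    sess = store.get(stolen)
    return sess["user"] if sess else None


if __name__ == "__main__":
    print("fixation, prone login:", fixation_scenario(login_fixation_prone))
    print("fixation, hardened login:", fixation_scenario(login_hardened))
    print("after logout, client-only:", logout_scenario(logout_client_only))
    print("after logout, hardened:", logout_scenario(logout_hardened))
```

The two fixes are independent: regenerating the identifier at login defeats fixation, and destroying the server-side record at logout is what makes a stolen token expire, so a framework needs both.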
2013 Web Application Vulnerabilities Found Trend (figure)
What is IBM AppScan Enterprise?
AppScan Enterprise Benefits
Centralized Control
Scalability
Enterprise-wide Visibility
Unique Remediation Workflow
Full SDLC Support
Key features
AppScan Enterprise – Key Features & Benefits
1 Controlled, Web-based Application Testing: enable Development and QA to perform testing during the SDLC; control which applications each user can test
2 Controlled, Web-based Report Distribution: easily distribute reports; control access to the information
3 Enterprise Metrics and Visibility: increase visibility and better understand enterprise risks
4 Issue Management: focus on fixing issues, not just finding issues
Multiple Report Levels: Dashboards; Report Pack Summaries; Detailed Reports; About this… Report
Report Categories
Inventory Reports: Broken Links, Hosts, Pages, etc.
Security Reports: Application Security Issues, Infrastructure Security Issues, Remediation Tasks, Security Risk Assessment
Compliance Reports: Safe Harbour, Sarbanes-Oxley Act (SOX), Visa CISP, etc.
User Roles and Access Permissions (figure: the Security Manager, Compliance Officer, Pen Tester and Developer roles around AppScan Enterprise)
Assign user roles
Control access to information
Specify what applications a user can scan
Specify what types of tests a user can perform
Workflow
Build Application: Edit application Profile Template
AppScan Enterprise: Create Application
Define: Application attributes, scans, users
Mark application “Testing Status” as completed
AppScan Enterprise: Filter and send issues by URL
DEMO
DEMO – Test Site And Project (Altoro Mutual)
URL: http://demo.testfire.net Account: jsmith / demo1234
Gartner has recognized IBM as a leader in the Magic Quadrant for Application Security Testing (AST)
Magic Quadrant for Application Security Testing, Neil MacDonald and Joseph Feiman, July 2, 2013
"The market for application security testing is changing rapidly. Technology trends, such as mobile applications, advanced Web applications and dynamic languages, are forcing the need to combine dynamic and static testing capabilities, which is reshaping the overall market."
This Magic Quadrant graphic was published by Gartner, Inc. as part of a larger research note and should be evaluated in the context of the entire report. The link to the Gartner report is available upon request from IBM.
Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
Additional Information
Documents
EMA Impact Brief - IBM Security AppScan 8.7 Adds Support for iOS Mobile Apps: https://www14.software.ibm.com/webapp/iwm/web/signup.do?source=swg-WW_Security_Organic&S_PKG=ov14494&S_TACT=102PW29W
AppScan Source Data Sheet: http://public.dhe.ibm.com/common/ssi/ecm/en/rad14105usen/RAD14105USEN.PDF
AppScan Standard Data Sheet: http://public.dhe.ibm.com/common/ssi/ecm/en/rad14019usen/RAD14019USEN.PDF
AppScan Enterprise Data Sheet: ftp://public.dhe.ibm.com/common/ssi/ecm/en/rad14113usen/RAD14113USEN.PDF
Posts
2013 Gartner Application Security Testing MQ and the Evolution of Software Security: http://securityintelligence.com/2013-gartner-application-security-testing-mq-and-the-evolution-of-software-security/
Gartner Publishes 2013 Magic Quadrant for Application Security Testing (AST): http://securityintelligence.com/gartner-magic-quadrant-for-application-security-testing-2013/
Podcasts
2013 Gartner Magic Quadrant for Application Security Testing: http://www.blogtalkradio.com/calebbarlow/2013/07/25/2013-gartner-magic-quadrant-for-application-security-testing
Application + Threat + Security intelligence = Priceless: http://www.blogtalkradio.com/calebbarlow/2012/08/13/threat-application-security-intelligence-priceless
Taking Application Security from the Whiteboard to Reality: http://www.blogtalkradio.com/calebbarlow/2012/06/11/taking-application-security-from-the-whiteboard-to-reality
Videos
Overview of IBM Security AppScan: http://www.youtube.com/watch?v=9R4IjZpKt8I
How College Board is Building Security into Application Development: http://www.youtube.com/watch?v=TtqhlcTnbg8
Building Better, More Secure Applications: http://www.youtube.com/watch?v=UcN2uUolgKk
Using Application Security Testing to Increase Deployment Speed: http://www.youtube.com/watch?v=VImy3ilYUSk
IBM Security AppScan 8.7 for iOS mobile application support: http://www.youtube.com/watch?v=I73tbAmJIGw
IBM Security AppScan 8.7 for iOS Applications: http://www.youtube.com/watch?v=egnEH-GGQEI
IBM Security AppScan: Analysis Perspective: http://www.youtube.com/watch?v=UZD53ZgV848
Credits
Implemented IBM AppScan for customers in Vietnam: Vietcombank; VietinBank; Vietnam Customs
Some presentations on Enterprise Mobile Solution, IoT, Security and payment at http://www.slideshare.net/papaiking/