ibm appscan enterprise - the total software security solution

IBM AppScan Enterprise: The total security solution
Thuc X. Vu <[email protected]>
Researcher, founder of IoT and Data Processing Labs, Vietsoftware International Inc.
Website: http://labsofthings.com/

Upload: vietsoftware-international-inc

Post on 16-Jul-2015



IBM AppScan Solution2 Vietsoftware International Inc.

Agenda

Introduction to security

What is IBM AppScan Enterprise?

Key features

Workflow

DEMO


Introduction to security

Info Security Landscape

Each layer of the stack with the control conventionally relied on to protect it:

Desktop: antivirus protection
Transport: encryption (SSL)
Network: firewalls / IDS / IPS
Web applications: a firewall in front of the web servers, application servers, databases and backend server

Hackers Exploit Unintended Functionality to Attack Apps

An application's actual functionality is its intended functionality plus the unintended functionality that ships with it. Attackers target the unintended part.

Example: SQL injection through a date search field. The '+' is the SQL Server string-concatenation operator, and the trailing '--' comments out whatever the application appended after the injected value:

01/01/2006 union select userid,null,username+','+password,null from users--

The application responds with the user names and passwords of other account holders.
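To see what that payload does end to end, here is an added example (not from the deck and not IBM's code) that runs the injection against an in-memory SQLite database and contrasts the string-built query with a parameterized one. The schema, the sample rows and the function names are constructed for the illustration; the payload is the slide's, with SQLite's '||' standing in for the SQL Server '+' concatenation and a leading quote added to close the string literal the date lands in.

```python
import sqlite3
from datetime import datetime

# Constructed sample data (not from the slide deck): a banking-style schema with the
# transactions table the search form queries and the users table the attacker wants.
SAMPLE_USERS = [(1, "jsmith", "demo1234"), (2, "admin", "s3cr3t!")]
SAMPLE_TX = [(100, "01/01/2006", "deposit", 500.0),
             (101, "02/01/2006", "withdrawal", 75.0)]

# Payload from the slide, adapted to SQLite: '||' replaces T-SQL '+' for string
# concatenation, and the leading quote closes the literal the date value sits in.
PAYLOAD = "01/01/2006' union select userid,null,username||','||password,null from users--"


def build_db():
    """Create and populate the in-memory database used by the examples below."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (userid INTEGER, username TEXT, password TEXT)")
    conn.execute("CREATE TABLE transactions (id INTEGER, txdate TEXT, memo TEXT, amount REAL)")
    conn.executemany("INSERT INTO users VALUES (?,?,?)", SAMPLE_USERS)
    conn.executemany("INSERT INTO transactions VALUES (?,?,?,?)", SAMPLE_TX)
    return conn


def search_vulnerable(conn, date):
    """Builds the WHERE clause by string formatting, so the date value is parsed as SQL.
    The four selected columns are what lets the attacker's four-column UNION line up."""
    sql = f"SELECT id, txdate, memo, amount FROM transactions WHERE txdate = '{date}'"
    return conn.execute(sql).fetchall()


def search_parameterized(conn, date):
    """Binds the date as a parameter; the statement structure is fixed before the value arrives,
    so the payload is compared against txdate as an ordinary string and matches nothing."""
    sql = "SELECT id, txdate, memo, amount FROM transactions WHERE txdate = ?"
    return conn.execute(sql, (date,)).fetchall()


def is_valid_date(value):
    """Allow-list check on the expected dd/mm/yyyy shape: defense in depth, not a substitute for binding."""
    try:
        datetime.strptime(value, "%d/%m/%Y")
        return True
    except ValueError:
        return False


def leaked_credentials(rows):
    """Pick out the rows the UNION smuggled in: txdate is NULL and memo holds 'username,password'."""
    return [r[2] for r in rows if r[1] is None and r[2] and "," in r[2]]


if __name__ == "__main__":
    conn = build_db()
    rows = search_vulnerable(conn, PAYLOAD)
    print("string-built query returned:", rows)
    print("credentials leaked:", leaked_credentials(rows))
    print("parameterized query returned:", search_parameterized(conn, PAYLOAD))
    print("payload passes date check:", is_valid_date(PAYLOAD))
```

The string-built query returns the real transaction row plus one row per user with 'username,password' in the memo column; the parameterized query returns nothing for the same input, and the format check rejects it before it reaches the database at all.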


The OWASP Top 10 (2007 edition)

| Application Threat | Negative Impact | Example Impact |
| Cross-Site Scripting | Identity theft, sensitive information leakage, ... | Hackers can impersonate legitimate users and control their accounts. |
| Injection Flaws | Attacker can manipulate queries to the DB / LDAP / other systems | Hackers can access backend database information, alter it or steal it. |
| Malicious File Execution | Execute shell commands on the server, up to full control | Site modified to transfer all interactions to the hacker. |
| Insecure Direct Object Reference | Attacker can access sensitive files and resources | Web application returns the contents of a sensitive file (instead of a harmless one). |
| Cross-Site Request Forgery | Attacker can invoke "blind" actions on web applications, impersonating a trusted user | Blind requests to a bank account transfer money to the hacker. |
| Information Leakage and Improper Error Handling | Attackers can gain detailed system information | Malicious system reconnaissance may assist in developing further attacks. |
| Broken Authentication & Session Management | Session tokens not guarded or invalidated properly | Hacker can "force" a session token on the victim (session fixation); session tokens can be stolen after logout. |
| Insecure Cryptographic Storage | Weak encryption techniques may lead to broken encryption | Confidential information (SSN, credit cards) can be decrypted by malicious users. |
| Insecure Communications | Sensitive info sent unencrypted over an insecure channel | Unencrypted credentials "sniffed" and used by the hacker to impersonate the user. |
| Failure to Restrict URL Access | Hacker can access unauthorized resources | Hacker can forcefully browse to and access a page past the login page. |
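The last row, forceful browsing past the login page, is the kind of finding a scanner reports when one handler forgets its check. The following added example (not from the deck, not IBM's code) shows a hypothetical mini-application with per-handler checks, where an unlinked admin page is reachable by anyone who types its URL, beside a hardened dispatcher that makes one default-deny authorization decision for every path. The paths, roles, session layout and status codes are assumptions for the illustration.

```python
from dataclasses import dataclass, field


@dataclass
class Request:
    """Constructed stand-in for a web framework request: a path plus the server-side session."""
    path: str
    session: dict = field(default_factory=dict)  # empty dict means not logged in


def login_page(req):
    return 200, "login form"


def account_page(req):
    # This handler remembered to check the session...
    if "user" not in req.session:
        return 302, "/login"
    return 200, f"account of {req.session['user']}"


def admin_page(req):
    # ...this one did not. The link is only rendered for admins, so the author assumed
    # nobody else would reach it. Anyone who guesses the URL gets the page.
    return 200, "admin console"


ROUTES = {"/login": login_page, "/account": account_page, "/admin": admin_page}


def handle_vulnerable(req):
    """Authorization lives inside each handler, so one forgotten check exposes that page."""
    handler = ROUTES.get(req.path)
    if handler is None:
        return 404, "not found"
    return handler(req)


# Hardened version: a single policy table consulted before any handler runs.
# The value is the set of roles allowed; None marks a public path. Paths absent
# from the table are refused, so a newly added handler is closed until listed.
POLICY = {"/login": None, "/account": {"user", "admin"}, "/admin": {"admin"}}


def authorize(req):
    """Return a denial response, or None when the request may proceed to its handler."""
    if req.path not in POLICY:
        return 404, "not found"
    allowed = POLICY[req.path]
    if allowed is None:
        return None
    if "user" not in req.session:
        return 302, "/login"      # unauthenticated: send to the login page
    if req.session.get("role") not in allowed:
        return 403, "forbidden"   # authenticated but not entitled to this path
    return None


def handle_hardened(req):
    """Every request passes the same check at the dispatcher; handlers no longer decide."""
    denied = authorize(req)
    if denied is not None:
        return denied
    return ROUTES[req.path](req)


if __name__ == "__main__":
    anonymous = Request("/admin")
    print("vulnerable app, anonymous /admin:", handle_vulnerable(anonymous))
    print("hardened app, anonymous /admin:", handle_hardened(anonymous))
    print("hardened app, ordinary user /admin:",
          handle_hardened(Request("/admin", {"user": "jsmith", "role": "user"})))
```

The design point is the choke point: when the check sits in one place and unknown paths default to denial, adding a page cannot silently open it, which is exactly the class of mistake a dynamic scan finds by requesting pages it was never linked to.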


2013 Web Application Vulnerabilities Found Trend (chart)

What is IBM AppScan Enterprise?

AppScan Enterprise Benefits

Centralized control
Scalability
Enterprise-wide visibility
Unique remediation workflow
Full SDLC support

Key features

AppScan Enterprise – Key Features & Benefits

1. Controlled, web-based application testing: enable Development and QA to perform testing during the SDLC; control what applications each user can test.
2. Controlled, web-based report distribution: easily distribute reports; control access to the information.
3. Enterprise metrics and visibility: increase visibility and better understand enterprise risks.
4. Issue management: focus on fixing issues, not just finding issues.

Multiple Report Levels

Dashboards
Report pack summaries
Detailed reports
"About this…" report

Report Categories

Inventory reports: broken links, hosts, pages, etc.
Security reports: application security issues, infrastructure security issues, remediation tasks, security risk assessment
Compliance reports: Safe Harbour, Sarbanes-Oxley Act (SOX), Visa CISP, etc.

User Roles and Access Permissions

Assign user roles: Security Manager, Compliance Officer, Pen Tester, Developer
Specify what applications a user can scan
Specify what types of tests a user can perform
Control access to information

Workflow

AppScan Enterprise: Workflow

The workflow slides are screenshots of the product; their titles give the sequence of steps:

Build Application: edit the application profile template
Build Application: import applications
Create Application: define application attributes, scans and users
Risk Rating Formula
Test Applications: define the issue profile
Test Applications: define the scanner profile
Test Applications: import issues
Test Applications: scan management
Test Applications: mark the application's "Testing Status" as completed
Fix Issues: filter and send issues by URL
Monitor Issues: monitor all apps
Monitor Issues: monitor each app
Training

DEMO

DEMO – Test Site and Project (Altoro Mutual)

URL: http://demo.testfire.net
Account: jsmith / demo1234

Altoro Mutual is IBM's intentionally vulnerable demonstration banking application; the account above is its published demo login.

Magic Quadrant for Application Security Testing, Neil MacDonald and Joseph Feiman, July 2, 2013

Gartner has recognized IBM as a leader in the Magic Quadrant for Application Security Testing (AST).

"The market for application security testing is changing rapidly. Technology trends, such as mobile applications, advanced Web applications and dynamic languages, are forcing the need to combine dynamic and static testing capabilities, which is reshaping the overall market."

This Magic Quadrant graphic was published by Gartner, Inc. as part of a larger research note and should be evaluated in the context of the entire report. The link to the Gartner report is available upon request from IBM. Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

Additional Information

Documents

EMA Impact Brief - IBM Security AppScan 8.7 Adds Support for iOS Mobile Apps
https://www14.software.ibm.com/webapp/iwm/web/signup.do?source=swg-WW_Security_Organic&S_PKG=ov14494&S_TACT=102PW29W

AppScan Source Data Sheet
http://public.dhe.ibm.com/common/ssi/ecm/en/rad14105usen/RAD14105USEN.PDF

AppScan Standard Data Sheet
http://public.dhe.ibm.com/common/ssi/ecm/en/rad14019usen/RAD14019USEN.PDF

AppScan Enterprise Data Sheet
ftp://public.dhe.ibm.com/common/ssi/ecm/en/rad14113usen/RAD14113USEN.PDF

Posts

2013 Gartner Application Security Testing MQ and the Evolution of Software Security
http://securityintelligence.com/2013-gartner-application-security-testing-mq-and-the-evolution-of-software-security/

Gartner Publishes 2013 Magic Quadrant for Application Security Testing (AST)
http://securityintelligence.com/gartner-magic-quadrant-for-application-security-testing-2013/

Podcasts

2013 Gartner Magic Quadrant for Application Security Testing
http://www.blogtalkradio.com/calebbarlow/2013/07/25/2013-gartner-magic-quadrant-for-application-security-testing

Application + Threat + Security intelligence = Priceless
http://www.blogtalkradio.com/calebbarlow/2012/08/13/threat-application-security-intelligence-priceless

Taking Application Security from the Whiteboard to Reality
http://www.blogtalkradio.com/calebbarlow/2012/06/11/taking-application-security-from-the-whiteboard-to-reality

Videos

Overview of IBM Security AppScan
http://www.youtube.com/watch?v=9R4IjZpKt8I

How College Board is Building Security into Application Development
http://www.youtube.com/watch?v=TtqhlcTnbg8

Building Better, More Secure Applications
http://www.youtube.com/watch?v=UcN2uUolgKk

Using Application Security Testing to Increase Deployment Speed
http://www.youtube.com/watch?v=VImy3ilYUSk

IBM Security AppScan 8.7 for iOS mobile application support
http://www.youtube.com/watch?v=I73tbAmJIGw

IBM Security AppScan 8.7 for iOS Applications
http://www.youtube.com/watch?v=egnEH-GGQEI

IBM Security AppScan: Analysis Perspective
http://www.youtube.com/watch?v=UZD53ZgV848

Credits

Implemented IBM AppScan for customers in Vietnam: Vietcombank, VietinBank, Vietnam Customs.

Some presentations on enterprise mobile solutions, IoT, security and payment at http://www.slideshare.net/papaiking/

Smarter security for a smarter planet