
Page 1: IBM AppScan Source The SAST solution - E-SPIN Group · 2015-08-17 · 2. AppScan Source for Development. Allow Developers to perform Security Scans Plugins supplied for IDE Remediate

IBM AppScan Source: The SAST solution

Business and Solutions Consulting, E-SPIN Group of Companies: E-SPIN Sdn Bhd, E-SPIN International Pte Ltd, E-SPIN International Limited

Page 2

Agenda

Understanding what AppScan Source is

AppScan Source components

Deployment models

Features and Tooling

Workflow

DEMO

Page 3

Understanding what AppScan Source is

AppScan Source is a static application security testing (SAST) solution.

It scans application source code for security vulnerabilities: SQL injection, command injection, cross-site scripting, buffer overflow.

These vulnerabilities are exploitable weaknesses in code that lead to:

1. Loss of reputation
2. Loss of money
3. A breach or an exposure of sensitive information
4. Business noncompliance

AppScan Source enables organizations to proactively identify and mitigate security risk.

Page 4

AppScan Source components

Source for Analysis, Source for Development, Source for Remediation, Source for Automation

1. AppScan Source for Automation

- Allow Build Teams to execute Scans at Build time
- Command line tooling and build tools allow for ease of automation
- Assessment Publishing and Reporting directly from Automation

Page 5

AppScan Source components (Cont.)

2. AppScan Source for Development

- Allow Developers to perform Security Scans
- Plugins supplied for IDE
- Remediate Vulnerabilities

3. AppScan Source for Analysis

- Allow Security Analysts to Configure Applications for SAST Scanning, Optimize Scan Configuration to Focus on Vulnerable Source Code
- Analyze, isolate, and take action on priority vulnerabilities.
- Provides security analysts, QA managers, and development managers with fast time-to-results.

Page 6

AppScan Source components (Cont.)

AppScan Source Database: An out-of-the-box database that persists the AppScan Source Security Knowledgebase data, assessment data, and application/project inventory.

AppScan Source command line interface (CLI) client: Provides command line access to various AppScan Source functions to enable integration, automation, and scripting.

Plugins for Make, Ant, and Maven allow the configuration process to be automated.

Page 7

AppScan Source Edition Products vs Roles

Page 8

Agenda

Understanding what AppScan Source is

AppScan Source components

Deployment models

Features and Tooling

Workflow

DEMO

Page 9

Standard desktop deployment

Page 10

Standard desktop deployment (Cont.)

- Used in a small organization, for a security analyst/auditor who performs security assessments
- No defect tracking system integration or build integration
- Uses the AppScan Source administrative account, and no LDAP Directory Server integration

Page 11

Small workgroup deployment

Page 12

Small workgroup deployment (Cont.)

- Used in a small to moderate organization
- Dedicated to different roles: Administrator, Manager, Security Analyst, Developer
- Build Automation server integration

Page 13

Enterprise workgroup deployment

Page 14

Enterprise workgroup deployment (Cont.)

- Integrate with Defect tracking system
- Authentication with LDAP integration

Page 15

Agenda

Understanding what AppScan Source is

AppScan Source components

Deployment models

Features and Tooling

Workflow

DEMO

Page 16

AppScan Source Features and Tooling

Configuration perspective:

- Import existing applications from IDEs

- Configure AppScan Source applications and projects

- Scan code

- Create and manage applications, projects, and attributes

Triage perspective:

- View scan results to prioritize remediation workflow

- Organize findings

- Filter findings

- Promote, demote, and dispatch findings for remediation

Analysis perspective:

- Drill down to individual findings

- Track data flow visually through the source code (trace)

- Access contextual remediation assistance

- Generate Reports
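To make concrete what the slides mean by scanning for SQL injection (Page 3) and tracking data flow through the source code as a trace (Analysis perspective above), here is an added toy taint analyzer in Python. It is example code written for this page, not AppScan Source code and not the product's algorithm; the SOURCES and SINKS sets and the two sample functions are constructed assumptions.

```python
import ast

# Constructed sample (not from the page): the first function concatenates a
# request parameter into SQL text; the second binds it as a query parameter.
SAMPLE = '''
def lookup(request, db):
    user = request.args.get("user")
    query = "SELECT * FROM users WHERE name = '" + user + "'"
    return db.execute(query)

def lookup_safe(request, db):
    user = request.args.get("user")
    return db.execute("SELECT * FROM users WHERE name = ?", (user,))
'''

SOURCES = {"get"}      # assumed: method names whose result is attacker-controlled
SINKS = {"execute"}    # assumed: method names whose first argument is SQL text


def _names(node):
    return {n.id for n in ast.walk(node) if isinstance(n, ast.Name)}


def _calls_source(node):
    return any(isinstance(c, ast.Call) and isinstance(c.func, ast.Attribute)
               and c.func.attr in SOURCES for c in ast.walk(node))


def analyze(src):
    """Intra-procedural taint tracking, one function at a time. Returns a
    finding per tainted value reaching a sink, each with the assignment
    trace (line, statement) that carried the data from source to sink."""
    findings = []
    for fn in [n for n in ast.walk(ast.parse(src)) if isinstance(n, ast.FunctionDef)]:
        tainted = {}  # variable name -> trace of statements that tainted it
        for stmt in fn.body:
            for node in ast.walk(stmt):
                if isinstance(node, ast.Assign):
                    carried = [tainted[v] for v in _names(node.value) if v in tainted]
                    if carried or _calls_source(node.value):
                        trace = (carried[0] if carried else []) + [(node.lineno, ast.unparse(node))]
                        for t in node.targets:
                            if isinstance(t, ast.Name):
                                tainted[t.id] = trace
                elif (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                      and node.func.attr in SINKS and node.args):
                    # only the SQL text argument is a sink; bound parameters are not
                    for v in sorted(_names(node.args[0]) & set(tainted)):
                        findings.append({"function": fn.name, "variable": v,
                                         "sink_line": node.lineno, "trace": tainted[v]})
    return findings
```

Running analyze(SAMPLE) reports one finding for lookup with a two-step trace (the source assignment, then the string concatenation) and nothing for lookup_safe, which is the distinction a triage perspective relies on when promoting high-confidence findings.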

Page 17

Agenda

Understanding what AppScan Source is

AppScan Source components

Deployment models

Features and Tooling

Workflow

DEMO

Page 18

Continuous Improvement Environment

[Workflow diagram: a cycle of CONFIGURE, SCAN, TRIAGE, ASSIGN, REMEDIATE and REPORT stages, with high-confidence findings passed along between them. Products shown at the stages: AppScan Source for Analysis; AppScan Source for Analysis, for Development and for Automation; AppScan Enterprise; AppScan Source for Remediation and for Development.]

Page 19

Security Analyst Workflow

Security Professionals using AppScan Source for Security:

1. Receive a source code archive
2. Extract code and import into AppScan Source
3. Scan, resolve compilation issues (often many)
4. Triage scan results
5. Export or write report
6. Deliver report
7. Begin again with a new application

Total time: 2-3 weeks / application

• Applications are scanned once per year or less
• Minimal carry-over for subsequent scans

Page 20

Developer Workflow

Any developer using AppScan Source for Development:

1. Click scan
2. Wait for scan to complete
3. Triage scan results
4. Resolve vulnerabilities
5. Check code into central repository

Total Time: ½ - 1 day

• Developers cannot develop while scanning (can take hours)
• Developers are not security experts
• Scan workflow interrupts agile workflows

Page 21

Agenda

Understanding what AppScan Source is

AppScan Source components

Deployment models

Features and Tooling

Workflow

DEMO

Page 22

Magic Quadrant for Application Security Testing
Neil MacDonald, Joseph Feiman
July 2, 2013

[Magic Quadrant graphic]

This Magic Quadrant graphic was published by Gartner, Inc. as part of a larger research note and should be evaluated in the context of the entire report. The link to the Gartner report is available upon request from IBM.

“The market for application security testing is changing rapidly. Technology trends, such as mobile applications, advanced Web applications and dynamic languages, are forcing the need to combine dynamic and static testing capabilities, which is reshaping the overall market.”

Gartner has recognized IBM as a leader in the Magic Quadrant for Application Security Testing (AST)

Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

Page 23

Additional Information Documents

EMA Impact Brief - IBM Security AppScan 8.7 Adds Support for iOS Mobile Apps

https://www14.software.ibm.com/webapp/iwm/web/signup.do?source=swg-WW_Security_Organic&S_PKG=ov14494&S_TACT=102PW29W

AppScan Source Data Sheet

http://public.dhe.ibm.com/common/ssi/ecm/en/rad14105usen/RAD14105USEN.PDF

AppScan Standard Data Sheet:

http://public.dhe.ibm.com/common/ssi/ecm/en/rad14019usen/RAD14019USEN.PDF

AppScan Enterprise Data Sheet

ftp://public.dhe.ibm.com/common/ssi/ecm/en/rad14113usen/RAD14113USEN.PDF

Posts

2013 Gartner Application Security Testing MQ and the Evolution of Software Security

http://securityintelligence.com/2013-gartner-application-security-testing-mq-and-the-evolution-of-software-security/

Gartner Publishes 2013 Magic Quadrant for Application Security Testing (AST)

http://securityintelligence.com/gartner-magic-quadrant-for-application-security-testing-2013/

Podcasts

2013 Gartner Magic Quadrant for Application Security Testing

http://www.blogtalkradio.com/calebbarlow/2013/07/25/2013-gartner-magic-quadrant-for-application-security-testing

Application + Threat + Security intelligence = Priceless

http://www.blogtalkradio.com/calebbarlow/2012/08/13/threat-application-security-intelligence-priceless

Taking Application Security from the Whiteboard to Reality

http://www.blogtalkradio.com/calebbarlow/2012/06/11/taking-application-security-from-the-whiteboard-to-reality

Page 24

Videos

Overview of IBM Security AppScan

http://www.youtube.com/watch?v=9R4IjZpKt8I

How College Board is Building Security into Application Development

http://www.youtube.com/watch?v=TtqhlcTnbg8

Building Better, More Secure Applications

http://www.youtube.com/watch?v=UcN2uUolgKk

Using Application Security Testing to Increase Deployment Speed

http://www.youtube.com/watch?v=VImy3ilYUSk

IBM Security AppScan 8.7 for iOS mobile application support

http://www.youtube.com/watch?v=I73tbAmJIGw

IBM Security AppScan 8.7 for iOS Applications

http://www.youtube.com/watch?v=egnEH-GGQEI

IBM Security AppScan: Analysis Perspective

http://www.youtube.com/watch?v=UZD53ZgV848

Page 25

Smarter security for a smarter planet