
Download IBM AppScan Source - The SAST solution

Posted on 23-Jul-2015


  • IBM AppScan Source - The SAST solution
    Vu Xuan Thuc, Mobile Enterprise division, Vietsoftware International

  • IBM AppScan Solution2 Vietsoftware International Inc.

    Agenda

    Understanding what AppScan Source is

    AppScan Source components

    Deployment models

    Features and Tooling

    Workflow

    DEMO

  • Slide 3

    Understanding what AppScan Source is

    AppScan Source is a static application security testing (SAST) solution.

    Scans application source code for security vulnerabilities: SQL injection, command injection, cross-site scripting, buffer overflow.

    These vulnerabilities are exploitable weaknesses in code that lead to:

    1. Loss of reputation
    2. Loss of money
    3. A breach or an exposure of sensitive information
    4. Business noncompliance

    AppScan Source enables organizations to proactively identify and mitigate security risk.

  • Slide 5

    AppScan Source components

    Editions: Source for Analysis, Source for Development, Source for Remediation, Source for Automation

    1. AppScan Source for Automation

    - Allows build teams to execute scans at build time
    - Command line tooling and build tools allow for ease of automation
    - Assessment publishing and reporting directly from automation

  • Slide 6

    AppScan Source components (Cont.)

    2. AppScan Source for Development

    - Allows developers to perform security scans
    - Plugins supplied for IDEs
    - Remediate vulnerabilities

    3. AppScan Source for Analysis

    - Allows security analysts to configure applications for SAST scanning and optimize the scan configuration to focus on vulnerable source code
    - Analyze, isolate, and take action on priority vulnerabilities. Provides security analysts, QA managers, and development managers with fast time-to-results.

  • Slide 7

    AppScan Source components (Cont.)

    AppScan Source Database: an out-of-the-box database that persists the AppScan Source Security Knowledgebase data, assessment data, and application/project inventory.

    AppScan Source command line interface (CLI) client: provides command line access to various AppScan Source functions to enable integration, automation, and scripting.

    Plugins for Make, Ant, and Maven allow the configuration process to be automated.

  • Slide 8

    AppScan Source Edition Products vs Roles


  • Slide 10

    Standard desktop deployment

  • Slide 11

    Standard desktop deployment (Cont.)

    - Used in a small organization, for a security analyst/auditor who performs security assessments
    - No defect tracking system integration or build integration
    - Uses the AppScan Source administrative account, with no LDAP Directory Server integration

  • Slide 12

    Small workgroup deployment

  • Slide 13

    Small workgroup deployment (Cont.)

    - Used in a small to moderate-sized organization
    - Dedicated roles: Administrator, Manager, Security Analyst, Developer
    - Build automation server integration

  • Slide 14

    Enterprise workgroup deployment

  • Slide 15

    Enterprise workgroup deployment (Cont.)

    - Integrates with a defect tracking system
    - Authentication with LDAP integration


  • Slide 17

    AppScan Source Features and Tooling

    Configuration perspective:

    - Import existing applications from IDEs

    - Configure AppScan Source applications and projects

    - Scan code

    - Create and manage applications, projects, and attributes

    Triage perspective:

    - View scan results to prioritize remediation workflow

    - Organize findings

    - Filter findings

    - Promote, demote, and dispatch findings for remediation

    Analysis perspective:

    - Drill down to individual findings

    - Track data flow visually through the source code (trace)

    - Access contextual remediation assistance

    - Generate Reports
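    The trace in the Analysis perspective is the path a SAST engine computes from an untrusted input (source) to a dangerous call (sink). The following is an added illustration, not AppScan's code: a minimal taint tracer over a constructed Python snippet, where the SOURCES, SINKS and SANITIZERS lists are hypothetical stand-ins for the product's Security Knowledgebase and the tracer is intra-procedural only.

```python
import ast

SOURCES = {"request.args.get"}   # hypothetical: where untrusted data enters the program
SINKS = {"cursor.execute"}       # hypothetical: where it must not arrive unsanitized
SANITIZERS = {"int"}             # hypothetical: calls whose result is treated as trusted

SAMPLE = '''
user = request.args.get("user")
query = "SELECT * FROM users WHERE name = '" + user + "'"
cursor.execute(query)
page = int(request.args.get("page"))
cursor.execute("SELECT * FROM users LIMIT %s", (page,))
'''  # constructed sample: line 4 is an injection, line 6 is sanitized and parameterized

def dotted(node):
    """Render a call target such as cursor.execute as a dotted string ('' if not a name)."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return ""

def trace_taint(source_code):
    """Return one trace (line numbers from source to sink) per tainted sink call."""
    taint = {}       # variable name -> line numbers its taint has passed through
    findings = []
    for stmt in ast.parse(source_code).body:
        if isinstance(stmt, ast.Assign) and isinstance(stmt.targets[0], ast.Name):
            rhs, target = stmt.value, stmt.targets[0].id
            path = []
            if not (isinstance(rhs, ast.Call) and dotted(rhs.func) in SANITIZERS):
                for n in ast.walk(rhs):      # propagate from source calls and tainted names
                    if isinstance(n, ast.Call) and dotted(n.func) in SOURCES:
                        path = [stmt.lineno]
                    elif isinstance(n, ast.Name) and n.id in taint:
                        path = taint[n.id] + [stmt.lineno]
            if path:
                taint[target] = path
            else:
                taint.pop(target, None)      # sanitized or reassigned from clean data
        elif isinstance(stmt, ast.Expr) and isinstance(stmt.value, ast.Call) \
                and dotted(stmt.value.func) in SINKS:
            for n in ast.walk(stmt.value):   # tainted data reaching a sink is a finding
                if isinstance(n, ast.Name) and n.id in taint:
                    findings.append(taint[n.id] + [stmt.lineno])
    return findings
```

    Calling trace_taint(SAMPLE) yields a single trace, lines 2 to 3 to 4, which is the kind of source-to-sink path the triage and analysis views let an analyst walk through.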


  • Slide 19

    Continuous Improvement Environment

    [Diagram: a cycle with the stages CONFIGURE, SCAN, TRIAGE, ASSIGN, REMEDIATE and REPORT. Product labels on the diagram: AppScan Source for Analysis, AppScan Source for Development, AppScan Source for Automation, AppScan Source for Remediation, and AppScan Enterprise; the output of the cycle is labelled "High-confidence findings".]

  • Slide 20

    Security Analyst Workflow

    Security professionals using AppScan Source for Security:

    1. Receive a source code archive
    2. Extract code and import into AppScan Source
    3. Scan, resolve compilation issues (often many)
    4. Triage scan results
    5. Export or write report
    6. Deliver report
    7. Begin again with a new application

    Total time: 2-3 weeks / application

    Applications are scanned once per year or less

    Minimal carry-over for subsequent scans

  • Slide 21

    Developer Workflow

    Any developer using AppScan Source for Development:

    1. Click scan
    2. Wait for scan to complete
    3. Triage scan results
    4. Resolve vulnerabilities
    5. Check code into central repository

    Total time: - 1 day

    Developers cannot develop while scanning (can take hours)

    Developers are not security experts

    Scan workflow interrupts agile workflows


  • Slide 23

    Magic Quadrant for Application Security Testing
    Neil MacDonald, Joseph Feiman, July 2, 2013

    This Magic Quadrant graphic was published by Gartner, Inc. as part of a larger research note and should be evaluated in the context of the entire report. The link to the Gartner report is available upon request from IBM.

    "The market for application security testing is changing rapidly. Technology trends, such as mobile applications, advanced Web applications and dynamic languages, are forcing the need to combine dynamic and static testing capabilities, which is reshaping the overall market."

    Gartner has recognized IBM as a leader in the Magic Quadrant for Application Security Testing (AST).

    Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

  • Slide 24

    Additional Information

    Documents:

    - EMA Impact Brief - IBM Security AppScan 8.7 Adds Support for iOS Mobile Apps: https://www14.software.ibm.com/webapp/iwm/web/signup.do?source=swg-WW_Security_Organic&S_PKG=ov14494&S_TACT=102PW29W
    - AppScan Source Data Sheet: http://public.dhe.ibm.com/common/ssi/ecm/en/rad14105usen/RAD14105USEN.PDF
    - AppScan Standard Data Sheet: http://public.dhe.ibm.com/common/ssi/ecm/en/rad14019usen/RAD14019USEN.PDF
    - AppScan Enterprise Data Sheet: ftp://public.dhe.ibm.com/common/ssi/ecm/en/rad14113usen/RAD14113USEN.PDF

    Posts:

    - 2013 Gartner Application Security Testing MQ and the Evolution of Software Security: http://securityintelligence.com/2013-gartner-application-security-testing-mq-and-the-evolution-of-software-security/
    - Gartner Publishes 2013 Magic Quadrant for Application Security Testing (AST): http://securityintelligence.com/gartner-magic-quadrant-for-application-security-testing-2013/

    Podcasts:

    - 2013 Gartner Magic Quadrant for Application Security Testing: http://www.blogtalkradio.com/calebbarlow/2013/07/25/2013-gartner-magic-quadrant-for-application-security-testing
    - Application + Threat + Security intelligence = Priceless: http://www.blogtalkradio.com/calebbarlow/
