
IBM Rational AppScan deployed by SAP AG

IBM SAP International Competence Center

© SAP AG / Wolfram Scheible


“With IBM Rational AppScan we have efficiently automated the process of weak-point analysis.”

Michael Neumaier

Senior Quality Specialist

SAP AG

“IBM Rational AppScan not only helps us to avoid costs related to hacking attacks, but also reduces the manual effort needed for analysis and the costs for testing.”

Michael Neumaier

Senior Quality Specialist

SAP AG


Customer objectives

• Protect online applications by ensuring that vulnerabilities are identified and removed before deployment
• Cut the costs of remedial action by enhancing pre-release quality
• Increase customer confidence in the security of online applications
• Learn how to improve application design for the future

IBM solution

• IBM Rational AppScan Standard 8.0

About this paper

Experts estimate that the global damage caused by cybercriminals could be as much as €100 billion a year. Almost as soon as any new Web application goes online, it is registered and analyzed by automatic hacker tools. The applications and the data behind them are rarely protected by technologies such as firewalls, network scanners and intrusion detection systems. This paper looks at the steps taken by SAP AG to protect its applications using IBM Rational AppScan.

Customer benefits

• IBM Rational AppScan covers all of SAP's security test requirements and has hugely expanded its test capabilities
• Manual testing is being phased out, and a regular process for checking and reviewing test cases has been implemented.
• IBM Rational AppScan has integrated seamlessly into SAP's quality assurance processes, because it automates a component of existing workflows rather than requiring an overall process change.


Background, starting point and objectives

SAP developers work on some 190 products, with more than 25 industry solutions in over 30 languages. Approximately 500 developers work in parallel on each new solution release.

SAP has moved to a global process for software development and release, based on four business principles:

Changing conditions for software development:

• Changed product portfolio, from a single product to a portfolio of different products.
• Global organization with distributed development in multiple international locations.

Improved communication between customers, partners and SAP:

• Provide one common and consistent approach to the roll-in of customer requirements.
• Reflect industry scenario orientation and focus on customer business needs.
• Ensure alignment between internal and external stakeholders on development priorities.

Industrialization of software development & re-use:

• The service oriented architecture fosters reuse at various levels.
• Aligned processes and organizations must reflect this re-use.

Never-ending quality improvement:

• Adapted processes for a high level of software quality and optimized TCO, while at the same time reducing time-to-market.
• Build the right things the right way, with planned quality along the entire product lifecycle.

Business challenges and project objectives

With more SAP® applications being designed for use over the Internet, the company has a pressing requirement to help ensure Web application security. For the SAP team, it was important to handle the increasing volume of test work while maintaining the very high quality of the results.

With manual testing, without automation, it was clear that the workload could easily become unmanageable, resulting in increased costs and carrying the risk of incorrectly tested software being brought to market.

If the team could automate most of the testing procedures, this would accelerate throughput and increase testing validity. In turn, IT staff could be released to work on more important software development projects.

While searching for suitable tools to test its applications pre-deployment, the SAP team identified a list of core requirements, including:

• Up-to-date functionality, including ability to combat current attack methods and vulnerability classes.
• Quality of the scanning technology and its ability to uncover security issues.
• Reliability and accuracy of the findings generated by the scanner, including false-positive handling.
• Usability and handling of the configuration of the scanner for very large software projects.
• Display and filtering of the findings, and ability to interpret findings easily.
• Support in the debugging, elimination or other resolution of identified vulnerabilities.
• Extensive reporting for different risk and compliance reports.
• Position and strength of the vendor in the market.
• Level of investment in future research and development of the security solution.


Technical solution

The IBM Rational AppScan product family – selected for use by SAP – examines Web applications for known vulnerabilities during both the development phase and application operation. Rational AppScan offers highly automated scanning and analysis, and provides reports in compliance with national and international standards at the push of a button. The Rational AppScan tools also help educate developers and security staff, with integrated e-learning components designed to ensure that safe practices are embedded in coding right at the start of software development programs.

The SAP team deployed IBM Rational AppScan Standard in India on a Microsoft Windows server with multiple log-on options through Windows Terminal Server, and in Germany on a standard desktop PC running Windows. For both systems, SAP runs a shared calendar where colleagues can plan their tests and machine usage, which allows many different people to run their tests without conflict.

The SAP team was very satisfied with the support and technical expertise offered by IBM. Issues were processed quickly, and the recommended solutions solved problems rapidly, thanks to the high level of product competency offered by IBM.

Rational AppScan includes graphical presentations of results and powerful report generation functionality, which demonstrates how the vulnerabilities are actually exploited in a Web browser. These capabilities are central to helping developers understand what the issues mean in practice. The Rational AppScan interface is so powerful that at SAP, developers are invited to online screen-sharing teleconferences where they can view the test results and issues for themselves.

Figure 1: The important information and services accessible through a Web-facing application have attracted a new and far more sophisticated adversary. The motivation for these attacks is changing and maturing from curiosity to financial gain to real espionage. The techniques that hackers employ are also advancing, making them harder to prevent and detect. The arrow represents a rapid rise in the likely overall damage and impact of attacks on applications as a whole.

Source: IBM Software, Rational, Technical White Paper: Designing a strategy for comprehensive Web protection, http://public.dhe.ibm.com/common/ssi/ecm/en/raw14246usen/RAW14246USEN.PDF

[Figure 1 chart labels, recovered from the page layout. Axes: Motive; Damage/impact to life and property. Adversary ladder: National security (advanced persistent threat, cyber warriors); organized crime, competitors; hackers, crackers; insiders; script kiddies. Means: sophisticated tools, expertise and substantial resources; inside information; substantial time, tools and social engineering; scripts, tools, web-based how-tos. Motives: industrial espionage; monetary gain; revenge; prestige and thrill; curiosity. Note in figure: "The national security agenda is rising in importance within the context of the cybersecurity discussion."]


About Rational AppScan

The Rational AppScan product portfolio provides ways to automate and industrialize the protection of networked and Web applications that collect and exchange sensitive data. Essentially, Rational AppScan software extends security analysis in the application security process and employs multiple testing techniques that result in higher-quality, more secure applications.

There have been numerous documented cases of companies that spent millions of dollars recovering from cyber-attacks that could almost certainly have been prevented. Vulnerabilities in a production environment can be costly to remedy, while Rational AppScan helps to uncover and fix flaws during the development process, reducing cost and risk.

Rational AppScan offers static and dynamic security testing in all stages of application development. SAP uses Rational AppScan Standard Edition, and the full product range extends to cover a variety of business needs:

• AppScan Build Edition embeds Web application security testing into the build management workflow.
• AppScan Enterprise Edition provides a Web application vulnerability testing and reporting solution used to scale security testing.
• AppScan Express Edition delivers affordable Web application security for smaller organizations.
• AppScan OnDemand identifies and prioritizes Web application security vulnerabilities that may be apparent via the SaaS model.
• AppScan OnDemand Production Site Monitoring enables consistent and continuous monitoring for production Web content and sites for vulnerabilities via the SaaS model.

Additional functionalities include JavaScript Analyzer, an extension of AppScan Standard developed in collaboration with IBM Research, which provides static taint analysis of JavaScript, detecting a range of client-side security issues, such as DOM-based Cross-site Scripting (XSS) where malicious JavaScript code is executed in the user's browser without sanity checks that could prevent the attack.

The role of JavaScript in modern Web applications is becoming more important as technologies such as AJAX, HTML5 and the Dojo toolkit grow more common.

The JavaScript Analyzer makes AppScan one of the first tools capable of detecting a range of client-side security issues. Until now, these issues were thought to be very common, but with no tool to find them there was no hard evidence and no way to build defenses. AppScan is also able to apply both black box and white box testing in the same scan.
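The static taint analysis described above, as an added illustration that is not code from this paper, from IBM Research or from the AppScan JavaScript Analyzer: a toy line-by-line taint check that marks variables assigned from a DOM source as tainted and reports each line where tainted data reaches an HTML or script sink without passing through a sanitizer. The source, sink and sanitizer names, the one-statement-per-line program form and the sample program are all assumptions constructed for the example.

```javascript
// Toy static taint check for DOM-based XSS (illustrative subset of sources/sinks, not AppScan's lists).
const SOURCES = ['location.hash', 'location.search', 'document.URL', 'document.referrer'];
const SINKS = ['.innerHTML', '.outerHTML', 'document.write(', 'eval('];
const SANITIZERS = ['escapeHtml(', 'encodeURIComponent('];
// "[const|let|var] lhs = rhs" with a single "=" (not ==); lhs may be dotted, e.g. el.innerHTML.
const ASSIGN_RE = /^(?:const|let|var)?\s*([A-Za-z_$][\w$.]*)\s*=(?!=)\s*(.*)$/;

// True when `name` appears in expr as a free identifier (not as a property such as obj.name).
function usesName(expr, name) {
  const escaped = name.replace(/\$/g, '\\$');
  return new RegExp('(^|[^\\w$.])' + escaped + '(?![\\w$])').test(expr);
}

// An expression is tainted if it reads a DOM source or a tainted variable,
// unless the whole expression is wrapped in a known sanitizer.
function isTainted(expr, tainted) {
  if (SANITIZERS.some(s => expr.startsWith(s))) return false;
  if (SOURCES.some(src => expr.includes(src))) return true;
  return [...tainted].some(v => usesName(expr, v));
}

// Walk the program once (assumption: one statement per line), propagating taint
// through simple assignments and reporting lines where tainted data reaches a sink.
function findDomXss(program) {
  const tainted = new Set();
  const findings = [];
  program.split('\n').forEach((raw, idx) => {
    const line = raw.replace(/\/\/.*$/, '').trim(); // drop trailing // comments
    if (!line) return;
    const m = ASSIGN_RE.exec(line);
    const sink = SINKS.find(s => line.includes(s));
    if (sink) {
      // For "el.innerHTML = rhs" only rhs matters; for document.write(...) / eval(...) the whole line.
      if (isTainted(m ? m[2] : line, tainted)) {
        findings.push({ line: idx + 1, sink: sink.replace(/^\.|\($/g, '') });
      }
    } else if (m && !m[1].includes('.')) {
      // Plain variable: a (re)assignment either taints it or clears an earlier taint.
      if (isTainted(m[2], tainted)) tainted.add(m[1]); else tainted.delete(m[1]);
    }
  });
  return findings;
}

// Constructed sample program; the numbers in the comments are the line numbers reported below.
const SAMPLE = [
  "const name = decodeURIComponent(location.hash.slice(6)); // 1: source (URL fragment)",
  "const safe = escapeHtml(name);                            // 2: sanitized copy",
  "greeting.innerHTML = 'Hello, ' + name;                    // 3: FINDING, raw fragment into markup",
  "greeting.innerHTML = 'Hello, ' + safe;                    // 4: ok, encoded first",
  "greeting.textContent = name;                              // 5: ok, text node, not markup",
  "document.write(location.search);                          // 6: FINDING, source straight to sink",
  "const title = document.title;                             // 7: untainted",
  "heading.innerHTML = title;                                // 8: ok",
].join('\n');

console.log(findDomXss(SAMPLE)); // [{ line: 3, sink: 'innerHTML' }, { line: 6, sink: 'document.write' }]
```

A real analyzer resolves data flow across functions, files and DOM APIs; this toy only shows why a source-to-sink flow without an intervening sanitizer is the pattern worth reporting.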


Proof of validity

To test the validity of the claims for Rational AppScan, SAP performed an external audit and penetration test on Duet® software. The team then compared the results of the manual test against the automated findings generated by Rational AppScan. The comparison was designed to detect and reproduce the vulnerabilities discovered by the manual test, and highlight the appropriate areas of the source code.

Rational AppScan succeeded in locating all the vulnerabilities discovered manually, identified additional concerns, and pinpointed the source code responsible in just a few hours. The AppScan findings are highly accurate, with very few false positives, which saves a great deal of time when evaluating an application. The audit reporting and ability to provide full traceability of errors feature high on the list of time- and cost-saving functionalities.

AppScan Standard was integrated into SAP's product development process, and the powerful reporting functionality is used to analyze results and generate recommendations for developers.

For example, after an application scan with Rational AppScan, the team schedules a workshop with the development team. Rational AppScan generates an application profile with SAP-specific main issues, aimed at SAP standard requirements.

During software development itself, the developers themselves are responsible for testing. The SAP IT team provides developers with Rational AppScan testing services, which can be booked internally. For those developers who choose to test during development, the results are used during the software validation process. If the core team is involved in testing, software validation can be completed more quickly, reducing SAP's time to market with new solutions.

If Rational AppScan is not involved during the software development process, developers have to run their own manual tests and provide documentation explaining why their test results are acceptable. Based on those documents, the testing team makes its plan for software validation – usually a longer process than where products have involved Rational AppScan at an early stage.

With the reduced testing time and effort that using Rational AppScan provides, SAP is able to develop more Web applications more quickly, and bring them to market. As a result of these benefits, SAP purchased additional Rational AppScan licenses, expanding its footprint to eight users in total, in India, Israel and Germany.


Business benefits

In the future, combinations of dynamic and static analyses present new possibilities for SAP. This hybrid analysis is completed using the JavaScript Analyzer. During a test, both the black box tests (the normal HTTP tests provided by AppScan Standard Edition) and white box tests (via static analysis of the JavaScript code by the JSA component) are run.

The black box and white box test results are correlated through the Reporting Console. The correlation highlights specific weak points, identified by both scanning technologies. Such double-weaknesses can be considered to be a genuine risk, to be fixed as rapidly as possible. Under the previous manual testing processes, the SAP team knew that its 60 or so test case descriptions did not cover all requirements. Manual testing is being phased out, and a regular process for checking and reviewing test cases has been implemented. With Rational AppScan, the SAP team now has a significantly higher degree of test coverage.
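One way to perform the black box/white box correlation described above, as an added example rather than the Reporting Console's own logic: dynamic findings (URL plus parameter) and static findings (page plus parameter plus sink location) are keyed the same way and intersected, so that the double weaknesses seen by both technologies come out first. Both finding lists, the key fields and the path normalization are assumptions constructed for the example.

```javascript
// Constructed black-box (HTTP) findings: the URL, the parameter that triggered the issue, and its class.
const blackBox = [
  { url: 'https://app.example.com/search?q=test#top', param: 'q', issue: 'xss' },
  { url: 'https://app.example.com/login', param: 'user', issue: 'sqli' },
  { url: 'https://app.example.com/Profile?id=7', param: 'ID', issue: 'xss' },
];
// Constructed white-box (static analysis) findings: page, parameter, class and the code location of the sink.
const whiteBox = [
  { page: '/search', param: 'q', issue: 'xss', sink: 'innerHTML', file: 'search.js', line: 42 },
  { page: '/profile', param: 'id', issue: 'xss', sink: 'document.write', file: 'profile.js', line: 9 },
  { page: '/help', param: 'topic', issue: 'xss', sink: 'innerHTML', file: 'help.js', line: 3 },
];

// Normalize so the same weak point is keyed identically from both sides:
// query string and fragment are dropped, path and parameter name are case-folded.
function findingKey(page, param, issue) {
  return `${page.toLowerCase()}|${param.toLowerCase()}|${issue}`;
}
function pagePath(url) {
  return new URL(url).pathname;
}

// Split findings into those seen by both technologies (double weaknesses, fix first),
// those only the dynamic scan saw, and those only the static scan saw.
function correlate(dynamicFindings, staticFindings) {
  const unmatched = new Map(staticFindings.map(f => [findingKey(f.page, f.param, f.issue), f]));
  const confirmed = [];
  const dynamicOnly = [];
  for (const d of dynamicFindings) {
    const k = findingKey(pagePath(d.url), d.param, d.issue);
    const s = unmatched.get(k);
    if (s) {
      confirmed.push({ page: pagePath(d.url), param: d.param, issue: d.issue, sink: s.sink, at: `${s.file}:${s.line}` });
      unmatched.delete(k);
    } else {
      dynamicOnly.push(d);
    }
  }
  return { confirmed, dynamicOnly, staticOnly: [...unmatched.values()] };
}

console.log(correlate(blackBox, whiteBox));
```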

Product complexity affects the testing processes, which can be fractions of a second or several minutes for each URL. Rational AppScan can also test by starting with an initial URL and then test all the pages that can be reached, somewhat in the manner of a search engine crawling linked Web pages. The tools include the ability to exclude or include certain pages, directories or areas of a website, and single pages can be specified for test.

To accelerate testing, the IBM team implemented an adaptive approach: if test failures exceed pre-set limits, the test sequence is halted. This method reduces the time spent on test runs, accelerating total throughput and increasing efficiency.

Rational AppScan has integrated seamlessly into SAP's processes, as it automates a component of existing workflows rather than requiring change. From initial adoption, usage has exploded as the benefits have become clear, particularly since the number of Web applications is growing continuously.


“IBM Rational AppScan has a hugely positive impact on educating our developers with respect to avoiding vulnerabilities in Web applications.”

Michael Neumaier

Senior Quality Specialist

SAP AG


SAP, Duet and all SAP logos are trademarks or registered trademarks of SAP AG in Germany and in several other countries.

All other product and service names mentioned are the trademarks of their respective companies.

SAP Forward-looking Statement

Any statements contained in this document that are not historical facts are forward-looking statements as defined in the U.S. Private Securities Litigation Reform Act of 1995. Words such as “anticipate,” “believe,” “estimate,” “expect,” “forecast,” “intend,” “may,” “plan,” “project,” “predict,” “should” and “will” and similar expressions as they relate to SAP are intended to identify such forward-looking statements. SAP undertakes no obligation to publicly update or revise any forward-looking statements. All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ materially from expectations. The factors that could affect SAP's future financial results are discussed more fully in SAP's filings with the U.S. Securities and Exchange Commission (“SEC”), including SAP's most recent Annual Report on Form 20-F filed with the SEC. Readers are cautioned not to place undue reliance on these forward-looking statements, which speak only as of their dates.


For more information:

To learn more about the solutions from IBM and SAP, visit: ibm-sap.com

For more information about SAP products and services, contact an SAP representative or visit: sap.com

For more information about IBM products and services, contact an IBM representative or visit: ibm.com

Contacts:

IBM

Stephan Rosche ([email protected])

For further questions please contact the IBM SAP International Competency Center via [email protected]

SPC03379-DEEN-00

© Copyright IBM Corp. 2011 All Rights Reserved.

IBM Deutschland GmbH, D-70548 Stuttgart, ibm.com

Produced in Germany, December 2011

IBM, the IBM logo, ibm.com, i5/OS, DB2, Domino, FlashCopy, Lotus, Notes, POWER, POWER4, POWER5, POWER6, System i, System x, and Tivoli are trademarks of International Business Machines Corporation in the United States, other countries, or both. If these and other IBM trademarked terms are marked on their first occurrence in this information with a trademark symbol (® or ™), these symbols indicate U.S. registered or common law trademarks owned by IBM at the time this information was published. Such trademarks may also be registered or common law trademarks in other countries. A current list of other IBM trademarks is available on the Web at: http://www.ibm.com/legal/copytrade.shtml

UNIX is a registered trademark of The Open Group in the United States and other countries. Linux is a trademark of Linus Torvalds in the United States, other countries, or both. Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both. Other company, product or service names may be trademarks, or service marks of others.

This brochure illustrates how IBM customers may be using IBM and/or IBM Business Partner technologies/services. Many factors have contributed to the results and benefits described. IBM does not guarantee comparable results. All information contained herein was provided by the featured customer/s and/or IBM Business Partner/s. IBM does not attest to its accuracy. All customer examples cited represent how some customers have used IBM products and the results they may have achieved. Actual environmental costs and performance characteristics will vary depending on individual customer configurations and conditions.

This publication is for general guidance only. Photographs may show design models.