IBM Rational AppScan deployed by SAP AG
IBM SAP International Competence Center
© SAP AG / Wolfram Scheible
“With IBM Rational AppScan we have efficiently automated the process of weak-point analysis.”
Michael Neumaier
Senior Quality Specialist
SAP AG
“IBM Rational AppScan not only helps us to avoid costs related to hacking attacks, but also reduces the manual effort needed for analysis and the costs for testing.”
Michael Neumaier
Senior Quality Specialist
SAP AG
Customer objectives
• Protect online applications by ensuring that vulnerabilities are identified and removed before deployment
• Cut the costs of remedial action by enhancing pre-release quality
• Increase customer confidence in the security of online applications
• Learn how to improve application design for the future
IBM solution
• IBM Rational AppScan Standard 8.0
About this paper
Experts estimate that the global damage caused by cybercriminals could be as much as €100 billion a year. Almost as soon as any new Web application goes online, it is registered and analyzed by automatic hacker tools. The applications and the data behind them are rarely protected by technologies such as firewalls, network scanners and intrusion detection systems. This paper looks at the steps taken by SAP AG to protect its applications using IBM Rational AppScan.
Customer benefits
• IBM Rational AppScan covers all of SAP’s security test requirements and has hugely expanded its test capabilities.
• Manual testing is being phased out, and a regular process for checking and reviewing test cases has been implemented.
• IBM Rational AppScan has integrated seamlessly into SAP’s quality assurance processes, because it automates a component of existing workflows rather than requiring an overall process change.
Background, starting point and objectives
SAP developers work on some 190 products, with more than 25 industry solutions in over 30 languages. Approximately 500 developers work in parallel on each new solution release.
SAP has moved to a global process for software development and release, based on four business principles:
Changing conditions for software development:
• Changed product portfolio, from a single product to a portfolio of different products.
• Global organization with distributed development in multiple international locations.
Improved communication between customers, partners and SAP:
• Provide one common and consistent approach to the roll-in of customer requirements.
• Reflect industry scenario orientation and focus on customer business needs.
• Ensure alignment between internal and external stakeholders on development priorities.
Industrialization of software development & re-use:
• The service oriented architecture fosters reuse at various levels.
• Aligned processes and organizations must reflect this re-use.
Never-ending quality improvement:
• Adapted processes for a high level of software quality and optimized TCO, while at the same time reducing time-to-market.
• Build the right things the right way, with planned quality along the entire product lifecycle.
Business challenges and project objectives
With more SAP® applications being designed for use over the Internet, the company has a pressing requirement to help ensure Web application security. For the SAP team, it was important to handle the increasing volume of test work while maintaining the very high quality of the results.
With manual testing, without automation, it was clear that the workload could easily become unmanageable, resulting in increased costs and carrying the risk of incorrectly tested software being brought to market.
If the team could automate most of the testing procedures, this would accelerate throughput and increase testing validity. In turn, IT staff could be released to work on more important software development projects.
While searching for suitable tools to test its applications pre-deployment, the SAP team identified a list of core requirements, including:
• Up-to-date functionality, including ability to combat current attack methods and vulnerability classes.
• Quality of the scanning technology and its ability to uncover security issues.
• Reliability and accuracy of the findings generated by the scanner, including false-positive handling.
• Usability and handling of the configuration of the scanner for very large software projects.
• Display and filtering of the findings, and ability to interpret findings easily.
• Support in the debugging, elimination or other resolution of identified vulnerabilities.
• Extensive reporting for different risk and compliance reports.
• Position and strength of the vendor in the market.
• Level of investment in future research and development of the security solution.
Technical solution
The IBM Rational AppScan product family – selected for use by SAP – examines Web applications for known vulnerabilities during both the development phase and application operation. Rational AppScan offers highly automated scanning and analysis, and provides reports in compliance with national and international standards at the push of a button. The Rational AppScan tools also help educate developers and security staff, with integrated e-learning components designed to ensure that safe practices are embedded in coding right at the start of software development programs.
The SAP team deployed IBM Rational AppScan Standard in India on a Microsoft Windows server with multiple log-on options through Windows Terminal Server, and in Germany on a standard desktop PC running Windows. For both systems, SAP runs a shared calendar where colleagues can plan their tests and machine usage, which allows many different people to run their tests without conflict.
The SAP team was very satisfied with the support and technical expertise offered by IBM. Issues were processed quickly, and the recommended solutions solved problems rapidly, thanks to the high level of product competency offered by IBM.
Rational AppScan includes graphical presentations of results and powerful report generation functionality, which demonstrates how the vulnerabilities are actually exploited in a Web browser. These capabilities are central to helping developers understand what the issues mean in practice. The Rational AppScan interface is so powerful that at SAP, developers are invited to online screen-sharing teleconferences where they can view the test results and issues for themselves.
Figure 1: The important information and services accessible through a Web-facing application have attracted a new and far more sophisticated adversary. The motivation for these attacks is changing and maturing from curiosity to financial gain to real espionage. The techniques that hackers employ are also advancing, making them harder to prevent and detect. The arrow represents a rapid rise in the likely overall damage and impact of attacks on applications as a whole.
Source: IBM Software, Rational, Technical White Paper: Designing a strategy for comprehensive Web protection, http://public.dhe.ibm.com/common/ssi/ecm/en/raw14246usen/RAW14246USEN.PDF
[Figure 1 chart: axes “Motive” and “Damage/impact to life and property”; adversary tiers from script kiddies, insiders, hackers and crackers, organized crime and competitors, cyber warriors and advanced persistent threats up to national security, with motives ranging from curiosity, prestige and thrill, revenge and monetary gain to industrial espionage; chart title: “The national security agenda is rising in importance within the context of the cybersecurity discussion”.]
About Rational AppScan
The Rational AppScan product portfolio provides ways to automate and industrialize the protection of networked and Web applications that collect and exchange sensitive data. Essentially, Rational AppScan software extends security analysis in the application security process and employs multiple testing techniques that result in higher-quality, more secure applications.
There have been numerous documented cases of companies that spent millions of dollars recovering from cyber-attacks that could almost certainly have been prevented. Vulnerabilities in a production environment can be costly to remedy, while Rational AppScan helps to uncover and fix flaws during the development process, reducing cost and risk.
Rational AppScan offers static and dynamic security testing in all stages of application development. SAP uses Rational AppScan Standard Edition, and the full product range extends to cover a variety of business needs:
• AppScan Build Edition embeds Web application security testing into the build management workflow.
• AppScan Enterprise Edition provides a Web application vulnerability testing and reporting solution used to scale security testing.
• AppScan Express Edition delivers affordable Web application security for smaller organizations.
• AppScan OnDemand identifies and prioritizes Web application security vulnerabilities that may be apparent via the SaaS model.
• AppScan OnDemand Production Site Monitoring enables consistent and continuous monitoring for production Web content and sites for vulnerabilities via the SaaS model.
Additional functionalities include JavaScript Analyzer, an extension of AppScan Standard developed in collaboration with IBM Research, which provides static taint analysis of JavaScript, detecting a range of client-side security issues such as DOM-based Cross-site Scripting (XSS), where malicious JavaScript code is executed in the user’s browser without the sanity checks that could prevent the attack.
The role of JavaScript in modern Web applications is becoming more important as technologies such as AJAX, HTML5 and the Dojo toolkit grow more common.
The JavaScript Analyzer makes AppScan one of the first tools capable of detecting a range of client-side security issues. Until now, these issues were thought to be very common, but with no tool to find them there was no hard evidence and no way to build defenses. AppScan is also able to apply both black box and white box testing in the same scan.
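To illustrate the static taint analysis described above, here is an added example written for this page (not IBM’s JavaScript Analyzer and not SAP’s code): a deliberately simplified, line-oriented tracker that follows URL-derived data from DOM sources through plain assignments to HTML or script sinks and reports each unsanitised flow as a DOM-based XSS finding. The sanitiser names (escapeHtml is a hypothetical project helper) and the sample script are constructed assumptions.

```javascript
// Added example, not IBM's JavaScript Analyzer: a toy, line-oriented taint tracker for
// DOM-based XSS. It ignores control flow, scoping and object fields; its purpose is to
// show the source -> propagation -> sink reasoning a static JavaScript analyzer performs.

// Sources: attacker-influenced inputs. Sinks: APIs that interpret a string as HTML or code.
const SOURCES = [/\blocation\.hash\b/, /\blocation\.search\b/, /\bdocument\.URL\b/, /\bdocument\.referrer\b/];
const SINKS = [/\.innerHTML\b/, /\.outerHTML\b/, /\bdocument\.write\b/, /\beval\b/];
// Assumed sanitisers (escapeHtml is a hypothetical project helper, not a browser API).
const SANITIZERS = [/\bescapeHtml\(/, /\bencodeURIComponent\(/];

// Plain assignments only: `const x = <expr>;` or `x = <expr>;` (group 1 = name, group 2 = expr).
const ASSIGN = /^(?:var|let|const)?\s*([A-Za-z_]\w*)\s*=\s*(.+?);?$/;
const refersTo = (text, name) => new RegExp('\\b' + name + '\\b').test(text);

// Returns one finding per line where unsanitised source data reaches a sink.
function analyze(js) {
  const tainted = new Set();            // variables currently holding unsanitised source data
  const findings = [];
  js.split('\n').forEach((raw, idx) => {
    const line = raw.replace(/\/\/.*$/, '').trim();      // drop trailing comments
    if (!line) return;
    const m = line.match(ASSIGN);
    const expr = m ? m[2] : line;                         // the data-carrying part of the line
    const carriesTaint =
      (SOURCES.some(re => re.test(expr)) || [...tainted].some(v => refersTo(expr, v))) &&
      !SANITIZERS.some(re => re.test(expr));
    if (m) {                                              // propagate or clear taint on assignment
      if (carriesTaint) tainted.add(m[1]); else tainted.delete(m[1]);
    }
    const sink = SINKS.find(re => re.test(line));
    if (sink && carriesTaint) findings.push({ line: idx + 1, sink: sink.source, code: line });
  });
  return findings;
}

// Constructed sample script: two unsafe flows (lines 3 and 7) and two safe uses of the same data.
const SAMPLE = [
  "const name = location.hash.slice(1);",
  "const greeting = 'Hello ' + name;",
  "document.getElementById('out').innerHTML = greeting;   // unsanitised -> DOM-based XSS",
  "document.getElementById('out').textContent = greeting; // textContent is not an HTML sink",
  "const safe = escapeHtml(name);",
  "document.getElementById('out').innerHTML = safe;       // sanitised before the sink",
  "document.write(document.URL);                           // source flows straight into a sink",
].join('\n');

console.log(analyze(SAMPLE));
```

Run with Node; the two reported lines are the ones where URL-controlled data reaches an HTML or script sink without passing through a sanitiser, while the textContent write and the escaped value are not flagged.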
Proof of validity
To test the validity of the claims for Rational AppScan, SAP performed an external audit and penetration test on Duet® software. The team then compared the results of the manual test against the automated findings generated by Rational AppScan. The comparison was designed to detect and reproduce the vulnerabilities discovered by the manual test, and highlight the appropriate areas of the source code.
Rational AppScan succeeded in locating all the vulnerabilities discovered manually, identified additional concerns, and pinpointed the source code responsible in just a few hours. The AppScan findings are highly accurate, with very few false positives, which saves a great deal of time when evaluating an application. The audit reporting and ability to provide full traceability of errors feature high on the list of time- and cost-saving functionalities.
AppScan Standard was integrated into SAP’s product development process, and the powerful reporting functionality is used to analyze results and generate recommendations for developers.
For example, after an application scan with Rational AppScan, the team schedules a workshop with the development team. Rational AppScan generates an application profile with SAP-specific main issues, aimed at SAP standard requirements.
During software development, the developers themselves are responsible for testing. The SAP IT team provides developers with Rational AppScan testing services, which can be booked internally. For those developers who choose to test during development, the results are used during the software validation process. If the core team is involved in testing, software validation can be completed more quickly, reducing SAP’s time to market with new solutions.
If Rational AppScan is not involved during the software development process, developers have to run their own manual tests and provide documentation explaining why their test results are acceptable. Based on those documents, the testing team makes its plan for software validation – usually a longer process than where products have involved Rational AppScan at an early stage.
With the reduced testing time and effort that using Rational AppScan provides, SAP is able to develop more Web applications more quickly, and bring them to market. As a result of these benefits, SAP purchased additional Rational AppScan licenses, expanding its footprint to eight users in total, in India, Israel and Germany.
Business benefits
In the future, combinations of dynamic and static analyses present new possibilities for SAP. This hybrid analysis is completed using the JavaScript Analyzer. During a test, both the black box tests (the normal HTTP tests provided by AppScan Standard Edition) and white box tests (via static analysis of the JavaScript code by the JSA component) are run.
The black box and white box test results are correlated through the Reporting Console. The correlation highlights specific weak points identified by both scanning technologies. Such double weaknesses can be considered to be a genuine risk, to be fixed as rapidly as possible. Under the previous manual testing processes, the SAP team knew that its 60 or so test case descriptions did not cover all requirements. Manual testing is being phased out, and a regular process for checking and reviewing test cases has been implemented. With Rational AppScan, the SAP team now has a significantly higher degree of test coverage.
Product complexity affects the testing processes, which can take fractions of a second or several minutes for each URL. Rational AppScan can also test by starting with an initial URL and then testing all the pages that can be reached, somewhat in the manner of a search engine crawling linked Web pages. The tools include the ability to exclude or include certain pages, directories or areas of a website, and single pages can be specified for test.
To accelerate testing, the IBM team implemented an adaptive approach: if test failures exceed pre-set limits, the test sequence is halted. This method reduces the time spent on test runs, accelerating total throughput and increasing efficiency.
Rational AppScan has integrated seamlessly into SAP’s processes, as it automates a component of existing workflows rather than requiring change. From initial adoption, usage has exploded as the benefits have become clear, particularly since the number of Web applications is growing continuously.
“IBM Rational AppScan has a hugely positive impact on educating our developers with respect to avoiding vulnerabilities in Web applications.”
Michael Neumaier
Senior Quality Specialist
SAP AG
SAP, Duet and all SAP logos are trademarks or registered trademarks of SAP AG in Germany and in several other countries.
All other product and service names mentioned are the trademarks of their respective companies.
SAP Forward-looking Statement
Any statements contained in this document that are not historical facts are forward-looking statements as defined in the U.S. Private Securities Litigation Reform Act of 1995. Words such as “anticipate,” “believe,” “estimate,” “expect,” “forecast,” “intend,” “may,” “plan,” “project,” “predict,” “should” and “will” and similar expressions as they relate to SAP are intended to identify such forward-looking statements. SAP undertakes no obligation to publicly update or revise any forward-looking statements. All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ materially from expectations. The factors that could affect SAP’s future financial results are discussed more fully in SAP’s filings with the U.S. Securities and Exchange Commission (“SEC”), including SAP’s most recent Annual Report on Form 20-F filed with the SEC. Readers are cautioned not to place undue reliance on these forward-looking statements, which speak only as of their dates.
For more information:
To learn more about the solutions from IBM and SAP, visit: ibm-sap.com
For more information about SAP products and services, contact an SAP representative or visit: sap.com
For more information about IBM products and services, contact an IBM representative or visit: ibm.com
Contacts:
IBM
Stephan Rosche
For further questions please contact the IBM SAP International Competency Center via
SPC03379-DEEN-00
© Copyright IBM Corp. 2011 All Rights Reserved.
IBM Deutschland GmbH, D-70548 Stuttgart, ibm.com
Produced in Germany, December 2011
IBM, the IBM logo, ibm.com, i5/OS, DB2, Domino, FlashCopy, Lotus, Notes, POWER, POWER4, POWER5, POWER6, System i, System x, and Tivoli are trademarks of International Business Machines Corporation in the United States, other countries, or both. If these and other IBM trademarked terms are marked on their first occurrence in this information with a trademark symbol (® or ™), these symbols indicate U.S. registered or common law trademarks owned by IBM at the time this information was published. Such trademarks may also be registered or common law trademarks in other countries. A current list of other IBM trademarks is available on the Web at: http://www.ibm.com/legal/copytrade.shtml
UNIX is a registered trademark of The Open Group in the United States and other countries. Linux is a trademark of Linus Torvalds in the United States, other countries, or both. Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both. Other company, product or service names may be trademarks, or service marks of others.
This brochure illustrates how IBM customers may be using IBM and/or IBM Business Partner technologies/services. Many factors have contributed to the results and benefits described. IBM does not guarantee comparable results. All information contained herein was provided by the featured customer/s and/or IBM Business Partner/s. IBM does not attest to its accuracy. All customer examples cited represent how some customers have used IBM products and the results they may have achieved. Actual environmental costs and performance characteristics will vary depending on individual customer configurations and conditions.
This publication is for general guidance only. Photographs may show design models.