
IBM Software: Application security

November 2011

IBM Rational AppScan Standard Edition
Identify and remediate web application vulnerabilities to help enhance security

Highlights
● Simplify remediation by identifying vulnerabilities and generating results through comprehensive scanning coverage
● Scan complex web applications including those that utilize Adobe Flash, JavaScript, AJAX and SOAP web services
● Combine the advanced dynamic and innovative hybrid analysis of glass box testing (runtime analysis) with static taint analysis for superior accuracy
● Identify the latest threats including full coverage of the OWASP Top 10 web application vulnerabilities
● Manage regulatory requirements such as PCI, GLBA and HIPAA

Detecting web application vulnerabilities and protecting sensitive data
Today, most enterprises depend on web-based software and systems to run their business processes, conduct transactions with suppliers and deliver sophisticated services to customers. Unfortunately, in the race to stay one step ahead of the competition, many organizations spend little to no effort to ensure that these applications are secure. Web-based systems can compromise the overall security of an organization by introducing vulnerabilities that hackers can use to gain access to confidential company information or customer data.

IBM offers the IBM® Rational® AppScan® portfolio of solutions that can help enterprises address web application vulnerabilities using a "secure by design" approach. This approach embeds security testing into the software development life cycle, providing you the tools you need to develop secure code.

Designed for security teams to test and audit web applications in development and production, Rational AppScan Standard Edition software scans and tests for the latest threats with a desktop solution that offers:

● Broad coverage of emerging threats including Web 2.0 application vulnerabilities

● Advanced dynamic application security testing (DAST), also known as black box analysis

● Glass box testing, also known as runtime analysis or integrated application security testing (IAST)

● JavaScript Security Analyzer for static taint analysis of client-side security issues


● Customizable product extensions for greater control over web vulnerability testing

● Ease-of-use to automate security testing
● Explanations of all identified issues and remediation guidance
● More than 40 out of the box compliance reports

Realizing cost savings using accurate, automated scanning
Rational AppScan Standard Edition software can help significantly reduce the costs associated with manual vulnerability testing. Whether you outsource your vulnerability testing or perform it manually in-house, Rational AppScan Standard Edition software can help reduce the time needed to perform a comprehensive vulnerability assessment of your applications.

This can help you evaluate your web security posture on an ongoing basis, as opposed to quarterly or yearly audits, to help enhance security levels and reduce costs.

The patented Rational AppScan Standard Edition software scanning engine is designed to provide high levels of scan accuracy and limit false positives. To further improve accuracy and performance, it includes an adaptive test process that intelligently mimics human logic to adapt the testing phase to individual applications. Rational AppScan Standard Edition software learns the application, down to the level of each specific parameter, and adjusts to perform only the tests that are relevant. To help ensure protection from the latest threats, Rational AppScan Standard Edition software checks for attack rule updates from the IBM team of security research experts each time the software is launched.

Figure 1: IBM Rational AppScan Standard Edition software can help users quickly identify, understand and fix critical web vulnerabilities.


Providing quick results with features designed for ease of use
Not everyone is a security expert. Rational AppScan Standard Edition software integrates many ease-of-use features to help make web vulnerability scanning easier for those who aren't.

● The scan configuration wizard guides each user to set up an initial scan by prompting for basic information such as a starting URL or IP address, querying which type of scanning profile should be used and soliciting any required login information.

● The scan expert feature performs a settings check and makes any final modifications, such as turning on JavaScript or Adobe Flash parsing and execution, to support environments using client-side logic.

● After the scan configuration is done, Rational AppScan software explores the application and extracts information about web pages, HTML forms, parameters, cookies and so on. This information is later used to build thousands of test cases.

● Rational AppScan Standard Edition software then begins the test phase and returns vulnerability results and remediation recommendations. The results offer helpful tips and screenshots to clearly illustrate each issue.

To increase the security knowledge of your organization, IBM offers web-based training modules that cover a variety of security topics.

Streamlining remediation with prioritized results and fix recommendations
One of the most critical aspects of web vulnerability scanning is the quick remediation of issues. Rational AppScan Standard Edition software provides a fully prioritized list of the vulnerabilities found with each scan, which enables high-priority problems to be fixed first, helping organizations focus on what matters the most from a security perspective. Each vulnerability result includes a full description of how the vulnerability works and the potential causes. When deploying glass box scanning (runtime analysis) agents during a scan, AppScan Standard Edition software reports the actual location in the application's code where the vulnerability took place, such as the name of the Java class and the vulnerable line number. Integrated web-based training provides short training modules directly from the user interface. The remediation view then explains the steps required to remediate the issue, including examples of both secure and insecure code. To assign and manage remediation, results can be integrated into defect tracking systems, such as IBM Rational ClearQuest® software and HP Quality Center.

Figure 2: AppScan Standard Edition software includes detailed explanations of vulnerabilities with guidance on remediation.


Managing compliance and gaining insight into key security issues
Many enterprises face key compliance demands for their web applications, and Rational AppScan Standard Edition software can help organizations manage critical compliance requirements such as the Payment Card Industry Data Security Standard (PCI DSS) by providing a way to support an ongoing level of application security.

Rational AppScan Standard Edition software can also produce custom security reports and has the ability to select which data points should be included in each report. Users can also choose from more than 40 predefined reports and map scan results to key industry and regulatory compliance standards. These include National Institute of Standards and Technology Special Publication (NIST SP) 800-53, the Open Web Application Security Project (OWASP) Top 10, PCI DSS, Sarbanes-Oxley, Gramm-Leach-Bliley Act (GLBA), Health Insurance Portability and Accountability Act (HIPAA), Family Educational Rights and Privacy Act (FERPA), Freedom of Information and Protection of Privacy Act (FIPPA) and Payment Application Best Practices (PABP).

For increased insight and visibility, organizations can easily add the IBM Rational AppScan Enterprise server to their existing Rational AppScan Standard Edition software deployment. The Rational AppScan Enterprise server utilizes a scalable enterprise architecture that provides role-based reporting access and aggregates scan data from multiple instances of Rational AppScan Standard Edition software. By providing in-depth, yet easy-to-understand dashboards and flexible reporting views, the Rational AppScan Enterprise server provides a platform for application security testing and risk management. This includes enterprise-wide visibility into risks, continuous updates on remediation progress and integrations with the Rational Collaborative Lifecycle Management solution.

Figure 3: AppScan Standard Edition software includes glass box testing with runtime analysis to identify more vulnerabilities, simplify scan configuration and provide more actionable results by linking proof of exploit with line-of-code details of the identified issue.


Next generation dynamic analysis with new glass box testing (runtime analysis)
Rational AppScan Standard Edition software offers glass box testing, which is a form of integrated application security testing (IAST). Glass box security testing is the latest evolution of hybrid analysis: it combines dynamic (black box) analysis, which simulates security attacks, with an internal agent that monitors application behavior during the attack. With glass box testing, Rational AppScan Standard Edition software provides more accurate test results and identifies vulnerabilities that traditional dynamic testing cannot recognize. Through the combination of security research and glass box testing, Rational AppScan Standard Edition software delivers full coverage of the OWASP Top 10 vulnerabilities and can identify non-reflected vulnerabilities, such as command execution, SQL injection, file inclusion, LDAP injection, log forging and more.

Glass box testing also helps security teams collaborate with development organizations by providing precise information about vulnerabilities. With glass box testing, Rational AppScan Standard Edition software identifies specific lines of code and provides details on how the application behaves during the attack, which helps facilitate remediation. For this reason, leading development organizations are deploying glass box testing earlier in their development cycles for a level of precise testing not available with traditional dynamic or static analysis.
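The mechanism the two glass box passages above describe (a black box probe on the outside, an in-process agent on the inside that watches a dangerous sink and reports the class and line that reached it) is shown here as an added Python illustration. It is not IBM code and not AppScan's agent: the handlers, the marker string, the agent hook and the parameter names are invented for the example, and a sqlite3 statement stands in for the Java sink the datasheet refers to. The hardened handler beside the vulnerable one shows why a bound parameter keeps the agent silent: the marker never enters the SQL text.

```python
"""Toy glass-box (IAST-style) scan: a black-box probe sends a marker payload
while an in-process agent, installed by patching sqlite3.connect, watches the
SQL sink and records the handler class and line that reached it.
Added illustration; handlers, marker and agent are invented for this example."""
import inspect
import sqlite3
import urllib.parse

MARKER = "GBX7f3a"           # hypothetical taint marker carried by every probe
FINDINGS = []                # filled in by the agent while a scan runs
_CURRENT = {"param": None}   # parameter the probe is mutating right now
_AGENT_FRAMES = {"_locate_caller", "_inspect_sink", "execute"}  # agent frames to skip
_orig_connect = sqlite3.connect


def _locate_caller():
    """Walk up the stack past the agent's own frames to the application frame."""
    frame = inspect.currentframe()
    while frame is not None:
        if frame.f_code.co_name not in _AGENT_FRAMES:
            owner = frame.f_locals.get("self")
            return {"class": type(owner).__name__ if owner is not None else None,
                    "function": frame.f_code.co_name,
                    "line": frame.f_lineno}
        frame = frame.f_back
    return None


def _inspect_sink(sink, sql):
    """Record a finding when the probe marker shows up inside the SQL text."""
    if MARKER in sql:
        FINDINGS.append({"sink": sink, "param": _CURRENT["param"],
                         "location": _locate_caller()})


class AgentConnection(sqlite3.Connection):
    """Connection subclass that inspects every statement before running it."""
    def execute(self, sql, *args, **kwargs):
        _inspect_sink("sqlite3.Connection.execute", sql)
        return super().execute(sql, *args, **kwargs)


def install_agent():
    """Hook the connection factory so the application gets instrumented connections."""
    sqlite3.connect = lambda *a, **kw: _orig_connect(*a, factory=AgentConnection, **kw)


class UserLookup:
    """Vulnerable handler: the statement is built by string concatenation."""
    def __init__(self):
        self.db = sqlite3.connect(":memory:")
        self.db.execute("CREATE TABLE users (name TEXT)")
        self.db.execute("INSERT INTO users VALUES ('alice')")

    def handle(self, query_string):
        name = urllib.parse.parse_qs(query_string).get("name", [""])[0]
        sql = "SELECT name FROM users WHERE name = '" + name + "'"
        try:
            return self.db.execute(sql).fetchall()   # sink: tainted SQL text
        except sqlite3.Error:
            return []


class SafeUserLookup(UserLookup):
    """Hardened handler: the same lookup with a bound parameter, so the marker
    never enters the SQL text and the agent stays silent."""
    def handle(self, query_string):
        name = urllib.parse.parse_qs(query_string).get("name", [""])[0]
        return self.db.execute("SELECT name FROM users WHERE name = ?", (name,)).fetchall()


def scan(app, base_query, params):
    """Black-box side: put the marker into each parameter in turn and
    return what the agent observed at the sink."""
    FINDINGS.clear()
    for param in params:
        _CURRENT["param"] = param
        query = dict(base_query, **{param: MARKER + "'"})
        app.handle(urllib.parse.urlencode(query))
    _CURRENT["param"] = None
    return list(FINDINGS)


if __name__ == "__main__":
    install_agent()
    for cls in (UserLookup, SafeUserLookup):
        print(cls.__name__, scan(cls(), {"name": "alice"}, ["name"]))
```

The agent must be installed before the application opens its connection, which is also how real runtime agents work (they load with the container, not after it). Skipping agent frames by function name is a simplification; a production agent would tag its own frames rather than rely on names.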

Introducing hybrid analysis with JavaScript Security Analyzer
The adoption of Web 2.0 technologies in today's rich internet applications expands the role of JavaScript as technologies such as AJAX, JavaScript frameworks and HTML5 become more common. Most web applications make heavy use of client-side JavaScript code, which increases the likelihood of client-side vulnerabilities. Recent research by IBM found that approximately 40 percent of the web applications tested had severe client-side vulnerabilities [1], which require manual code review by a penetration tester to be detected.

To address these new risks, IBM Rational AppScan Standard Edition software includes JavaScript Security Analyzer (JSA) for static taint analysis of JavaScript code. JSA detects a range of client-side security issues, such as DOM-based XSS, client-side open redirect, client-side SQL injection and many other HTML5-related security issues. Additionally, Rational AppScan software is one of the first scanners to apply DAST and SAST in the same scan for hybrid analysis.
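The source-to-sink tracking this section attributes to JSA, shown as an added Python illustration that is not IBM's analyzer. It scans a constructed JavaScript snippet one statement per line with a small fixed set of sources (such as location.hash), sinks (innerHTML, location.href, document.write) and sanitizers, and it reports the taint path for each DOM-based XSS and client-side open redirect it finds; the snippet, the regexes and the sanitizer list are assumptions for the example.

```python
"""Toy static taint analysis for client-side JavaScript: sources such as
location.hash flow through assignments into sinks such as innerHTML or
location.href unless a sanitizer call wraps the value.  Added illustration,
not IBM's JavaScript Security Analyzer: one statement per line, no real
parser, and the scanned snippet is constructed for the example."""
import re

SOURCES = ("location.hash", "location.search", "document.URL",
           "document.referrer", "window.name")
SANITIZERS = ("encodeURIComponent", "parseInt", "Number", "DOMPurify.sanitize")
# Assignment targets that are sinks, with the issue class they represent.
SINK_TARGETS = [(re.compile(r"\.(innerHTML|outerHTML)$"), "DOM-based XSS"),
                (re.compile(r"(^|\.)location(\.href)?$"), "client-side open redirect")]
CALL_SINKS = {"document.write": "DOM-based XSS"}

ASSIGN = re.compile(r"^(?:(?:var|let|const)\s+)?"
                    r"(?P<lhs>[A-Za-z_$][\w$]*(?:\.[\w$]+|\([^()]*\))*)\s*=(?!=)\s*(?P<rhs>.+)$")
CALL = re.compile(r"^(?P<callee>[A-Za-z_$][\w$.]*)\((?P<arg>.*)\)$")
IDENT = re.compile(r"[A-Za-z_$][\w$]*")
STRING = re.compile(r'"[^"]*"|\'[^\']*\'')


def _statements(js):
    """Yield (line_number, statement) with // comments and ';' stripped."""
    for number, line in enumerate(js.splitlines(), 1):
        stmt = re.sub(r"//.*$", "", line).strip().rstrip(";").strip()
        if stmt:
            yield number, stmt


def _taint_of(expr, tainted):
    """Return the taint path feeding expr, or None when it is clean.
    Simplification: a sanitizer call at the top level cleans the whole value."""
    if any(expr.startswith(s + "(") for s in SANITIZERS):
        return None
    expr = STRING.sub('""', expr)            # ignore words inside string literals
    for source in SOURCES:
        if source in expr:
            return [f"source {source}"]
    for ident in IDENT.findall(expr):
        if ident in tainted:
            return tainted[ident]
    return None


def analyze(js):
    """Single forward pass: propagate taint through assignments, report sinks."""
    tainted = {}          # identifier -> path of steps that tainted it
    findings = []
    for number, stmt in _statements(js):
        step = f"L{number}: {stmt}"
        m = ASSIGN.match(stmt)
        if m:
            lhs, rhs = m.group("lhs"), m.group("rhs")
            path = _taint_of(rhs, tainted)
            kind = next((k for pattern, k in SINK_TARGETS if pattern.search(lhs)), None)
            if kind:
                if path:
                    findings.append({"line": number, "type": kind, "sink": lhs,
                                     "path": path + [step]})
            elif path:
                tainted[lhs] = path + [step]
            else:
                tainted.pop(lhs, None)       # overwritten with a clean value
            continue
        c = CALL.match(stmt)
        if c and c.group("callee") in CALL_SINKS:
            path = _taint_of(c.group("arg"), tainted)
            if path:
                findings.append({"line": number, "type": CALL_SINKS[c.group("callee")],
                                 "sink": c.group("callee"), "path": path + [step]})
    return findings


# Constructed sample, not taken from any real application.
SAMPLE_JS = """\
var q = location.hash.substring(1);
var name = decodeURIComponent(q);
var safeName = encodeURIComponent(name);
document.getElementById("out").innerHTML = "Hello " + name;
var target = location.search.split("r=")[1];
location.href = target;
var id = parseInt(q, 10);
document.getElementById("id").innerHTML = id;
location.href = "/home?u=" + safeName;
document.write("<b>" + location.hash + "</b>");
"""

if __name__ == "__main__":
    for f in analyze(SAMPLE_JS):
        print(f"line {f['line']}: {f['type']} via {' -> '.join(f['path'])}")
```

On the sample the pass reports lines 4, 6 and 10 and stays quiet on lines 8 and 9, where the value was passed through parseInt or encodeURIComponent first. A real analyzer works on an AST and tracks object properties and callbacks; the regex front end here is only enough to make the taint-propagation logic visible.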

Expanding security coverage to web services and SOA environments
Because web applications are growing in complexity with the integration of web services in Service-Oriented Architecture (SOA) environments, Rational AppScan Standard Edition software includes robust support for the WS-Security v1.1 standards, .NET Framework-based web services, WS-Addressing, encrypted keys, and SOAP messages with MIME and DIME attachments.

Customizing and extending your testing for greater control
Rational AppScan Standard Edition software includes a set of powerful customization features for greater control over web vulnerability testing in your environment.

The IBM Rational AppScan software development kit (SDK) offers a powerful set of interfaces that enable customizable invocation of each action in Rational AppScan Standard Edition software, from the execution of a long scan to the submission of an individual custom test. This platform enables easy integration into existing systems, supports advanced custom uses of the Rational AppScan engine and provides the foundation for the Rational AppScan eXtensions Framework and Pyscan scripting.


IBM Rational AppScan eXtensions Framework is a flexible framework that can help users develop and use add-ons to extend the functionality of Rational AppScan Standard Edition software. The framework helps open up Rational AppScan Standard Edition software, allowing users to customize and enhance existing functionality to fit their own processes, automate in-house activities and receive a large number of additional features and functionality by downloading open source extensions from the Rational AppScan eXtensions community portal (ibm.com/developerworks/rational/downloads/08/appscan_ext_framework).

The Pyscan web application security testing platform is built on Rational AppScan software and the Python scripting language. It can help an auditor better utilize Rational AppScan Standard Edition software functionality when performing a manual audit: the advanced session management capabilities of Rational AppScan Standard Edition software can be used to establish and maintain login state, and an easily accessible repository of scanned application data and powerful reporting abilities are readily available. The Pyscan platform can increase the efficiency of the manual portion of an audit without eliminating the irreplaceable expertise of the auditor. Auditors can reuse their existing Python testing scripts in AppScan software and enjoy the symbiosis between home-grown tools and Rational AppScan software.

Why IBM for application security and risk management
IBM delivers a comprehensive portfolio of application security and risk management solutions. With advanced security testing and a platform for managing application risk, the IBM Rational AppScan portfolio delivers both the security expertise and the critical integrations with application life cycle management that help enterprises not just identify vulnerabilities but also reduce overall application risk. The IBM Rational AppScan software portfolio includes advanced static (white box) and dynamic (black box) analysis as well as innovative technologies that keep up with the latest threats and drive precise, actionable results.

The Rational AppScan software portfolio is complemented by Software as a Service delivery options and robust professional service offerings including application security assessments, deployment services, advanced application security training, product training and more.


Rational AppScan Standard Edition software at a glance

Hardware requirements:

● Processor: Intel® Pentium® P4, 2.4 GHz

● Memory: 2 GB RAM

● Disk space: 30 GB

● Network: 1 NIC 100 Mbps for network communication with configured TCP/IP

Supported operating systems (both 32-bit and 64-bit editions):

● Windows XP: Professional, SP2 and SP3

● Windows 2003: Standard and Enterprise, SP1 and SP2

● Windows Vista: Business, Ultimate and Enterprise, SP1 and SP2

● Windows Server 2008: Standard and Enterprise, SP1 and SP2 [2]

Browsers:

● Microsoft Internet Explorer Version 6 or later

Prerequisites:

● Microsoft .NET Framework Version 2.0 or later (Version 3.0 or later is required for some optional, additional functionality)

● Optional: Adobe Flash Player for Internet Explorer, Version 9.0.124.0 or later is required for Flash execution, and for viewing instructional videos in some of the advisories. Earlier versions are not supported, and some versions might require configuration. For details, see the documentation.

● Optional: Microsoft Word 2003 or 2007 for using Rational AppScan software smart tags to insert fields for custom report templates. If you use Word 2003 the following update must also be installed: Update for Office 2003: KB907417

Defect tracking system support:

● IBM Rational ClearQuest

● HP Quality Center

Glass box supported systems:

Java EE containers: JBoss, Tomcat 6.0/7.0, WebLogic, WebSphere 7.0

Operating systems:

Windows: XP, Windows 7 SP1, Windows Server 2008 R2 SP1 (Q1 2011), Windows Server 2008 R2 (Aug 15, 2009)

Linux: Red Hat Enterprise Linux: RHEL 4 Update 9 (Oct 6, 2010), RHEL 5 Update 6 (Oct 20, 2010), RHEL 6 (Oct-Dec 2010); Ubuntu Server 10.04 LTS; SLES (SUSE Linux Enterprise Server): 11 SP1 (June 2010), SLES 11 (030509), SLES 10 SP4 (Q3 2011)

UNIX: AIX 7.1 (Oct 2010), Solaris 10 (SPARC), Solaris 11 Express


For more information
To learn more about IBM Rational AppScan Standard Edition software, contact your IBM representative or IBM Business Partner, or visit: ibm.com/software/awdtools/appscan/standard

Additionally, financing solutions from IBM Global Financing can enable effective cash management, protection from technology obsolescence, improved total cost of ownership and return on investment. Also, our Global Asset Recovery Services help address environmental concerns with new, more energy-efficient solutions. For more information on IBM Global Financing, visit: ibm.com/financing

© Copyright IBM Corporation 2011

IBM Corporation
Software Group
Route 100
Somers, NY 10589 U.S.A.

November 2011

IBM, the IBM logo, ibm.com, AppScan, ClearQuest, and Rational are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both. If these and other IBM trademarked terms are marked on their first occurrence in this information with a trademark symbol (® or ™), these symbols indicate U.S. registered or common law trademarks owned by IBM at the time this information was published. Such trademarks may also be registered or common law trademarks in other countries.

A current list of IBM trademarks is available on the web at "Copyright and trademark information" at ibm.com/legal/copytrade.shtml

Adobe is either a registered trademark or trademark of Adobe Systems Incorporated in the United States, and/or other countries.

Intel, and Pentium are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries.

Java and all Java-based trademarks and logos are trademarks or registered trademarks of Oracle and/or its affiliates.

Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.

Other company, product, or service names may be trademarks or service marks of others.

[1] IBM X-Force 2011 1H Trend and Risk Report: http://www14.software.ibm.com/webapp/iwm/web/signup.do?source=swg-spsm-tiv-sec-wp&S_PKG=IBM-X-Force-2010-Trend-Risk-Report or point to the high level report index

[2] Rational AppScan software smart tags, which are used when creating custom reports, are not supported on Windows Vista or Windows Server 2008.

RAD14019-USEN-03