introduction to appscan enterprise
TRANSCRIPT
IBM Software Group
© 2007 IBM Corporation
Introduction to AppScan Enterprise
Contents
The Application Security Problem
What is AppScan Enterprise?
Main Features
How does AppScan Enterprise work?
Key Concepts and Terminology
User Interface Tour
The Web Application Security Reality
[Chart: share of attacks vs. share of security spending, Web Applications vs. Network Server; sources: Gartner, Watchfire]
% of Attacks: Web Applications 75%, Network Server 25%
% of Dollars (Security Spending): Web Applications 10%, Network Server 90%
75% of All Attacks on Information Security Are Directed to the Web Application Layer
2/3 of All Web Applications Are Vulnerable
Web Application Security Challenges
1. Security Team Has Become a Bottleneck
2. Lack of Control and Visibility
3. Catching Problems Late in the Cycle
4. Not Monitoring Deployed Applications
5. Difficulty Managing 3rd Party Vendors
Web Application Security Evolution
Solving The Problem Requires a Strategic Approach
Unaware
Outsourced: Consultants, Pen Testing
Tactical: Manual Efforts, Desktop Audit Tools, 2-3 Internal Security Experts
Strategic: Enterprise-Wide Scalable Solution
What is AppScan Enterprise?
SCALE: Reuse and Run Multiple Scans Across Applications
INFORM: Push Reports to Developers, QA, and Non-Security Staff
MONITOR: Manage Problem Resolution Through Trending Reports
Security Team: Integrate Web Application Security in the SDLC
AppScan Enterprise – Key Features & Benefits
1. Enterprise Metrics and Visibility: Increase visibility and better understand enterprise risks
2. Controlled, Web-based Application Testing: Enable Development and QA to perform testing during the SDLC; Control what applications each user can test
3. Controlled, Web-based Report Distribution: Easily distribute reports; Control the access to information
4. Issue Management: Focus on fixing issues, not just finding issues
Multiple Report Levels
Dashboards
Report Pack Summaries
Detailed Reports
About this… Reports
Report Categories
Inventory Reports: Broken Links, Hosts, Pages, etc.
Security Reports: Application Security Issues, Infrastructure Security Issues, Remediation Tasks, Security Risk Assessment
Compliance Reports: Safe Harbour, Sarbanes-Oxley Act (SOX), Visa CISP, etc.
User Roles and Access Permissions
Security Manager
Pen Tester
Developer
Compliance Officer
AppScan Enterprise:
Control access to information
Assign user roles
Specify what applications a user can scan
Specify what types of tests a user can perform
What does AppScan Enterprise test for?
Network
Operating System
Applications
Database
Web Server
Web Server Configuration
Third-party Components
Web Applications
AppScan Enterprise
How does AppScan Enterprise work?
Traverses a web application
Approaches an application as a black box
Tests by sending modified HTTP requests
Thousands of tests for identifying hundreds of vulnerabilities
[Diagram: AppScan Enterprise sends HTTP Requests to, and receives HTTP Responses from, the Web Application (Web Servers, Application, Databases)]
AppScan Enterprise Architecture
[Diagram: Clients -> AppScan Enterprise -> Target Sites]
Terminology
Content Scan Job
Infrastructure Scan Job
Import Job
Report Pack
Dashboard
Folder
Jobs, Report Packs, Reports & Dashboards
[Diagram: Job 1 (Security Scan), Job 2 (Security Data Import), Job 3 (Security Scan) and Job 4 (Infrastructure Scan) feed the Global Scan Data; Reports drawn from the Global Scan Data are grouped into Report Pack 1, Report Pack 2 and Report Pack 3; Dashboard 1 and Dashboard 2 summarize the report packs]
Web-Based User Interface
Navigate to AppScan Enterprise, e.g.
http://aseserver/appscan
Enter your user name and password
Quick Scan vs. Advanced View
The UI mode is set in the user's properties
Quick Scan View
Makes it easier to create a scan by abstracting complexity
Leverages scan templates created by the administrator
Reduces the scan configuration time
Suitable for developers and QA specialists who create ad-hoc scans
Advanced View
Exposes all scan options
Suitable for administrators and advanced users