IBM AppScan Source - The SAST Solution
Vu Xuan Thuc <[email protected]>
Mobile Enterprise division, Vietsoftware International
IBM AppScan Solution - Vietsoftware International Inc.
Agenda
Understanding what AppScan Source is
AppScan Source components
Deployment models
Features and Tooling
Workflow
DEMO
Understanding what AppScan Source is
AppScan Source is a static application security testing (SAST) solution.
It scans application source code for security vulnerabilities such as
SQL injection, command injection, cross-site scripting and buffer overflow.
These vulnerabilities are exploitable weaknesses in code that lead to:
1. Loss of reputation
2. Loss of money
3. A breach or exposure of sensitive information
4. Business noncompliance
AppScan Source enables organizations to proactively identify and mitigate
security risk.
AppScan Source components
Editions: Source for Analysis, Source for Development, Source for Remediation,
Source for Automation
1. AppScan Source for Automation
Allows build teams to execute scans at build time.
Command line tooling and build tool plugins make the scans easy to automate.
Assessments are published and reported directly from the automation run.
AppScan Source components (Cont.)
2. AppScan Source for Development
Allows developers to run security scans from their IDE (plugins are supplied)
and to remediate the vulnerabilities found.
3. AppScan Source for Analysis
Allows security analysts to configure applications for SAST scanning and to
optimize the scan configuration to focus on vulnerable source code.
Analyze, isolate, and act on priority vulnerabilities.
Provides security analysts, QA managers, and development managers with fast
time-to-results.
AppScan Source components (Cont.)
AppScan Source Database
An out-of-the-box database that persists the AppScan Source Security
Knowledgebase data, assessment data, and the application/project inventory.
AppScan Source command line interface (CLI) client
Provides command line access to AppScan Source functions to enable
integration, automation, and scripting.
Build plugins
Plugins for Make, Ant, and Maven allow the configuration process to be
automated.
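The automation component runs scans at build time and publishes the results, which leaves the practical question of what the build should do with them. The Python below is an added example, not IBM's CLI, build plugin or assessment format: it gives each finding a fingerprint that survives line shifts between scans, diffs the new scan against the last published baseline, applies carried-over triage states (the promote/demote decisions an analyst makes in the Triage perspective) and returns a CI exit code. The finding layout, the triage state names and all sample data are constructed for illustration.

```python
import hashlib

# Constructed sample findings in a hypothetical, simplified export shape
# (not AppScan Source's own assessment format): one dict per finding.
def finding(rule, file, line, sink, severity, confidence):
    return {"rule": rule, "file": file, "line": line, "sink": sink,
            "severity": severity, "confidence": confidence}

BASELINE = [  # last published assessment
    finding("SQL Injection", "src/AccountDao.java", 40,
            'stmt.executeQuery("SELECT * FROM accounts WHERE name = \'" + name + "\'")', "High", "High"),
    finding("Cross-Site Scripting", "src/Profile.jsp", 12,
            'out.println(request.getParameter("nick"))', "High", "Medium"),
    finding("Command Injection", "src/Tools.java", 7,
            'Runtime.getRuntime().exec("ping " + host)', "High", "High"),
]
CURRENT = [   # this build's scan: AccountDao shifted three lines, Tools fixed, two new findings
    finding("SQL Injection", "src/AccountDao.java", 43,
            'stmt.executeQuery("SELECT * FROM accounts WHERE name = \'" + name + "\'")', "High", "High"),
    finding("Cross-Site Scripting", "src/Profile.jsp", 12,
            'out.println(request.getParameter("nick"))', "High", "Medium"),
    finding("Cross-Site Scripting", "src/Search.jsp", 21, "out.print(query)", "High", "High"),
    finding("Command Injection", "src/Backup.java", 88, 'pb.command("tar", archive)', "Low", "Low"),
]


def fingerprint(f):
    """Stable identity for a finding: rule + file + normalized sink expression.
    The line number is deliberately excluded so that edits above the sink do
    not turn an old finding into a 'new' one on the next scan."""
    sink = " ".join(f["sink"].split())
    return hashlib.sha256(f"{f['rule']}|{f['file']}|{sink}".encode()).hexdigest()[:16]


# Triage decisions carried over between scans, keyed by fingerprint
# ("demoted" = analyst marked it a false positive, "promoted" = analyst
# confirmed it even though the tool's confidence was not High). Hypothetical states.
TRIAGE = {fingerprint(BASELINE[1]): "demoted"}

SEVERITY_RANK = {"Low": 0, "Medium": 1, "High": 2}


def diff_findings(baseline, current):
    """Split the current scan into new, fixed (gone since baseline) and carried-over."""
    base = {fingerprint(f): f for f in baseline}
    cur = {fingerprint(f): f for f in current}
    new = [f for k, f in cur.items() if k not in base]
    fixed = [f for k, f in base.items() if k not in cur]
    carried = [f for k, f in cur.items() if k in base]
    return new, fixed, carried


def build_gate(findings, triage, min_severity="High", require_high_confidence=True):
    """Return the findings that should fail the build: at or above min_severity,
    high-confidence (or analyst-promoted), and not demoted by triage."""
    blocking = []
    for f in findings:
        state = triage.get(fingerprint(f))
        if state == "demoted":
            continue
        if SEVERITY_RANK[f["severity"]] < SEVERITY_RANK[min_severity]:
            continue
        if require_high_confidence and f["confidence"] != "High" and state != "promoted":
            continue
        blocking.append(f)
    return blocking


def run(baseline, current, triage):
    """Build-step entry point: report text plus the exit code for the CI job."""
    new, fixed, carried = diff_findings(baseline, current)
    blocking = build_gate(new, triage)     # gate only on findings introduced by this change
    report = [f"new: {len(new)}  fixed: {len(fixed)}  carried over: {len(carried)}"]
    for f in carried:
        report.append(f"carried  {f['rule']} at {f['file']}:{f['line']} ({triage.get(fingerprint(f), 'open')})")
    for f in blocking:
        report.append(f"BLOCKING {f['severity']}/{f['confidence']} {f['rule']} at {f['file']}:{f['line']}")
    return "\n".join(report), (1 if blocking else 0)


if __name__ == "__main__":
    text, code = run(BASELINE, CURRENT, TRIAGE)
    print(text)
    raise SystemExit(code)
```

Gating only on new findings keeps a noisy legacy backlog from blocking every build while still reporting the carried-over items; whether the backlog itself should block is a policy decision for the analyst, not the build script.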
AppScan Source Edition Products vs Roles
Standard desktop deployment
Used in a small organization, by a security analyst/auditor who performs
security assessments
No defect tracking system integration or build integration
All work is done under the AppScan Source administrative account; no LDAP
directory server integration
Small workgroup deployment
Used in small to medium-sized organizations
Separate accounts for the different roles: Administrator, Manager,
Security Analyst, Developer
Build automation server integration
Enterprise workgroup deployment
Integrates with a defect tracking system
Authentication through LDAP directory integration
AppScan Source Features and Tooling
Configuration perspective:
- Import existing applications from IDEs
- Configure AppScan Source applications and projects
- Scan code
- Create and manage applications, projects, and attributes
Triage perspective:
- View scan results to prioritize remediation workflow
- Organize findings
- Filter findings
- Promote, demote, and dispatch findings for remediation
Analysis perspective:
- Drill down to individual findings
- Track data flow visually through the source code (trace)
- Access contextual remediation assistance
- Generate Reports
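The trace the Analysis perspective exposes (attacker-controlled data followed from where it enters to the sink where it does damage) is what a SAST engine computes for the SQL injection and command injection classes listed at the start of the deck. The Python below is an added example, not part of the original slides and not AppScan Source's engine or knowledgebase: a minimal taint tracker over the Python AST that reports each finding with its source-to-sink trace. The source, sink and sanitizer names, and the sample handler it scans, are constructed for illustration.

```python
import ast
from dataclasses import dataclass

# Constructed taint model (not AppScan Source's knowledgebase): calls that introduce
# attacker data, sinks (vulnerability class, index of the dangerous argument), sanitizers.
SOURCES = {"request.args.get", "request.form.get", "input"}
SINKS = {"execute": ("SQL injection", 0),       # any <obj>.execute(sql, ...)
         "os.system": ("Command injection", 0)}
SANITIZERS = {"int", "float", "shlex.quote"}


def dotted(node):
    # 'a.b.c' for a Name/Attribute chain, None for any other expression
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


@dataclass
class Finding:
    kind: str
    sink_line: int
    trace: list          # [(line, step)] from the source to the sink


class TaintTracker(ast.NodeVisitor):
    # Flow-insensitive and intraprocedural: shows how a trace is built, not a real engine.
    def __init__(self):
        self.tainted = {}    # variable name -> trace that tainted it
        self.findings = []

    def taint_of(self, node):
        # Return the trace if the expression carries tainted data, else None.
        if isinstance(node, ast.Call):
            name = dotted(node.func)
            if name in SOURCES:
                return [(node.lineno, f"source {name}()")]
            if name in SANITIZERS:
                return None                      # sanitizer kills the taint
            for arg in node.args:                # other calls propagate it
                t = self.taint_of(arg)
                if t:
                    return t + [(node.lineno, f"passes through {name}()")]
        elif isinstance(node, ast.Name):
            return self.tainted.get(node.id)
        elif isinstance(node, ast.BinOp):        # "..." + user, "%s" % user
            return self.taint_of(node.left) or self.taint_of(node.right)
        return None

    def visit_Assign(self, node):
        t = self.taint_of(node.value)
        for target in node.targets:
            if isinstance(target, ast.Name):
                if t:
                    self.tainted[target.id] = t + [(node.lineno, f"assigned to {target.id}")]
                else:
                    self.tainted.pop(target.id, None)   # overwritten with clean data
        self.generic_visit(node)

    def visit_Call(self, node):
        name = dotted(node.func)
        if name not in SINKS and isinstance(node.func, ast.Attribute):
            name = node.func.attr                # match <anything>.execute(...)
        if name in SINKS:
            kind, idx = SINKS[name]
            t = self.taint_of(node.args[idx]) if idx < len(node.args) else None
            if t:
                self.findings.append(
                    Finding(kind, node.lineno, t + [(node.lineno, f"reaches sink {name}()")]))
        self.generic_visit(node)


def analyze(source):
    # Parse Python source and return the source-to-sink findings in the order found.
    tracker = TaintTracker()
    tracker.visit(ast.parse(source))
    return tracker.findings


def format_finding(finding, source):
    # Render one finding as the trace an analyst drills into.
    lines = source.splitlines()
    steps = [f"  line {ln:>2}: {step:<28} | {lines[ln - 1].strip()}" for ln, step in finding.trace]
    return "\n".join([f"{finding.kind} at line {finding.sink_line}:"] + steps)


# Constructed sample to scan (Flask-style handler, imports omitted; not real project code).
SAMPLE = """\
def lookup(conn):
    user = request.args.get("user")
    query = "SELECT * FROM accounts WHERE name = '" + user + "'"
    cur = conn.cursor()
    cur.execute(query)
    cur.execute("SELECT * FROM accounts WHERE name = ?", (user,))
    os.system("ping -c 1 " + request.args.get("host"))
    count = int(request.args.get("n"))
    cur.execute("SELECT * FROM log LIMIT " + str(count))
"""
```

Running `analyze(SAMPLE)` yields two findings: the concatenated query reaching `execute()` on line 5 (with the trace source, assigned to user, assigned to query, sink) and the `os.system()` call on line 7. The parameterized query on line 6 and the `int()`-sanitized value on line 9 produce nothing, which is exactly the distinction a triage analyst relies on the trace to confirm.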
Continuous Improvement Environment (cycle diagram)
Stages: CONFIGURE > SCAN > TRIAGE > ASSIGN > REMEDIATE > REPORT, repeating;
high-confidence findings are passed from triage to assignment and remediation.
Products on the diagram: AppScan Source for Analysis (configure, scan, triage);
AppScan Source for Development and for Automation (scan); AppScan Source for
Remediation and for Development (assign, remediate); AppScan Enterprise (report).
Security Analyst Workflow
Security professionals using AppScan Source for Analysis:
1. Receive a source code archive
2. Extract the code and import it into AppScan Source
3. Scan, resolving compilation issues (often many)
4. Triage scan results
5. Export or write a report
6. Deliver the report
7. Begin again with a new application
Total time: 2-3 weeks per application
• Applications are scanned once per year or less
• Minimal carry-over for subsequent scans
Developer Workflow
Any developer using AppScan Source for Development:
1. Click scan
2. Wait for the scan to complete
3. Triage scan results
4. Resolve vulnerabilities
5. Check code into the central repository
Total time: ½ - 1 day
• Developers cannot develop while scanning (a scan can take hours)
• Developers are not security experts
• The scan workflow interrupts agile workflows
Magic Quadrant for Application Security Testing
Neil MacDonald, Joseph Feiman, July 2, 2013
Gartner has recognized IBM as a leader in the Magic Quadrant for Application Security Testing (AST).
“The market for application security testing is changing rapidly. Technology trends, such as mobile applications, advanced Web applications and dynamic languages, are forcing the need to combine dynamic and static testing capabilities, which is reshaping the overall market.”
This Magic Quadrant graphic was published by Gartner, Inc. as part of a larger research note and should be evaluated in the context of the entire report. The link to the Gartner report is available upon request from IBM.
Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
Additional Information
Documents
EMA Impact Brief - IBM Security AppScan 8.7 Adds Support for iOS Mobile Apps
https://www14.software.ibm.com/webapp/iwm/web/signup.do?source=swg-WW_Security_Organic&S_PKG=ov14494&S_TACT=102PW29W
AppScan Source Data Sheet
http://public.dhe.ibm.com/common/ssi/ecm/en/rad14105usen/RAD14105USEN.PDF
AppScan Standard Data Sheet
http://public.dhe.ibm.com/common/ssi/ecm/en/rad14019usen/RAD14019USEN.PDF
AppScan Enterprise Data Sheet
ftp://public.dhe.ibm.com/common/ssi/ecm/en/rad14113usen/RAD14113USEN.PDF
Posts
2013 Gartner Application Security Testing MQ and the Evolution of Software Security
http://securityintelligence.com/2013-gartner-application-security-testing-mq-and-the-evolution-of-software-security/
Gartner Publishes 2013 Magic Quadrant for Application Security Testing (AST)
http://securityintelligence.com/gartner-magic-quadrant-for-application-security-testing-2013/
Podcasts
2013 Gartner Magic Quadrant for Application Security Testing
http://www.blogtalkradio.com/calebbarlow/2013/07/25/2013-gartner-magic-quadrant-for-application-security-testing
Application + Threat + Security intelligence = Priceless
http://www.blogtalkradio.com/calebbarlow/2012/08/13/threat-application-security-intelligence-priceless
Taking Application Security from the Whiteboard to Reality
http://www.blogtalkradio.com/calebbarlow/2012/06/11/taking-application-security-from-the-whiteboard-to-reality
Videos
Overview of IBM Security AppScan
http://www.youtube.com/watch?v=9R4IjZpKt8I
How College Board is Building Security into Application Development
http://www.youtube.com/watch?v=TtqhlcTnbg8
Building Better, More Secure Applications
http://www.youtube.com/watch?v=UcN2uUolgKk
Using Application Security Testing to Increase Deployment Speed
http://www.youtube.com/watch?v=VImy3ilYUSk
IBM Security AppScan 8.7 for iOS mobile application support
http://www.youtube.com/watch?v=I73tbAmJIGw
IBM Security AppScan 8.7 for iOS Applications
http://www.youtube.com/watch?v=egnEH-GGQEI
IBM Security AppScan: Analysis Perspective
http://www.youtube.com/watch?v=UZD53ZgV848
Smarter security for a smarter planet