IBM AppScan Source The SAST solution Vu Xuan Thuc <[email protected]> Mobile Enterprise division Vietsoftware International

Post on 23-Jul-2015


Page 1: IBM AppScan Source - The SAST solution

IBM AppScan Source
The SAST solution
Vu Xuan Thuc <[email protected]>
Mobile Enterprise division
Vietsoftware International

Page 2: IBM AppScan Source - The SAST solution

IBM AppScan Solution2 Vietsoftware International Inc.

Agenda

Understanding what AppScan Source is

AppScan Source components

Deployment models

Features and Tooling

Workflow

DEMO

Page 3: IBM AppScan Source - The SAST solution

Understanding what AppScan Source is

AppScan Source is a static application security testing (SAST) solution.

It scans application source code for security vulnerabilities such as SQL injection, command injection, cross-site scripting, and buffer overflow.

These vulnerabilities are exploitable weaknesses in code that lead to:

1. Loss of reputation
2. Loss of money
3. A breach or an exposure of sensitive information
4. Business noncompliance

AppScan Source enables organizations to proactively identify and mitigate security risk.

Page 4: IBM AppScan Source - The SAST solution

AppScan Source components

Source for Analysis, Source for Development, Source for Remediation, Source for Automation

1. AppScan Source for Automation

- Allows build teams to execute scans at build time
- Command line tooling and build tools allow for ease of automation
- Assessment publishing and reporting directly from automation

Page 5: IBM AppScan Source - The SAST solution

AppScan Source components (Cont.)

2. AppScan Source for Development

- Allows developers to perform security scans
- Plugins supplied for IDEs
- Remediate vulnerabilities

3. AppScan Source for Analysis

- Allows security analysts to configure applications for SAST scanning and optimize scan configuration to focus on vulnerable source code
- Analyze, isolate, and take action on priority vulnerabilities
- Provides security analysts, QA managers, and development managers with fast time-to-results

Page 6: IBM AppScan Source - The SAST solution

AppScan Source components (Cont.)

AppScan Source Database: an out-of-the-box database that persists the AppScan Source Security Knowledgebase data, assessment data, and application/project inventory.

AppScan Source command line interface (CLI) client: provides command line access to various AppScan Source functions to enable integration, automation, and scripting.

Plugins for Make, Ant, and Maven allow the configuration process to be automated.

Page 7: IBM AppScan Source - The SAST solution


AppScan Source Edition Products vs Roles

Page 8: IBM AppScan Source - The SAST solution


Agenda

Understanding what AppScan Source is

AppScan Source components

Deployment models

Features and Tooling

Workflow

DEMO

Page 9: IBM AppScan Source - The SAST solution


Standard desktop deployment

Page 10: IBM AppScan Source - The SAST solution

Standard desktop deployment (Cont.)

- Used in a small organization, for a security analyst/auditor who performs security assessments
- No defect tracking system integration or build integration
- Uses the AppScan Source administrative account, with no LDAP Directory Server integration

Page 11: IBM AppScan Source - The SAST solution


Small workgroup deployment

Page 12: IBM AppScan Source - The SAST solution

Small workgroup deployment (Cont.)

- Used in small to moderate organizations
- Dedicated to different roles: Administrator, Manager, Security Analyst, Developer
- Build automation server integration

Page 13: IBM AppScan Source - The SAST solution


Enterprise workgroup deployment

Page 14: IBM AppScan Source - The SAST solution

Enterprise workgroup deployment (Cont.)

- Integrates with a defect tracking system
- Authentication with LDAP integration

Page 15: IBM AppScan Source - The SAST solution


Agenda

Understanding what AppScan Source is

AppScan Source components

Deployment models

Features and Tooling

Workflow

DEMO

Page 16: IBM AppScan Source - The SAST solution

AppScan Source Features and Tooling

Configuration perspective:

- Import existing applications from IDEs
- Configure AppScan Source applications and projects
- Scan code
- Create and manage applications, projects, and attributes

Triage perspective:

- View scan results to prioritize the remediation workflow
- Organize findings
- Filter findings
- Promote, demote, and dispatch findings for remediation

Analysis perspective:

- Drill down to individual findings
- Track data flow visually through the source code (trace)
- Access contextual remediation assistance
- Generate reports
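As an added illustration of what the data-flow trace in the Analysis perspective shows, and of the vulnerability classes named earlier on the page (SQL injection, command injection), here is a small source-to-sink taint tracer written over Python's ast module. It is example code written for this page, not AppScan Source's engine or its Security Knowledgebase; the SOURCES and SINKS lists, the Finding structure, and the sample handlers are all assumptions constructed for the demo.

```python
import ast
from dataclasses import dataclass


# Constructed sample input (not from the page): one handler that builds SQL by
# concatenation and one that uses a parameterized query.
SAMPLE_SOURCE = '''
def lookup(request, cursor):
    name = request.args.get("name")
    query = "SELECT * FROM users WHERE name = '" + name + "'"
    cursor.execute(query)

def lookup_safe(request, cursor):
    name = request.args.get("name")
    cursor.execute("SELECT * FROM users WHERE name = %s", (name,))
'''

# Assumed source/sink lists for the demo; a real SAST tool ships a much larger
# knowledgebase of these.
SOURCES = {"request.args.get", "request.form.get", "input"}
SINKS = {"cursor.execute", "os.system", "subprocess.call"}


@dataclass
class Finding:
    function: str      # enclosing function name
    sink: str          # dotted name of the sink call
    line: int          # line of the sink call
    trace: list        # [(line, description), ...] from source to sink


def dotted_name(node):
    """Return 'a.b.c' for a Name/Attribute chain, or None for anything else."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = dotted_name(node.value)
        return f"{base}.{node.attr}" if base else None
    return None


class TaintTracer(ast.NodeVisitor):
    """Intra-procedural taint tracker: records how untrusted data reaches a sink."""

    def __init__(self):
        self.findings = []
        self.current_function = None
        self.tainted = {}  # variable name -> trace that made it tainted

    def visit_FunctionDef(self, node):
        self.current_function = node.name
        self.tainted = {}  # taint does not leak between functions in this toy model
        self.generic_visit(node)
        self.current_function = None

    def taint_of(self, expr):
        """Return the trace if expr carries untrusted data, else None."""
        if isinstance(expr, ast.Call) and dotted_name(expr.func) in SOURCES:
            return [(expr.lineno, f"source {dotted_name(expr.func)}()")]
        if isinstance(expr, ast.Name):
            return self.tainted.get(expr.id)
        if isinstance(expr, ast.BinOp):  # "..." + name propagates taint
            return self.taint_of(expr.left) or self.taint_of(expr.right)
        if isinstance(expr, ast.JoinedStr):  # f"...{name}..." propagates taint
            for part in expr.values:
                if isinstance(part, ast.FormattedValue):
                    trace = self.taint_of(part.value)
                    if trace:
                        return trace
        return None

    def visit_Assign(self, node):
        trace = self.taint_of(node.value)
        for target in node.targets:
            if isinstance(target, ast.Name):
                if trace:
                    self.tainted[target.id] = trace + [(node.lineno, f"assigned to {target.id}")]
                else:
                    self.tainted.pop(target.id, None)  # overwritten with clean data
        self.generic_visit(node)

    def visit_Call(self, node):
        name = dotted_name(node.func)
        if name in SINKS and node.args:
            trace = self.taint_of(node.args[0])  # only the first argument is checked
            if trace:
                self.findings.append(Finding(self.current_function, name, node.lineno,
                                             trace + [(node.lineno, f"sink {name}()")]))
        self.generic_visit(node)


def trace_taint(source_code):
    """Parse source_code and return the list of source-to-sink findings."""
    tracer = TaintTracer()
    tracer.visit(ast.parse(source_code))
    return tracer.findings


if __name__ == "__main__":
    for f in trace_taint(SAMPLE_SOURCE):
        print(f"{f.function}: tainted data reaches {f.sink} at line {f.line}")
        for line, step in f.trace:
            print(f"    line {line}: {step}")
```

Running the block reports one finding in lookup, with a trace of source at line 3, assigned to name, assigned to query at line 4, sink at line 5, and none in lookup_safe, because the parameterized call keeps the untrusted value out of the query text. The tracer is intra-procedural and knows no sanitizers; a production SAST engine follows data across calls and files, which is why scan configuration and triage of the resulting findings take the effort the workflow slides describe.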

Page 17: IBM AppScan Source - The SAST solution


Agenda

Understanding what AppScan Source is

AppScan Source components

Deployment models

Features and Tooling

Workflow

DEMO

Page 18: IBM AppScan Source - The SAST solution

Continuous Improvement Environment

[Slide diagram: a continuous-improvement cycle of CONFIGURE, SCAN, TRIAGE, ASSIGN, REMEDIATE and REPORT. Product labels on the diagram: AppScan Source (For Analysis; For Development; For Automation), AppScan Enterprise, AppScan Source (For Remediation; For Development), and AppScan Source (For Analysis); high-confidence findings flow between the stages.]

Page 19: IBM AppScan Source - The SAST solution

Security Analyst Workflow

Security Professionals using AppScan Source for Security:

1. Receive a source code archive
2. Extract code and import into AppScan Source
3. Scan, resolve compilation issues (often many)
4. Triage scan results
5. Export or write report
6. Deliver report
7. Begin again with a new application

Total time: 2-3 weeks / application

• Applications are scanned once per year or less
• Minimal carry-over for subsequent scans

Page 20: IBM AppScan Source - The SAST solution

Developer Workflow

Any developer using AppScan Source for Development:

1. Click scan
2. Wait for scan to complete
3. Triage scan results
4. Resolve vulnerabilities
5. Check code into central repository

Total Time: ½ - 1 day

• Developers cannot develop while scanning (can take hours)
• Developers are not security experts
• Scan workflow interrupts agile workflows

Page 21: IBM AppScan Source - The SAST solution


Agenda

Understanding what AppScan Source is

AppScan Source components

Deployment models

Features and Tooling

Workflow

DEMO

Page 22: IBM AppScan Source - The SAST solution

Gartner has recognized IBM as a leader in the Magic Quadrant for Application Security Testing (AST)

Magic Quadrant for Application Security Testing
Neil MacDonald, Joseph Feiman
July 2, 2013

“The market for application security testing is changing rapidly. Technology trends, such as mobile applications, advanced Web applications and dynamic languages, are forcing the need to combine dynamic and static testing capabilities, which is reshaping the overall market.”

This Magic Quadrant graphic was published by Gartner, Inc. as part of a larger research note and should be evaluated in the context of the entire report. The link to the Gartner report is available upon request from IBM.

Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

Page 23: IBM AppScan Source - The SAST solution


Additional Information Documents

EMA Impact Brief - IBM Security AppScan 8.7 Adds Support for iOS Mobile Apps

https://www14.software.ibm.com/webapp/iwm/web/signup.do?source=swg-WW_Security_Organic&S_PKG=ov14494&S_TACT=102PW29W

AppScan Source Data Sheet

http://public.dhe.ibm.com/common/ssi/ecm/en/rad14105usen/RAD14105USEN.PDF

AppScan Standard Data Sheet

http://public.dhe.ibm.com/common/ssi/ecm/en/rad14019usen/RAD14019USEN.PDF

AppScan Enterprise Data Sheet

ftp://public.dhe.ibm.com/common/ssi/ecm/en/rad14113usen/RAD14113USEN.PDF

Posts

2013 Gartner Application Security Testing MQ and the Evolution of Software Security

http://securityintelligence.com/2013-gartner-application-security-testing-mq-and-the-evolution-of-software-security/

Gartner Publishes 2013 Magic Quadrant for Application Security Testing (AST)

http://securityintelligence.com/gartner-magic-quadrant-for-application-security-testing-2013/

Podcasts

2013 Gartner Magic Quadrant for Application Security Testing

http://www.blogtalkradio.com/calebbarlow/2013/07/25/2013-gartner-magic-quadrant-for-application-security-testing

Application + Threat + Security intelligence = Priceless

http://www.blogtalkradio.com/calebbarlow/2012/08/13/threat-application-security-intelligence-priceless

Taking Application Security from the Whiteboard to Reality

http://www.blogtalkradio.com/calebbarlow/2012/06/11/taking-application-security-from-the-whiteboard-to-reality

Page 24: IBM AppScan Source - The SAST solution

Videos

Overview of IBM Security AppScan
http://www.youtube.com/watch?v=9R4IjZpKt8I

How College Board is Building Security into Application Development
http://www.youtube.com/watch?v=TtqhlcTnbg8

Building Better, More Secure Applications
http://www.youtube.com/watch?v=UcN2uUolgKk

Using Application Security Testing to Increase Deployment Speed
http://www.youtube.com/watch?v=VImy3ilYUSk

IBM Security AppScan 8.7 for iOS mobile application support
http://www.youtube.com/watch?v=I73tbAmJIGw

IBM Security AppScan 8.7 for iOS Applications
http://www.youtube.com/watch?v=egnEH-GGQEI

IBM Security AppScan: Analysis Perspective
http://www.youtube.com/watch?v=UZD53ZgV848

Page 25: IBM AppScan Source - The SAST solution


Smarter security for a smarter planet