Appscan Introduction
Transcript of Appscan Introduction
-
8/11/2019 Appscan Introduction
1/17
IBM Software Group
2007 IBM Corporation
Introduction to AppScan Enterprise
-
Contents
The Application Security Problem
What is AppScan Enterprise?
Main Features
How does AppScan Enterprise work?
Key Concepts and Terminology
User Interface Tour
-
The Web Application Security Reality
                     % of Attacks    % of Security Spending
Web Applications         75%                 10%
Network / Server         25%                 90%
Sources: Gartner, Watchfire
75% of all attacks on information security are directed to the web application layer
2/3 of all web applications are vulnerable
-
Web Application Security Challenges
1. Security Team Has Become a Bottleneck
2. Lack of Control and Visibility
3. Catching Problems Late in the Cycle
4. Not Monitoring Deployed Applications
5. Difficulty Managing 3rd Party Vendors
-
Web Application Security Evolution
Solving the problem requires a strategic approach
Unaware
Outsourced: consultants, pen testing
Tactical: manual efforts, desktop audit tools, 2-3 internal security experts
Strategic: enterprise-wide scalable solution
-
What is AppScan Enterprise?
The security team uses AppScan Enterprise to integrate web application security in the SDLC:
SCALE: reuse and run multiple scans across applications
INFORM: push reports to developers, QA, and non-security staff
MONITOR: manage problem resolution through trending reports
-
AppScan Enterprise Key Features & Benefits
1. Enterprise Metrics and Visibility
   Increase visibility and better understand enterprise risks
2. Controlled, Web-based Application Testing
   Enable Development and QA to perform testing during the SDLC
   Control what applications each user can test
3. Controlled, Web-based Report Distribution
   Easily distribute reports
   Control the access to information
4. Issue Management
   Focus on fixing issues, not just finding issues
-
Multiple Report Levels
Dashboards
Report Pack Summaries
Detailed Reports
-
Report Categories
Inventory Reports: Broken Links, Hosts, Pages, etc.
Security Reports: Application Security Issues, Infrastructure Security Issues, Remediation Tasks, Security Risk Assessment
Compliance Reports: Safe Harbour, Sarbanes-Oxley Act (SOX), Visa CISP, etc.
-
User Roles and Access Permissions
Roles: Security Manager, Pen Tester, Developer, Compliance Officer
AppScan Enterprise lets you:
Control access to information
Assign user roles
Specify what applications a user can scan
Specify what types of tests a user can perform
-
What does AppScan Enterprise test for?
(Diagram: the target stack, bottom to top: Network, Operating System, Applications, Database, Web Server, Web Server Configuration, Third-party Components, Web Applications, with AppScan Enterprise alongside it)
-
How does AppScan Enterprise work?
Approaches an application as a black box
Traverses the web application
Tests by sending modified HTTP requests
Thousands of tests for identifying hundreds of vulnerabilities
(Diagram: AppScan Enterprise exchanges HTTP requests and HTTP responses with the web application, which sits in front of the web servers, application and databases)
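As an added illustration of the black-box approach described on this slide (this is not AppScan's own code or an IBM artifact, and it does not reproduce AppScan's test library): a minimal crawl, mutate and inspect loop in Python. The target is a constructed in-process fake application so the example runs offline; its host name, paths, the two payloads and the two response checks are assumptions chosen for the example. Two tests stand in for the thousands a commercial scanner carries.

```python
# Added illustration (not AppScan code): a minimal black-box scanner that
# crawls a site, mutates query parameters and inspects the responses.
# The target below is a constructed, in-process fake application so the
# example runs offline; its paths and behaviour are assumptions.
from collections import deque
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlencode, urljoin, urlparse, urlunparse


def fake_app(url):
    """Constructed target. Returns (status, body) like an HTTP server would."""
    p = urlparse(url)
    qs = {k: v[0] for k, v in parse_qs(p.query).items()}
    if p.path == "/":
        return 200, ('<a href="/search?q=test">search</a> '
                     '<a href="/item?id=1">item</a> <a href="/about">about</a>')
    if p.path == "/search":
        # Echoes the parameter without encoding: a reflected XSS sink.
        return 200, "<p>Results for %s</p>" % qs.get("q", "")
    if p.path == "/item":
        ident = qs.get("id", "")
        if not ident.isdigit():
            # Leaks a database error on malformed input: a SQL injection hint.
            return 500, "Error: You have an error in your SQL syntax"
        return 200, "<p>Item %s</p> <a href='/'>home</a>" % ident
    if p.path == "/about":
        return 200, "<p>About</p>"
    return 404, "Not found"


class LinkExtractor(HTMLParser):
    """Collects href values of <a> tags; used to traverse the application."""
    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.links.append(value)


def crawl(fetch, start, max_pages=50):
    """Breadth-first traversal of same-host links. Returns {url: (status, body)}."""
    host = urlparse(start).netloc
    seen, queue, pages = set(), deque([start]), {}
    while queue and len(pages) < max_pages:
        url = queue.popleft()
        if url in seen:
            continue
        seen.add(url)
        status, body = fetch(url)
        pages[url] = (status, body)
        extractor = LinkExtractor()
        extractor.feed(body)
        for href in extractor.links:
            target = urljoin(url, href)
            if urlparse(target).netloc == host:   # stay in scope
                queue.append(target)
    return pages


def mutate(url, param, value):
    """Return the URL with one query parameter replaced by a test payload."""
    p = urlparse(url)
    qs = {k: v[0] for k, v in parse_qs(p.query).items()}
    qs[param] = value
    return urlunparse(p._replace(query=urlencode(qs)))


# Test library: (issue name, payload, response check).
TESTS = [
    ("Reflected XSS", "<ase'\"probe>",
     lambda status, body, payload: payload in body),          # echoed verbatim
    ("SQL error disclosure", "1'",
     lambda status, body, payload: "sql syntax" in body.lower()),
]


def scan(fetch, start):
    """Crawl, then send each test payload in every discovered query parameter."""
    findings = set()
    for url in crawl(fetch, start):
        p = urlparse(url)
        for param in parse_qs(p.query):
            for name, payload, check in TESTS:
                status, body = fetch(mutate(url, param, payload))
                if check(status, body, payload):
                    findings.add((name, p.path, param))
    return sorted(findings)


if __name__ == "__main__":
    for issue, path, param in scan(fake_app, "http://target.example/"):
        print("%-22s %s  parameter=%s" % (issue, path, param))
```

Against the constructed target the loop reports a reflected XSS in the q parameter of /search and a SQL error disclosure in the id parameter of /item. A real scanner also mutates form fields, cookies and headers, follows JavaScript-driven navigation, and keeps scan scope and rate under control; the crawler here only follows same-host anchor links and only rewrites GET parameters.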
-
AppScan Enterprise Architecture
(Diagram: Clients, AppScan Enterprise, Target Sites)
-
Terminology
Content Scan Job
Infrastructure Scan Job
Import Job
Report Pack
Dashboard
Folder
-
Jobs, Report Packs, Reports & Dashboards
(Diagram: Job 1 Security Scan, Job 2 Security Data Import, Job 3 Security Scan and Job 4 Infrastructure Scan all feed Global Scan Data; Report Pack 1, Report Pack 2 and Report Pack 3 draw their reports from that data; Dashboard 1 and Dashboard 2 roll up the report packs)
-
Web-Based User Interface
Navigate to AppScan Enterprise, e.g. http://aseserver/appscan
Enter your user name and password
-
Quick Scan vs. Advanced View
The UI mode is set in the user's properties.
Quick Scan View
Makes it easier to create a scan by abstracting complexity
Leverages scan templates created by the administrator
Reduces the scan configuration time
Suitable for developers and QA specialists who create ad-hoc scans
Advanced View
Exposes all scan options
Suitable for administrators and advanced users