IBM AppScan Standard - The Web Application Security Solution
IBM AppScan Standard - The Web Application Security Solution
Thuc X. Vu <[email protected]>
Researcher, founder of IoT and Data processing Labs
Vietsoftware International Inc.
Website: http://labsofthings.com/
IBM AppScan Solution2 Vietsoftware International Inc.
Agenda
Web Application Security risks
What is IBM AppScan Standard?
Features
Scenarios
Workflow
Screenshots and DEMO
The OWASP Top 10 list 2013

Application Threat                                | Negative Impact                                                                          | Example Impact
--------------------------------------------------|------------------------------------------------------------------------------------------|------------------------------------------------------------------------------
Cross Site Scripting                              | Identity Theft, Sensitive Information Leakage, …                                         | Hackers can impersonate legitimate users, and control their accounts.
Injection Flaws                                   | Attacker can manipulate queries to the DB / LDAP / Other system                          | Hackers can access backend database information, alter it or steal it.
Malicious File Execution                          | Execute shell commands on server, up to full control                                     | Site modified to transfer all interactions to the hacker.
Insecure Direct Object Reference                  | Attacker can access sensitive files and resources                                        | Web application returns contents of sensitive file (instead of harmless one)
Cross-Site Request Forgery                        | Attacker can invoke “blind” actions on web applications, impersonating as a trusted user | Blind requests to bank account transfer money to hacker
Information Leakage and Improper Error Handling   | Attackers can gain detailed system information                                           | Malicious system reconnaissance may assist in developing further attacks
Broken Authentication & Session Management        | Session tokens not guarded or invalidated properly                                       | Hacker can “force” session token on victim; session tokens can be stolen after logout
Insecure Cryptographic Storage                    | Weak encryption techniques may lead to broken encryption                                 | Confidential information (SSN, Credit Cards) can be decrypted by malicious users
Insecure Communications                           | Sensitive info sent unencrypted over insecure channel                                    | Unencrypted credentials “sniffed” and used by hacker to impersonate user
Failure to Restrict URL Access                    | Hacker can access unauthorized resources                                                 | Hacker can forcefully browse and access a page past the login page
What is AppScan Standard?
Is a security vulnerability testing tool for web applications and web services
Features the most advanced testing methods
How does AppScan work?
Approaches an application as a black-box
Traverses a web application and builds the site model
Determines the attack vectors based on the selected Test policy
Tests by sending modified HTTP requests to the application and examining the HTTP response according to validation rules
Diagram: AppScan sends an HTTP Request to the Web Application and examines the HTTP Response
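The slide describes the classic black-box (DAST) loop: build a site model, pick tests from a policy, send a modified request per parameter, and judge the response against a validation rule. The following Python sketch is an added illustration of that loop, not AppScan code; the target application, the site model, the marker value and the two rules are all constructed for the example so it runs offline. A baseline (unmodified) request per entry point is included because comparing against it is what keeps an application that always errors from being reported as vulnerable.

```python
import html
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

Response = Tuple[int, str]  # (HTTP status, response body)


# --- Constructed stand-in for the target web application --------------------
# Three handlers with deliberate, clearly labelled defects so the scan loop has
# something to find; a real scan would speak HTTP to a live application.
def target_app(method: str, path: str, params: Dict[str, str]) -> Response:
    if path == "/search":                       # reflects 'q' without escaping
        return 200, f"<p>Results for {params.get('q', '')}</p>"
    if path == "/greet":                        # escapes 'name' correctly
        return 200, f"<p>Hello {html.escape(params.get('name', ''))}</p>"
    if path == "/item":                         # leaks a database error on bad input
        if not params.get("id", "").isdigit():
            return 500, "SQLSTATE[42000]: Syntax error in query"
        return 200, "<p>item 42</p>"
    return 404, "not found"


# --- Site model: what the explore/crawl phase would have produced -----------
@dataclass(frozen=True)
class EntryPoint:
    method: str
    path: str
    params: Dict[str, str]      # parameter name -> benign value seen during explore


SITE_MODEL = [
    EntryPoint("GET", "/search", {"q": "books"}),
    EntryPoint("GET", "/greet", {"name": "alice"}),
    EntryPoint("GET", "/item", {"id": "42"}),
]


# --- Test policy: each test is a probe value plus a validation rule ---------
@dataclass(frozen=True)
class TestRule:
    issue: str
    probe: str
    # (mutated response, baseline response, probe) -> issue present?
    validate: Callable[[Response, Response, str], bool]


MARKER = "<zz-probe-7f3a>"      # harmless unique marker; only its raw echo matters
DB_ERROR = re.compile(r"SQLSTATE|ODBC|syntax error", re.IGNORECASE)

TEST_POLICY = [
    TestRule("Reflected Cross-Site Scripting", MARKER,
             lambda resp, base, probe: probe in resp[1] and probe not in base[1]),
    TestRule("Information Leakage and Improper Error Handling", "42'",
             lambda resp, base, probe: base[0] < 500
             and (resp[0] >= 500 or bool(DB_ERROR.search(resp[1])))),
]


def scan(site_model, policy, send) -> List[Tuple[str, str, str]]:
    """Black-box loop: for every entry point and parameter, send each probe and
    judge the response against the rule, relative to a baseline request."""
    findings = []
    for ep in site_model:
        baseline = send(ep.method, ep.path, dict(ep.params))
        for name in ep.params:
            for rule in policy:
                mutated = {**ep.params, name: rule.probe}   # one parameter at a time
                response = send(ep.method, ep.path, mutated)
                if rule.validate(response, baseline, rule.probe):
                    findings.append((rule.issue, ep.path, name))
    return findings


if __name__ == "__main__":
    for issue, path, param in scan(SITE_MODEL, TEST_POLICY, target_app):
        print(f"{issue}: {path} parameter '{param}'")
```

Running it reports the unescaped reflection on /search and the verbose error on /item, while /greet, which escapes its input, is not flagged. The same structure scales to a real policy: the site model comes from the crawl, each rule carries its own probe and validation logic, and the baseline comparison is the first guard against false positives.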
Hybrid Technology Scan for AppScan Standard
Employs three distinct testing techniques:
Dynamic Analysis (“black-box scanning”): testing and evaluating application responses during run-time
Static Analysis (“white-box scanning”): analyzes JavaScript code in the context of the full web page
Interactive Analysis (“glass box scanning”): interacts with a dedicated glass-box agent which resides on the web server itself
Main Features
Manual Explore
Full scan
Manage issues
Report
Integrations
Architecture
Architecture diagram: the Black-box Scanner talks to the Target web app over HTTP(S); the Glass box Component consists of Agent(s) on the Target Server, the Glass box Engine and its Rules, and Control & Reporting back to the scanner.
Workflow
User Interface Tour
Configure
User Interface Tour
Manual Explore
Using browser
Using external device
User Interface Tour
Manage Issue
User Interface Tour
Report
Security
Industry Standard
Regulatory Compliance
Delta Analysis
Integration
AppScan Enterprise
Rational ClearQuest
HP Quality Center
Integration
Publish result to Enterprise
Credits
Implemented IBM AppScan for customers in Vietnam:
Vietcombank; VietinBank; Vietnam Customs
Some presentations on Enterprise Mobile Solution, IoT, Security, payment at
http://www.slideshare.net/papaiking/
Smarter security for a smarter planet