IBM AppScan - the total software security solution


Transcript of IBM AppScan - the total software security solution

Page 1: IBM AppScan - the total software security solution

IBM AppScan: The total security solution

Thuc X. Vu <[email protected]>

Researcher, founder of IoT and Data Processing Labs, Vietsoftware International Inc. Website: http://labsofthings.com/

Page 2: IBM AppScan - the total software security solution

IBM AppScan Solution2 Vietsoftware International Inc.

Agenda

Introduction to security

Best Practices for Application Security

IBM AppScan security solution

DEMO

Page 3: IBM AppScan - the total software security solution


Introduction to security

Info Security Landscape

(Diagram: the protection in place at each layer, from the desktop to the web application tier.)
• Desktop: antivirus protection
• Transport: encryption (SSL)
• Network: firewalls / IDS / IPS
• Web applications: firewall, web servers, application servers, databases, backend server

Page 4: IBM AppScan - the total software security solution


Hackers Exploit Unintended Functionality to Attack Apps

(Diagram: two overlapping circles, "Intended Functionality" and "Actual Functionality"; the part of the actual functionality that lies outside what was intended is the "Unintended Functionality" that attackers exploit.)

Page 5: IBM AppScan - the total software security solution


01/01/2006 union select userid,null,username+','+password,null from users--

Application responds with user names and passwords of other account holders!

Page 6: IBM AppScan - the total software security solution


The OWASP Top 10

Application Threat | Negative Impact | Example Impact
Cross-Site Scripting | Identity theft, sensitive information leakage, ... | Hackers can impersonate legitimate users and control their accounts.
Injection Flaws | Attacker can manipulate queries to the DB / LDAP / other systems | Hackers can access backend database information, alter it or steal it.
Malicious File Execution | Execute shell commands on the server, up to full control | Site modified to transfer all interactions to the hacker.
Insecure Direct Object Reference | Attacker can access sensitive files and resources | Web application returns the contents of a sensitive file (instead of a harmless one).
Cross-Site Request Forgery | Attacker can invoke "blind" actions on web applications, impersonating a trusted user | Blind requests to a bank account transfer money to the hacker.
Information Leakage and Improper Error Handling | Attackers can gain detailed system information | Malicious system reconnaissance may assist in developing further attacks.
Broken Authentication & Session Management | Session tokens not guarded or invalidated properly | Hacker can "force" a session token on a victim; session tokens can be stolen after logout.
Insecure Cryptographic Storage | Weak encryption techniques may lead to broken encryption | Confidential information (SSN, credit cards) can be decrypted by malicious users.
Insecure Communications | Sensitive info sent unencrypted over an insecure channel | Unencrypted credentials "sniffed" and used by the hacker to impersonate the user.
Failure to Restrict URL Access | Hacker can access unauthorized resources | Hacker can forcefully browse and access a page past the login page.

Page 7: IBM AppScan - the total software security solution


2013 Web Application Vulnerabilities Found Trend

Page 8: IBM AppScan - the total software security solution


Agenda

Introduction to security

Best Practices for Application Security

IBM AppScan security solution

DEMO

Page 9: IBM AppScan - the total software security solution


Building Security Into the Development Process

*Graphics from OWASP.com

Define/Design
• Security requirements, architecture, threat modeling, etc.

Development
• Test apps for security issues in Development, identifying issues at their earliest point
• Realize optimum security testing efficiencies (cost reduction)

Test
• Test apps for security issues in the QA organization along with performance and functional testing
• Reduce costs of security testing

Deploy
• Test apps before going to production
• Deploy secure web applications

Production
• Test existing deployed apps
• Eliminate security exposure in live applications

Page 10: IBM AppScan - the total software security solution


Security Testing Within the Software Lifecycle

(Diagram: the SDLC phases Coding, Build, QA, Security and Production drawn left to right, with "Developers" labelled against the early phases and an arrow labelled "Application Security Testing Maturity" running across all of them.)

Page 11: IBM AppScan - the total software security solution


Agenda

Introduction to security

Best Practices for Application Security

IBM AppScan security solution

DEMO

Page 12: IBM AppScan - the total software security solution


Types of analysis method

• Static analysis: an approach for verifying software (including finding defects) without executing it
  – Source code vulnerability scanning tools, code inspections, etc.
• Dynamic analysis: an approach for verifying software (including finding defects) by executing it on specific inputs and checking the results against an "oracle"
  – Functional testing, web application scanners, fuzz testing, etc.
• Hybrid analysis: combines the above approaches

Page 13: IBM AppScan - the total software security solution


Application Security Testing

(Diagram: the AppScan platform laid across the SDLC phases CODING, BUILD, QA, SECURITY and PRODUCTION.)

Audience: development teams, security teams, penetration testers

Governance & Collaboration
• Training: application security & product (instructor led, self paced; classroom & web based)
• Test policies, test templates and access control
• Dashboards, detailed reports & trending
• Manage regulatory requirements such as DIACAP, PCI, GLBA and HIPAA (40+ out-of-the-box compliance reports)

Scanning Techniques
• Static analysis (white box): source code vulnerabilities & code quality risks; data & call flow analysis tracks tainted data
• Dynamic analysis (black box): live web application; web crawling & manual testing
• Hybrid glass box analysis

Applications
• Web applications and web services: Web 2.0 / HTML5, AJAX, JavaScript, Adobe Flash & Flex
• Mobile applications: iPhone Objective-C, Android Java
• Purchased applications
• Programming languages: C#, ASP.NET, VB.NET, Classic ASP, ColdFusion, VB6, VBScript, HTML, PHP, Perl, PL/SQL, T-SQL, client-side JavaScript, server-side JavaScript, Java/Android, JSP, C, C++, COBOL, SAP ABAP

Integrated
• Build systems improve scan efficiencies (Rational Build Forge, Rational Team Concert, Hudson, Maven)
• Defect tracking systems track remediation (Rational Team Concert, Rational ClearQuest, HP QC, MS Team Foundation Server)
• IDEs provide remediation assistance (RAD, Rational Team Concert, Eclipse, Visual Studio)
• Security intelligence raises the threat level (SiteProtector, QRadar, Guardium)

Page 14: IBM AppScan - the total software security solution


IBM AppScan security solution

1. IBM AppScan Source
2. IBM AppScan Standard
3. IBM AppScan Enterprise

All work within the Software Lifecycle

Page 15: IBM AppScan - the total software security solution


AppScan Source for SAST

AppScan Source is a static application security testing (SAST) solution.
- Scans application source code for security vulnerabilities
  • SQL injection, command injection, cross-site scripting, buffer overflow
- These vulnerabilities are exploitable weaknesses in code that lead to:
  • Loss of reputation
  • Loss of money
  • A breach or an exposure of sensitive information
  • Business noncompliance

AppScan Source enables organizations to proactively identify and mitigate security risk.

There are four distinct AppScan Source components:
- AppScan Source for Remediation
- AppScan Source for Development
- AppScan Source for Automation
- AppScan Source for Analysis
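As an added illustration of what the static analysis described under "Types of analysis method" does when it tracks tainted data from source code to a sink, the toy analyzer below (written for this page, not AppScan Source's engine) walks a Python module's syntax tree, treats anything read from an assumed `request` object as user-controlled, and reports a SQL injection finding only when that data is concatenated into the query text handed to `execute()`, not when it is bound as a parameter. The two sample handlers are constructed for the example.

```python
import ast

SOURCES = {"request"}   # assumption: user input enters through a `request` object
SINK = "execute"        # assumption: DB-API style cursor.execute(sql, params)

def scan(source_code):
    """Toy flow-insensitive taint tracker. Returns [(line, message), ...]
    for every sink call whose SQL text may contain user-controlled data."""
    tree = ast.parse(source_code)
    tainted = set()   # names that may hold user-controlled data
    def is_tainted(node):
        if isinstance(node, ast.Name):
            return node.id in tainted or node.id in SOURCES
        if isinstance(node, (ast.Attribute, ast.Subscript)):
            return is_tainted(node.value)
        if isinstance(node, ast.BinOp):        # "..." + x  or  "..." % x
            return is_tainted(node.left) or is_tainted(node.right)
        if isinstance(node, ast.Call):         # "...".format(x), request.args.get(...)
            return is_tainted(node.func) or any(map(is_tainted, node.args))
        return False

    # Pass 1: propagate taint through assignments until nothing new is tainted.
    changed = True
    while changed:
        changed = False
        for node in ast.walk(tree):
            if isinstance(node, ast.Assign) and is_tainted(node.value):
                for target in node.targets:
                    if isinstance(target, ast.Name) and target.id not in tainted:
                        tainted.add(target.id)
                        changed = True

    # Pass 2: only the SQL text (first argument) is the sink; bound parameters are safe.
    return [(node.lineno, "SQL injection: tainted data reaches execute()")
            for node in ast.walk(tree)
            if isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == SINK and node.args and is_tainted(node.args[0])]
# Constructed samples: the same lookup with string concatenation and with a bound parameter.
VULNERABLE = '''
def lookup(request, cursor):
    uid = request.args.get("id")
    sql = "select * from users where id = '" + uid + "'"
    cursor.execute(sql)
'''
SAFE = '''
def lookup(request, cursor):
    uid = request.args.get("id")
    cursor.execute("select * from users where id = ?", (uid,))
'''
```

`scan(VULNERABLE)` reports the `execute()` line because taint flows `request` -> `uid` -> `sql`; `scan(SAFE)` reports nothing because the same `uid` only appears in the parameter tuple.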

Page 16: IBM AppScan - the total software security solution


AppScan Source SAST Lifecycle

(Diagram: a cycle of six stages, CONFIGURE > SCAN > TRIAGE > ASSIGN > REMEDIATE > REPORT. The components placed on the diagram are AppScan Source for Analysis (configure, triage and report), AppScan Source for Development and for Automation (scan), AppScan Source for Remediation and for Development (remediate), and AppScan Enterprise (assign). Triage works on high-confidence findings.)

Page 17: IBM AppScan - the total software security solution


What is AppScan Standard?

AppScan Standard is a security vulnerability testing tool for web applications and web services. It features the most advanced testing methods.

Page 18: IBM AppScan - the total software security solution


Scan Technologies for AppScan Standard

AppScan Standard employs three distinct testing techniques:
• Dynamic analysis ("black-box scanning"): testing and evaluating application responses at run time
• Static analysis ("white-box scanning"): analyzes JavaScript code in the context of the full web page
• Interactive analysis ("glass box scanning"): interacts with a dedicated glass-box agent which resides on the web server itself
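As an added illustration (written for this page, not IBM's glass-box agent) of what an agent residing on the server can observe that a black-box scan cannot, the wrapper below sits between the application and a real SQLite cursor and records any statement whose SQL text contains the marker value the scanner sent as input, which means the input was concatenated into the query rather than bound as a parameter. The handlers, the marker and the in-memory database are constructed for the example; both handlers return the same empty result for the marker, so the response alone does not reveal the flaw.

```python
import sqlite3

CANARY = "gbx7Q"   # constructed marker that the "scanner" sends as its test input

class GlassBoxCursor:
    """In-process agent: wraps a real DB-API cursor and records every
    statement whose SQL text embeds the scanner's marker verbatim."""
    def __init__(self, real_cursor):
        self._cursor = real_cursor
        self.findings = []   # SQL strings in which input reached the query text

    def execute(self, sql, params=()):
        if CANARY in sql:    # marker in the text, not in params: injection path
            self.findings.append(sql)
        return self._cursor.execute(sql, params)

    def fetchall(self):
        return self._cursor.fetchall()

# Constructed application code: the same lookup written two ways.
def vulnerable_lookup(cursor, uid):
    cursor.execute("select name from users where id = '" + uid + "'")
    return cursor.fetchall()

def safe_lookup(cursor, uid):
    cursor.execute("select name from users where id = ?", (uid,))
    return cursor.fetchall()

def run_probe(handler):
    """Black-box side: call the handler with the marker as input, then read
    what the glass-box agent saw on the server side."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table users (id text, name text)")
    conn.execute("insert into users values ('1', 'alice')")
    agent = GlassBoxCursor(conn.cursor())
    handler(agent, CANARY)            # the HTTP-level response would look identical
    conn.close()
    return agent.findings
```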

Page 19: IBM AppScan - the total software security solution


Workflow for AppScan Standard

Page 20: IBM AppScan - the total software security solution


What is AppScan Enterprise?

(Diagram: AppScan Enterprise at the centre, used by the security team to integrate web application security into the SDLC.)
• SCALE: reuse and run multiple scans across applications
• MONITOR: manage problem resolution through trending reports
• INFORM: push reports to developers, QA, and non-security staff

Page 21: IBM AppScan - the total software security solution


DEMO – Test Site And Project (Altoro Mutual)

URL: http://demo.testfire.net Account: jsmith / demo1234

Page 22: IBM AppScan - the total software security solution


Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

Magic Quadrant for Application Security Testing, Neil MacDonald, Joseph Feiman, July 2, 2013

This Magic Quadrant graphic was published by Gartner, Inc. as part of a larger research note and should be evaluated in the context of the entire report. The link to the Gartner report is available upon request from IBM.

“The market for application security testing is changing rapidly. Technology trends, such as mobile applications, advanced Web applications and dynamic languages, are forcing the need to combine dynamic and static testing capabilities, which is reshaping the overall market.”

Gartner has recognized IBM as a leader in the Magic Quadrant for Application Security Testing (AST)

Page 23: IBM AppScan - the total software security solution


Additional Information

Documents

EMA Impact Brief - IBM Security AppScan 8.7 Adds Support for iOS Mobile Apps: https://www14.software.ibm.com/webapp/iwm/web/signup.do?source=swg-WW_Security_Organic&S_PKG=ov14494&S_TACT=102PW29W

AppScan Source Data Sheet: http://public.dhe.ibm.com/common/ssi/ecm/en/rad14105usen/RAD14105USEN.PDF

AppScan Standard Data Sheet: http://public.dhe.ibm.com/common/ssi/ecm/en/rad14019usen/RAD14019USEN.PDF

AppScan Enterprise Data Sheet: ftp://public.dhe.ibm.com/common/ssi/ecm/en/rad14113usen/RAD14113USEN.PDF

Posts

2013 Gartner Application Security Testing MQ and the Evolution of Software Security: http://securityintelligence.com/2013-gartner-application-security-testing-mq-and-the-evolution-of-software-security/

Gartner Publishes 2013 Magic Quadrant for Application Security Testing (AST): http://securityintelligence.com/gartner-magic-quadrant-for-application-security-testing-2013/

Podcasts

2013 Gartner Magic Quadrant for Application Security Testing http://www.blogtalkradio.com/calebbarlow/2013/07/25/2013-gartner-magic-quadrant-for-application-security-testing

Application + Threat + Security intelligence = Priceless http://www.blogtalkradio.com/calebbarlow/2012/08/13/threat-application-security-intelligence-priceless

Taking Application Security from the Whiteboard to Reality http://www.blogtalkradio.com/calebbarlow/2012/06/11/taking-application-security-from-the-whiteboard-to-reality

Page 24: IBM AppScan - the total software security solution


Videos

Overview of IBM Security AppScan: http://www.youtube.com/watch?v=9R4IjZpKt8I

How College Board is Building Security into Application Development: http://www.youtube.com/watch?v=TtqhlcTnbg8

Building Better, More Secure Applications: http://www.youtube.com/watch?v=UcN2uUolgKk

Using Application Security Testing to Increase Deployment Speed: http://www.youtube.com/watch?v=VImy3ilYUSk

IBM Security AppScan 8.7 for iOS mobile application support: http://www.youtube.com/watch?v=I73tbAmJIGw

IBM Security AppScan 8.7 for iOS Applications: http://www.youtube.com/watch?v=egnEH-GGQEI

IBM Security AppScan: Analysis Perspective: http://www.youtube.com/watch?v=UZD53ZgV848

Page 25: IBM AppScan - the total software security solution


Credits

Implemented IBM AppScan for customers in Vietnam: Vietcombank, VietinBank, Vietnam Customs

Some presentations on Enterprise Mobile Solution, Security and E-Commerce are at http://www.slideshare.net/papaiking/

Page 26: IBM AppScan - the total software security solution


Smarter security for a smarter planet