Introduction to AppScan Enterprise

Post on 04-Jan-2017


IBM Software Group

© 2007 IBM Corporation

Introduction to AppScan Enterprise

Contents
- The Application Security Problem
- What is AppScan Enterprise?
- Main Features
- How does AppScan Enterprise work?
- Key Concepts and Terminology
- User Interface Tour

The Web Application Security Reality

Chart: security spending versus attacks, by layer

                    % of Attacks    % of Dollars
Web Applications        75%             10%
Network Server          25%             90%

Sources: Gartner, Watchfire

- 75% of all attacks on information security are directed to the web application layer
- 2/3 of all web applications are vulnerable

Web Application Security Challenges
1. Security Team Has Become a Bottleneck
2. Lack of Control and Visibility
3. Catching Problems Late in the Cycle
4. Not Monitoring Deployed Applications
5. Difficulty Managing 3rd Party Vendors

Web Application Security Evolution

Maturity ladder, from lowest to highest:
- Unaware
- Outsourced: Consultants, Pen Testing
- Tactical: Manual Efforts, Desktop Audit Tools, 2-3 Internal Security Experts
- Strategic: Enterprise-Wide Scalable Solution

Solving The Problem Requires a Strategic Approach

What is AppScan Enterprise?

Integrate Web Application Security in the SDLC (Security Team)
- SCALE: Reuse and Run Multiple Scans Across Applications
- INFORM: Push Reports to Developers, QA, and Non-Security Staff
- MONITOR: Manage Problem Resolution Through Trending Reports

AppScan Enterprise – Key Features & Benefits
1. Enterprise Metrics and Visibility
   - Increase visibility and better understand enterprise risks
2. Controlled, Web-based Application Testing
   - Enable Development and QA to perform testing during the SDLC
   - Control what applications each user can test
3. Controlled, Web-based Report Distribution
   - Easily distribute reports
   - Control the access to information
4. Issue Management
   - Focus on fixing issues, not just finding issues

Multiple Report Levels
- Dashboards
- Report Pack Summaries
- Detailed Reports
- About this… Reports

Report Categories
- Inventory Reports: Broken Links, Hosts, Pages, etc.
- Security Reports: Application Security Issues, Infrastructure Security Issues, Remediation Tasks, Security Risk Assessment
- Compliance Reports: Safe Harbour, Sarbanes-Oxley Act (SOX), Visa CISP, etc.

User Roles and Access Permissions

Roles: Security Manager, Pen Tester, Developer, Compliance Officer

AppScan Enterprise:
- Control access to information
- Assign user roles
- Specify what applications a user can scan
- Specify what types of tests a user can perform

What does AppScan Enterprise test for?

Diagram: the application stack (Network, Operating System, Applications, Database, Web Server, Web Server Configuration, Third-party Components, Web Applications) with AppScan Enterprise shown against the layers it tests.

How does AppScan Enterprise work?
- Traverses a web application
- Approaches an application as a black box
- Tests by sending modified HTTP requests
- Thousands of tests for identifying hundreds of vulnerabilities

Diagram: AppScan Enterprise exchanges HTTP Requests and HTTP Responses with the Web Application (Web Servers, Application, Databases).

AppScan Enterprise Architecture

Diagram: Clients → AppScan Enterprise → Target Sites

Terminology
- Content Scan Job
- Infrastructure Scan Job
- Import Job
- Report Pack
- Dashboard
- Folder

Jobs, Report Packs, Reports & Dashboards

Diagram of the data flow:
- Jobs: Job 1 (Security Scan), Job 2 (Security Data Import), Job 3 (Security Scan), Job 4 (Infrastructure Scan)
- Jobs feed Global Scan Data
- Global Scan Data feeds Reports: Report Pack 1, Report Pack 2, Report Pack 3
- Report Packs feed Dashboard 1 and Dashboard 2

Web-Based User Interface
- Navigate to AppScan Enterprise, e.g. http://aseserver/appscan
- Enter your user name and password

Quick Scan vs. Advanced View

The UI mode is set in the user's properties.

Quick Scan View:
- Makes it easier to create a scan by abstracting complexity
- Leverages scan templates created by the administrator
- Reduces the scan configuration time
- Suitable for developers and QA specialists who create ad-hoc scans

Advanced View:
- Exposes all scan options
- Suitable for administrators and advanced users
