IBM AppScan Source: The SAST solution
Business and Solutions Consulting, E-SPIN Group of Companies (E-SPIN Sdn Bhd, E-SPIN International Pte Ltd, E-SPIN International Limited)
IBM AppScan Solution2
Agenda
Understanding what AppScan Source is
AppScan Source components
Deployment models
Features and Tooling
Workflow
DEMO
Understanding what AppScan Source is
AppScan Source is a static application security testing
(SAST) solution.
Scans application source code for security vulnerabilities such as SQL injection, command injection, cross-site scripting, and buffer overflows.
These vulnerabilities are exploitable weaknesses in code that lead to:
1. Loss of reputation
2. Loss of money
3. A breach or an exposure of sensitive information
4. Business noncompliance
AppScan Source enables organizations to proactively
identify and mitigate security risk.
AppScan Source components
Four editions: Source for Analysis, Source for Development, Source for Remediation, and Source for Automation.
1. AppScan Source for Automation
Allows build teams to run scans at build time
Command-line tooling and build-tool integration make automation straightforward
Assessments can be published and reports generated directly from the automation
AppScan Source components (Cont.)
2. AppScan Source for Development
Allows developers to run security scans themselves
Plugins supplied for the IDE
Remediate vulnerabilities
3. AppScan Source for Analysis
Allows security analysts to configure applications for SAST scanning and to tune the scan configuration to focus on vulnerable source code
Analyze, isolate, and take action on priority vulnerabilities
Provides security analysts, QA managers, and development managers with fast time-to-results
AppScan Source components (Cont.)
AppScan Source Database: an out-of-the-box database that persists the AppScan Source Security Knowledgebase data, assessment data, and the application/project inventory.
AppScan Source command line interface (CLI) client: provides command line access to various AppScan Source functions to enable integration, automation, and scripting.
Build plugins: plugins for Make, Ant, and Maven allow the configuration process to be automated.
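A build-time scan is only useful if something decides whether the build may proceed. The following is an added example, not code from AppScan Source or IBM: it assumes the scan has already run in the build and that findings were exported as a CSV with the columns severity, vulnerability_type, file and line (a hypothetical layout chosen for illustration; the real export format will differ, so adapt parse_findings()). It fails the build only on high-severity findings that are new relative to a baseline from the previous build, so findings that are already known and being tracked do not break every build.

```python
"""Build gate over an exported SAST findings file.

Added example, not AppScan Source code. The CSV layout (severity,
vulnerability_type, file, line) and both sample exports are constructed
for illustration; adapt parse_findings() to the scanner's real export.
"""
import csv
import io
import sys
from collections import Counter

# Constructed export from the current build (not real scan output).
CURRENT_EXPORT = """severity,vulnerability_type,file,line
High,SQL Injection,src/web/Login.java,88
High,Command Injection,src/util/Shell.java,41
Medium,Cross-Site Scripting,src/web/Profile.java,120
Low,Information Leakage,src/web/Error.java,17
"""

# Constructed baseline from the previous build; the SQL injection was already
# found and is being tracked, so it should not fail this build again.
BASELINE_EXPORT = """severity,vulnerability_type,file,line
High,SQL Injection,src/web/Login.java,86
"""

SEVERITY_RANK = {"Low": 1, "Medium": 2, "High": 3}


def parse_findings(text):
    """Parse a CSV export into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def count_by_severity(findings):
    """Tally findings per severity label."""
    return Counter(f["severity"] for f in findings)


def fingerprint(finding):
    """Key used to match a finding across builds.

    Line numbers drift as code is edited, so they are deliberately left out;
    type plus file is coarse but stable enough for a toy baseline.
    """
    return (finding["vulnerability_type"], finding["file"])


def new_findings(current, baseline):
    """Findings in the current export whose fingerprint is absent from the baseline."""
    known = {fingerprint(f) for f in baseline}
    return [f for f in current if fingerprint(f) not in known]


def gate(findings, fail_on="High", max_allowed=0):
    """Return (passed, offending): offending holds findings at or above fail_on severity."""
    threshold = SEVERITY_RANK[fail_on]
    offending = [f for f in findings
                 if SEVERITY_RANK.get(f["severity"], 0) >= threshold]
    return len(offending) <= max_allowed, offending


def main():
    current = parse_findings(CURRENT_EXPORT)
    baseline = parse_findings(BASELINE_EXPORT)
    print("findings by severity:", dict(count_by_severity(current)))
    fresh = new_findings(current, baseline)
    passed, offending = gate(fresh)
    for f in offending:
        print(f"NEW {f['severity']}: {f['vulnerability_type']} at {f['file']}:{f['line']}")
    print("build", "PASSED" if passed else "FAILED")
    return 0 if passed else 1


if __name__ == "__main__":
    sys.exit(main())
```

Run as the last step of the build after the scanner has exported its findings; a non-zero exit code fails the build. Gating on new findings rather than the full list is what keeps the gate from being switched off the first time it is run against an application with a backlog.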
AppScan Source Edition Products vs Roles
Standard desktop deployment
Standard desktop deployment (Cont.)
Used in a small organization, by a security analyst/auditor who performs security assessments
No defect tracking system integration or build integration
Uses the AppScan Source administrative account, with no LDAP Directory Server integration
Small workgroup deployment
Small workgroup deployment (Cont.)
Used in small to mid-sized organizations
Dedicated users for the different roles: Administrator, Manager, Security Analyst, Developer
Build automation server integration
Enterprise workgroup deployment
Enterprise workgroup deployment (Cont.)
Integrates with a defect tracking system
Authenticates users through LDAP integration
AppScan Source Features and Tooling
Configuration perspective:
- Import existing applications from IDEs
- Configure AppScan Source applications and projects
- Scan code
- Create and manage applications, projects, and attributes
Triage perspective:
- View scan results to prioritize the remediation workflow
- Organize findings
- Filter findings
- Promote, demote, and dispatch findings for remediation
Analysis perspective:
- Drill down to individual findings
- Track data flow visually through the source code (trace)
- Access contextual remediation assistance
- Generate reports
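The trace shown in the Analysis perspective is a source-to-sink data-flow path: the line where untrusted input enters, each assignment it passes through, and the dangerous call it finally reaches. The following is an added example, not AppScan Source code and not a description of its engine: a toy intra-procedural tracer over Python code built on the standard ast module, with request.args.get assumed as the taint source and cursor.execute assumed as the SQL sink. Run on the constructed sample, it reports the concatenated query as a finding with a three-hop trace and treats the parameterized call as safe, because only the first argument (the SQL text) is the sink and bound parameters never become part of the statement.

```python
"""Toy source-to-sink trace for SQL injection.

Added example, not AppScan Source internals. SOURCES and SINKS are assumed
names for illustration; SAMPLE is constructed code under analysis.
"""
import ast

SAMPLE = '''
def lookup(request, cursor):
    user = request.args.get("user")
    query = "SELECT * FROM accounts WHERE name = '" + user + "'"
    cursor.execute(query)

def lookup_safe(request, cursor):
    user = request.args.get("user")
    cursor.execute("SELECT * FROM accounts WHERE name = %s", (user,))
'''

SOURCES = {"request.args.get"}   # calls whose return value is attacker-controlled
SINKS = {"cursor.execute"}       # calls whose first argument must not be tainted


def dotted(node):
    """Render a Name/Attribute chain such as request.args.get as a string, else None."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = dotted(node.value)
        return f"{base}.{node.attr}" if base else None
    return None


def names_in(node):
    """All variable names referenced anywhere inside an expression."""
    return {n.id for n in ast.walk(node) if isinstance(n, ast.Name)}


def trace_function(fn):
    """Return one trace per tainted value reaching a sink.

    A trace is a list of (line, description) hops: the source, each
    propagating assignment, then the sink. Straight-line code only; branches
    and calls into other functions are not followed, which is what keeps
    this a toy rather than a real analyzer.
    """
    tainted = {}   # variable name -> trace of hops that made it tainted
    findings = []
    for stmt in fn.body:
        if (isinstance(stmt, ast.Assign) and len(stmt.targets) == 1
                and isinstance(stmt.targets[0], ast.Name)):
            target = stmt.targets[0].id
            value = stmt.value
            if isinstance(value, ast.Call) and dotted(value.func) in SOURCES:
                tainted[target] = [(stmt.lineno, f"source {dotted(value.func)}() -> {target}")]
                continue
            used = names_in(value) & set(tainted)
            if used:
                # Any tainted operand (concatenation, format, f-string) taints the result.
                src = sorted(used)[0]
                tainted[target] = tainted[src] + [(stmt.lineno, f"{src} flows into {target}")]
            else:
                tainted.pop(target, None)   # reassignment from clean data clears taint
        elif (isinstance(stmt, ast.Expr) and isinstance(stmt.value, ast.Call)
                and dotted(stmt.value.func) in SINKS and stmt.value.args):
            call = stmt.value
            # Only the SQL text (first argument) is the sink; bound parameters are safe.
            for var in sorted(names_in(call.args[0]) & set(tainted)):
                findings.append(tainted[var] + [(stmt.lineno, f"{var} reaches sink {dotted(call.func)}()")])
    return findings


def analyze(source):
    """Map each top-level function name to its list of traces."""
    tree = ast.parse(source)
    return {fn.name: trace_function(fn)
            for fn in tree.body if isinstance(fn, ast.FunctionDef)}


def main():
    for name, traces in analyze(SAMPLE).items():
        print(f"{name}: {len(traces)} finding(s)")
        for trace in traces:
            for line, hop in trace:
                print(f"  line {line}: {hop}")


if __name__ == "__main__":
    main()
```

The point of printing the whole hop list rather than only the sink line is the same as the tool's visual trace: a developer who is not a security expert can see where the value came from and which assignment to change, instead of being handed a bare "SQL injection at line 5".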
Continuous Improvement Environment
[Diagram: a cycle CONFIGURE > SCAN > TRIAGE > ASSIGN / REMEDIATE > REPORT, with only high-confidence findings passed on from triage to assignment. Product labels as placed in the figure: Configure and Triage: AppScan Source for Analysis; Scan: AppScan Source for Analysis, for Development, for Automation; Assign/Remediate: AppScan Source for Remediation, for Development; Report: AppScan Enterprise.]
Security Analyst Workflow
Security professionals using AppScan Source for Security:
1. Receive a source code archive
2. Extract code and import into AppScan Source
3. Scan, resolve compilation issues (often many)
4. Triage scan results
5. Export or write report
6. Deliver report
7. Begin again with a new application
Total time: 2-3 weeks / application
• Applications are scanned once per year or less
• Minimal carry-over for subsequent scans
Developer Workflow
Any developer using AppScan Source for Development:
1. Click scan
2. Wait for scan to complete
3. Triage scan results
4. Resolve vulnerabilities
5. Check code into central repository
Total time: ½ - 1 day
• Developers cannot develop while scanning (can take hours)
• Developers are not security experts
• Scan workflow interrupts agile workflows
Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
Magic Quadrant for Application
Security Testing
Neil MacDonald, Joseph Feiman
July 2, 2013
This Magic Quadrant graphic was published by Gartner, Inc. as
part of a larger research note and should be evaluated in the
context of the entire report. The link to the Gartner report is
available upon request from IBM.
“The market for application security testing is changing rapidly. Technology trends, such as mobile applications, advanced Web applications and dynamic languages, are forcing the need to combine dynamic and static testing capabilities, which is reshaping the overall market.”
Gartner has recognized IBM as a leader in the Magic Quadrant for Application Security Testing (AST)
Additional Information Documents
EMA Impact Brief - IBM Security AppScan 8.7 Adds Support for iOS Mobile Apps
https://www14.software.ibm.com/webapp/iwm/web/signup.do?source=swg-WW_Security_Organic&S_PKG=ov14494&S_TACT=102PW29W
AppScan Source Data Sheet
http://public.dhe.ibm.com/common/ssi/ecm/en/rad14105usen/RAD14105USEN.PDF
AppScan Standard Data Sheet:
http://public.dhe.ibm.com/common/ssi/ecm/en/rad14019usen/RAD14019USEN.PDF
AppScan Enterprise Data Sheet
ftp://public.dhe.ibm.com/common/ssi/ecm/en/rad14113usen/RAD14113USEN.PDF
Posts
2013 Gartner Application Security Testing MQ and the Evolution of Software Security
http://securityintelligence.com/2013-gartner-application-security-testing-mq-and-the-evolution-of-software-security/
Gartner Publishes 2013 Magic Quadrant for Application Security Testing (AST)
http://securityintelligence.com/gartner-magic-quadrant-for-application-security-testing-2013/
Podcasts
2013 Gartner Magic Quadrant for Application Security Testing
http://www.blogtalkradio.com/calebbarlow/2013/07/25/2013-gartner-magic-quadrant-for-application-security-testing
Application + Threat + Security intelligence = Priceless
http://www.blogtalkradio.com/calebbarlow/2012/08/13/threat-application-security-intelligence-priceless
Taking Application Security from the Whiteboard to Reality
http://www.blogtalkradio.com/calebbarlow/2012/06/11/taking-application-security-from-the-whiteboard-to-reality
Videos
Overview of IBM Security AppScan
http://www.youtube.com/watch?v=9R4IjZpKt8I
How College Board is Building Security into Application Development
http://www.youtube.com/watch?v=TtqhlcTnbg8
Building Better, More Secure Applications
http://www.youtube.com/watch?v=UcN2uUolgKk
Using Application Security Testing to Increase Deployment Speed
http://www.youtube.com/watch?v=VImy3ilYUSk
IBM Security AppScan 8.7 for iOS mobile application support
http://www.youtube.com/watch?v=I73tbAmJIGw
IBM Security AppScan 8.7 for iOS Applications
http://www.youtube.com/watch?v=egnEH-GGQEI
IBM Security AppScan: Analysis Perspective
http://www.youtube.com/watch?v=UZD53ZgV848
Smarter security for a smarter planet