IBM® Security Systems Division

Ready for IBM Security IntelligenceValidation requirements document for

IBM Security AppScan Family

Please visit the Ready for IBM Security Intelligence software validation site for assistance, enablement support, and current copy of this document:

http://www.ibm.com/partnerworld/rfisi

Validated solution integrations and extensions can be found in the Ready for IBM Security Intelligence Showcase

http://www.ibm.com/partnerworld/rfisisolutions

Send documents to pwisv@us.ibm.com, “Ready for IBM Security Intelligence” in subject line.

Document Version 3

Table of Contents

Introduction.................................................................3Items required to complete validation.........................4Validation contact information....................................5Solution to be validated...............................................6

Solution overview...................................................................................................................................6Integration requirements....................................................................................................7

Architecture and overview......................................................................................................................7Solution integration details.................................................................................................8Integration exceptions........................................................................................................9Resources.........................................................................................................................10

Validation Requirements Document Page 2 of 11 IBM Security AppScan Family

Introduction

Ready for IBM Security Intelligence program validates partner integrations with IBM Security software and represents the solution integrations in the IBM Security section of the Ready for IBM Security Intelligence Showcase. This includes partners working to complete Industry Frameworks, Solution Initiatives, and Specialties or other offerings with a dependency on validating integrations with IBM Security Software.

This document provides the steps and validation requirements for demonstrating integrations with the IBM Security AppScan family of products. A brief overview of the integration points are provided, along with the testing, documentation and demonstration results needed to verify and validate the solution integration.

Reference the following resources for assistance. For further assistance contact our IBM Security AppScan validation specialist Dan Schofield, dan.schofield@uk.ibm.com

Ready for IBM Security Intelligence ResourcesReady for IBM Security Intelligence - Home

http://www.ibm.com/partnerworld/rfisi

Getting Started with the Ready for IBM Security Intelligence program

https://www.ibm.com/partnerworld/wps/servlet/ContentHandler/isv_com_dvm_techval_security_start

Ready for IBM Security Intelligence integration points and resources

https://www.ibm.com/partnerworld/wps/servlet/ContentHandler/isv_com_dvm_techval_security_integration

Ready for IBM Security Intelligence DeveloperWorks Homepage

http://ibm.co/rfisi

Ready for IBM Security Intelligence Message Board

https://www.ibm.com/developerworks/mydeveloperworks/groups/service/forum/topics?communityUuid=85cce0f0-581e-4b9e-9da8-b57c4a257949&ps=10&page=0

IBM PartnerWorld Contact Servicesassistance getting started

US Number: 800-426-9990, 770-858-5052, e-mail: pwisv@us.ibm.com, ask for Ready for IBM Security Intelligence assistance.

Ready for IBM Security Intelligence Showcase

http://www.ibm.com/partnerworld/rfisisolutions

Program Manager Contact Russ Warren, russell.warren@us.ibm.comOther Resources

IBM Security Communitiesbest practices and scenarios

http://www.ibm.com/developerworks/security/community.html

IBM Service Management Connect https://www.ibm.com/developerworks/servicemanagement/srm/index.html

IBM Software Access Catalogdownload IBM Security software

http://www.ibm.com/isv/welcome/softmall.html

IBM PartnerWorld option supportassistance with listed products

Voice US Number: 800-426-9990, 770-858-5052, Remote e-mail:

Validation Requirements Document Page 3 of 11 IBM Security AppScan Family

https://www.ibm.com/isv/tech/member/index.html

Validation Requirements Document Page 4 of 11 IBM Security AppScan Family

Items required to complete validationTo validate your IBM Security AppScan family based integration and include the solution highlight in the Ready for IBM Security Intelligence Showcase, the following items must be submitted to the validation lab at pwisv@us.ibm.com. Please consult the Ready for IBM Security Intelligence software validation Web site for guidance and details concerning the validation process at https://www.ibm.com/partnerworld/wps/servlet/ContentHandler/isv_com_dvm_techval_security

Items required for validationFinal validation

requirements documentFinal version of this document representing the solution integration being validated Ready for IBM Security Intelligence. Need to document and identify the classes and interfaces used.

Test plan report Document containing use scenarios, data points, and information on the solution integration with IBM Security AppScan Will be used when reviewing test results and files, performing the validation, and during the solution integration demonstration.

Integration Setup Information

Solution setup or administration documentation, or a portion of a document providing information customers would use to setup or configure the integration between your solution and IBM Security AppScan Should include items in IBM Security AppScan that need to be customized to make the integration work.

Demonstration A remote demonstration or captured demo to walk through the integration scenarios with IBM Security AppScan.

Ready for IBM Security Intelligence Showcase

Integration highlights (solution overview, requirements, contacts) used for the Ready for IBM Security Intelligence Showcase entry (http://www.ibm.com/partnerworld/rfisisolutions). This should include a company logo that can be used (Recommended size 100 x 50).

Web page To include your solution integration reference in the Ready for IBM Security Intelligence Showcase (http://www.ibm.com/partnerworld/rfisisolutions), you need to provide a Web page link highlighting the solution integration. Also, encourage using the Ready for IBM Security Intelligence logo mark on your Web page, solution material, at conferences and on other marketing material.

Validation Requirements Document Page 5 of 11 IBM Security AppScan Family

Validation contact information Please complete ALL the fields below to provide the validation project contact information.

Submitted by:Title/Position:

Company:

Address:

Telephone:Fax:

E-mail:

IBM Security Product:

IBM Security AppScan Standard V8 IBM Security AppScan Standard V8

IBM Security AppScan Source V8 IBM Security AppScan Source V9

IBM Security AppScan Enterprise V8 IBM Security AppScan Enterprise V9

Your Solution Name and Version:

Global Solution DirectoryURL:

Current Date: 201X/mm/ddAnticipated Solution Start

Date: 201X/mm/dd

Anticipated Solution Completion Date: 201X/mm/dd

Validation Requirements Document Page 6 of 11 IBM Security AppScan Family

Solution to be validated

Solution overview Please fill in the auto-sizing text box below to provide the validation lab a technical overview of the application or solution, the integration points and solution to be validated.

To be filled in.

Validation Requirements Document Page 7 of 11 IBM Security AppScan Family

Integration requirements

This section provides an overview of the Ready for IBM Security Intelligence validation requirements for each of the products in the IBM Security AppScan familt. The next section “Integration Options for Validation” will allow you to identify the configuration and pertinent platforms used by your offering for validation.

Architecture and overviewThis following diagram shows the overall architecture of the IBM Security AppScan Family

IBM Security AppScan Standard Edition delivers the desktop solution for automating web application security testing. Used by penetration testers and security auditors, as well as QA and development. Output from AppScan Standard can be used as input into Partner system to provide further specialised analysis or defect tracking.

IBM Security AppScan Enterprise Edition is a web-based, multi-user solution that provides centralized application security scanning, data consolidation and reporting, remediation capabilities, executive dashboards, compliance reporting, and seamless integration with AppScan Standard Edition. Using the XML/SOAP REST API Business Partners can integrate with AppScan Enterprise to enable vulnerability information to be used in other security systems to mitigate the risks of attack until fixes can be made in the applications.

IBM Security AppScan Source Edition automates the analysis of source code to identify vulnerabilities and facilitate their remediation by integrating with development processes and tools, including build systems and IDEs.

Validation Requirements Document Page 8 of 11 IBM Security AppScan Family

Solution integration details

This section is used for you to describe the solution integration items and methods used with IBM Security AppScan. The requested information is required and will be used as a “benchmark” to proceed with the validation.

Check each integration type you will use to integrate your solution with IBM Security AppScan Specify each operating system platform the integration supports.

AppScan Product / Integration Point

AppScan Standard Extensions Framework Yes NoAppScan Standard CLI Yes NoAppScan Standard Pyscan/Utilities Yes NoAppScan Enterprise REST API Yes NoAppScan Source CLI Yes NoAppScan Source for Automation Yes NoOS platforms Windows 2003 Windows 2008

Solaris HP/UX AIX

Linux Other (Specify)

Use the following area to provide a functional overview of the integration with the proposed data flows for the above selected interfaces and integration points. Highlight any high level business rules that are applicable along with the communication/protocol format being used. Critical would be information where the transaction or data exchanged meets specific compliance issues and concerns. It may be beneficial to insert a data flow diagram (like a Visio or PowerPoint) showing the interchange of data and the specific criteria that the interchange needs to address to work with the external system. Sufficient information is needed to assess the flow of information through the interfaces.

Note: No need to duplicate information if some of this will be placed in the requested Integration Guide.

Validation Requirements Document Page 9 of 11 IBM Security AppScan Family

Integration exceptions

Use this section to note any exceptions to the Integration Requirements that should be considered for this integration. Also List any additional considerations or system impact not explicitly stated previously. May include, but not limited to: database changes, application functionality, or any task that affects the integration but is outside the scope of this estimate. Information will be review and discussed during validation.

Validation Requirements Document Page 10 of 11 IBM Security AppScan Family

Resources

Use the following information and resource links to assist with setting up and integrating with the IBM Security AppScan family of products

IBM Security AppScan Homepage http://www-01.ibm.com/software/awdtools/appscan/IBM Security AppScan Standard Documentation

http://pic.dhe.ibm.com/infocenter/apsshelp/v8r7m0/index.jsp

IBM Security AppScan Source Documentation

http://pic.dhe.ibm.com/infocenter/appsrc/v8r7m0/index.jsp

IBM Security AppScan Enterprise Documentation

http://pic.dhe.ibm.com/infocenter/asehelp/v8r7m0/index.jsp

Application Security Community of Practice

https://www.ibm.com/developerworks/mydeveloperworks/blogs/242fafe4-766c-4c93-bb7d-3d2a5ee1cbd6/?lang=en

Support Portal http://www-947.ibm.com/support/entry/portal/overview/software/security_systems/ibm_security_appscan_family

DeveloperWorks Security Community http://www.ibm.com/developerworks/security/community.html

Ready for IBM Security Enablement Resources

https://www.ibm.com/partnerworld/page/isv_com_dvm_techval_security

Validation Requirements Document Page 11 of 11 IBM Security AppScan Family