IBM AppScan Source - The SAST solution
Download as PPT, PDF4 likes5,717 views
IBM AppScan Source is a static application security testing (SAST) tool that scans source code to identify vulnerabilities like SQL injection and cross-site scripting. It has components for analysis, development, remediation, and automation. It can be deployed as a standard desktop tool, in a small workgroup, or in an enterprise environment integrated with other tools. AppScan Source features include importing apps, configuring scans, viewing results, and generating reports. It aims to help security analysts, developers, and organizations identify and fix issues to prevent data breaches and other security problems.
IBM AppScan Source - The SAST solution
- 1. IBM AppScan Source The SAST solution Thuc X.Vu <[email protected]> Reseacher, founder of IoT and Data processing Labs Vietsoftware International Inc. Website: http://labsofthings.com/
- 2. IBM AppScan Solution2 Vietsoftware International Inc. Agenda Understanding what AppScan Source is AppScan Source components Deployment models Features and Tooling Workflow DEMO
- 3. IBM AppScan Solution3 Vietsoftware International Inc. Understanding what AppScan Source is AppScan Source is a static application security testing (SAST) solution. Scans application source code for security vulnerabilities: SQL injection, command injection, cross-site scripting, buffer overflow These vulnerabilities are exploitable weaknesses in code that lead to: 1. Loss of reputation 2. Loss of money 3. A breach or an exposure of sensitive information 4. Business noncompliance AppScan Source enables organizations to proactively identify and mitigate security risk.
- 4. IBM AppScan Solution5 Vietsoftware International Inc. AppScan Source components Source for Analysis, Source for Development, Source for Remediation, Source for Automation 1. AppScan Source for Automation Allow Build Teams to execute Scans at Build time Command line tooling and build tools allow for ease of automation Assessment Publishing and Reporting directly from Automation
- 5. IBM AppScan Solution6 Vietsoftware International Inc. AppScan Source components (Cont.) 2. AppScan Source for Development Allow Developers to perform Security Scans Plugins supplied for IDE Remediate Vulnerabilities 3. AppScan Source for Analysis Allow Security Analysts to Configure Applications for SAST Scanning, Optimize Scan Configuration to Focus on Vulnerable Source Code Analyze, isolate, and take action on priority vulnerabilities. Provides security analysts, QA managers, and development managers with fast time-to-results.
- 6. IBM AppScan Solution7 Vietsoftware International Inc. AppScan Source components (Cont.) AppScan Source Database An out-of-the-box database that persists the AppScan Source Security Knowledgebase data, assessment data, and application/project inventory. AppScan Source command line interface (CLI) client Provides command line access to various AppScan Source functions to enable integration, automation, and scripting. Plugins for Make, Ant, and Maven allow the configuration process to be automated
- 7. IBM AppScan Solution8 Vietsoftware International Inc. AppScan Source Edition Products vs Roles
- 8. IBM AppScan Solution9 Vietsoftware International Inc. Agenda Understanding what AppScan Source is AppScan Source components Deployment models Features and Tooling Workflow DEMO
- 9. IBM AppScan Solution10 Vietsoftware International Inc. Standard desktop deployment
- 10. IBM AppScan Solution11 Vietsoftware International Inc. Standard desktop deployment (Cont.) Used in small organization, for a security analyst/auditor who performs security assessments No defect tracking system integration or build integration Using the AppScan Source administrative account, and no LDAP Directory Server integration
- 11. IBM AppScan Solution12 Vietsoftware International Inc. Small workgroup deployment
- 12. IBM AppScan Solution13 Vietsoftware International Inc. Small workgroup deployment (Cont.) Used in small to moderate organization Dedicated to different roles: Administrator, Manager, Security Analyst, Developer Build Automation server integration
- 13. IBM AppScan Solution14 Vietsoftware International Inc. Enterprise workgroup deployment
- 14. IBM AppScan Solution15 Vietsoftware International Inc. Enterprise workgroup deployment (Cont.) Integrate with Defect tracking system Authentication with LDAP integration
- 15. IBM AppScan Solution16 Vietsoftware International Inc. Agenda Understanding what AppScan Source is AppScan Source components Deployment models Features and Tooling Workflow DEMO
- 16. IBM AppScan Solution17 Vietsoftware International Inc. AppScan Source Features and Tooling Configuration perspective: - Import existing applications from IDEs - Configure AppScan Source applications and projects - Scan code - Create and manage applications, projects, and attributes Triage perspective: - View scan results to prioritize remediation workflow - Organize findings - Filter findings - Promote, demote, and dispatch findings for remediation Analysis perspective: - Drill down to individual findings - Track data flow visually though the source code (trace) - Access contextual remediation assistance - Generate Reports
- 17. IBM AppScan Solution18 Vietsoftware International Inc. Agenda Understanding what AppScan Source is AppScan Source components Deployment models Features and Tooling Workflow DEMO
- 18. IBM AppScan Solution19 Vietsoftware International Inc. Continuous Improvement Environment CONFIGURE TRIAGE ASSIGNREMEDIATE AppScan Source •For Analysis •For Development •For Automation AppScan Enterprise AppScan Source •For Remediation •For Development REPORT High-confidence findings >>>>> > > > > > >> > > > > > > AppScan Source •For Analysis AppScan Source •For Analysis SCAN
- 19. IBM AppScan Solution20 Vietsoftware International Inc. Security Analyst Workflow Security Professionals using AppScan Source for Security: Total time: 2-3 weeks / application • Applications are scanned once per year or less • Minimal carry-over for subsequent scans
- 20. IBM AppScan Solution21 Vietsoftware International Inc. Developer Workflow Any developer using AppScan Source for Development: Total Time: ½ - 1 day •Developers cannot develop while scanning (can take hours) •Developers are not security experts •Scan workflow interrupts agile workflows
- 21. IBM AppScan Solution22 Vietsoftware International Inc. Agenda Understanding what AppScan Source is AppScan Source components Deployment models Features and Tooling Workflow DEMO
- 22. IBM AppScan Solution23 Vietsoftware International Inc. Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose Magic Quadrant for Application Security Testing Neil MacDonald, Joseph Feiman July 2, 2013 This Magic Quadrant graphic was published by Gartner, Inc. as part of a larger research note and should be evaluated in the context of the entire report. The link to the Gartner report is available upon request from IBM. “The market for application security testing is changing rapidly. Technology trends, such as mobile applications, advanced Web applications and dynamic languages, are forcing the need to combine dynamic and static testing capabilities, which is reshaping the overall market.” Gartner has recognized IBM as a leader in the Magic Quadrant for Application Security Testing (AST)
- 23. IBM AppScan Solution24 Vietsoftware International Inc. Additional Information Documents EMA Impact Brief - IBM Security AppScan 8.7 Adds Support for iOS Mobile Apps https://www14.software.ibm.com/webapp/iwm/web/signup.do?source=swg- WW_Security_Organic&S_PKG=ov14494&S_TACT=102PW29W AppScan Source Data Sheet http://public.dhe.ibm.com/common/ssi/ecm/en/rad14105usen/RAD14105USEN.PDF AppScan Standard Data Sheet: http://public.dhe.ibm.com/common/ssi/ecm/en/rad14019usen/RAD14019USEN.PDF AppScan Enterprise Data Sheet ftp://public.dhe.ibm.com/common/ssi/ecm/en/rad14113usen/RAD14113USEN.PDF Posts 2013 Gartner Application Security Testing MQ and the Evolution of Software Security http://securityintelligence.com/2013-gartner-application-security-testing-mq-and-the-evolution-of-software-security/ Gartner Publishes 2013 Magic Quadrant for Application Security Testing (AST) http://securityintelligence.com/gartner-magic-quadrant-for-application-security-testing-2013/ Podcasts 2013 Gartner Magic Quadrant for Application Security Testing http://www.blogtalkradio.com/calebbarlow/2013/07/25/2013-gartner-magic-quadrant-for-application-security-testing Application + Threat + Security intelligence = Priceless http://www.blogtalkradio.com/calebbarlow/2012/08/13/threat-application-security-intelligence-priceless Taking Application Security from the Whiteboard to Reality http://www.blogtalkradio.com/calebbarlow/2012/06/11/taking-application-security-from-the-whiteboard-to-reality
- 24. IBM AppScan Solution25 Vietsoftware International Inc. Videos Overview of IBM Security AppScan http://www.youtube.com/watch?v=9R4IjZpKt8I How College Board is Building Security into Application Development http://www.youtube.com/watch?v=TtqhlcTnbg8 Building Better, More Secure Applications http://www.youtube.com/watch?v=UcN2uUolgKk Using Application Security Testing to Increase Deployment Speed http://www.youtube.com/watch?v=VImy3ilYUSk IBM Security AppScan 8.7 for iOS mobile application support http://www.youtube.com/watch?v=I73tbAmJIGw IBM Security AppScan 8.7 for iOS Applications http://www.youtube.com/watch?v=egnEH-GGQEI IBM Security AppScan: Analysis Perspective http://www.youtube.com/watch?v=UZD53ZgV848
- 25. IBM AppScan Solution26 Vietsoftware International Inc. Credits Implemented IBM Appscan for customers in Vietnam: Vietcombank; VietinBank; Vietnam Customs Some presentations on Enterprise Mobile Solution, IoT, Security, payment at http://www.slideshare.net/papaiking/
- 26. IBM AppScan Solution27 Vietsoftware International Inc. Smarter security for a smarter planet