IBM AppScan Enterprise - The total software security solution
Download as PPT, PDF2 likes3,312 views
The document provides an overview of IBM AppScan Enterprise, its key features, workflows, and benefits for application security. It discusses various web application vulnerabilities, the importance of security in the software development lifecycle, and how AppScan addresses these issues through centralized control and reporting capabilities. Additionally, it highlights IBM's recognition as a leader in application security testing by Gartner.
IBM AppScan Enterprise - The total software security solution
- 1. IBM AppScan Enterprise The total security solution Thuc X.Vu <[email protected]> Reseacher, founder of IoT and Data processing Labs Vietsoftware International Inc. Website: http://labsofthings.com/
- 2. IBM AppScan Solution2 Vietsoftware International Inc. Agenda Introduction to security What is IBM AppScan Enterprise? Key features Workflow DEMO
- 3. IBM AppScan Solution3 Vietsoftware International Inc. Introduction to security Desktop Transport Network Web Applications Antivirus Protection Encryption (SSL) Firewalls / IDS / IPS Firewall Web Servers Databases Backend Server Application Servers Info Security LandscapeInfo Security Landscape
- 4. IBM AppScan Solution4 Vietsoftware International Inc. Hackers Exploit Unintended Functionality to Attack Apps Intended Functionality Unintended Functionality Actual Functionality
- 5. IBM AppScan Solution5 Vietsoftware International Inc. 01/01/2006 union select userid,null,username+','+password,null from users-- Application responds with user names and passwords of other account holders!
- 6. IBM AppScan Solution6 Vietsoftware International Inc. Application Threat Negative Impact Example Impact Cross Site scripting Identity Theft, Sensitive Information Leakage, … Hackers can impersonate legitimate users, and control their accounts. Injection Flaws Attacker can manipulate queries to the DB / LDAP / Other system Hackers can access backend database information, alter it or steal it. Malicious File Execution Execute shell commands on server, up to full control Site modified to transfer all interactions to the hacker. Insecure Direct Object Reference Attacker can access sensitive files and resources Web application returns contents of sensitive file (instead of harmless one) Cross-Site Request Forgery Attacker can invoke “blind” actions on web applications, impersonating as a trusted user Blind requests to bank account transfer money to hacker Information Leakage and Improper Error Handling Attackers can gain detailed system information Malicious system reconnaissance may assist in developing further attacks Broken Authentication & Session Management Session tokens not guarded or invalidated properly Hacker can “force” session token on victim; session tokens can be stolen after logout Insecure Cryptographic Storage Weak encryption techniques may lead to broken encryption Confidential information (SSN, Credit Cards) can be decrypted by malicious users Insecure Communications Sensitive info sent unencrypted over insecure channel Unencrypted credentials “sniffed” and used by hacker to impersonate user Failure to Restrict URL Access Hacker can access unauthorized resources Hacker can forcefully browse and access a page past the login page The OWASP Top 10
- 7. IBM AppScan Solution7 Vietsoftware International Inc. 2013 Web Application Vulnerabilities Found Trend
- 8. IBM AppScan Solution8 Vietsoftware International Inc. Agenda Introduction to security What is IBM AppScan Enterprise? Key features Workflow DEMO
- 9. IBM AppScan Solution12 Vietsoftware International Inc. Centralized Control Scalablility Enterprise-wide Visibility Unique Remediation Workflow Full SDLC Support AppScan Enterprise Benefits
- 10. IBM AppScan Solution13 Vietsoftware International Inc. Agenda Introduction to security What is IBM AppScan Enterprise? Key features Workflow DEMO
- 11. IBM AppScan Solution14 Vietsoftware International Inc. Controlled, Web-based Report Distribution 3 Controlled, Web-based Application Testing 2 1 Enterprise Metrics and Visibility 4 Issue Management AppScan Enterprise – Key Features & Benefits Enable Development and QA to perform testing during SDLC Control what applications each user can test Easily distribute reports Control the access to information Increase visibility and better understand enterprise risks Focus on fixing issues, not just finding issues Issue Management4 Enterprise Metrics and Visibility3 Controlled, Web-based Report Distribution2 1 Controlled, Web-based Application Testing
- 12. IBM AppScan Solution15 Vietsoftware International Inc. Multiple Report Levels ƒ ƒ ƒ ƒ Dashboards Report Pack Summaries Detailed Reports About this… Report
- 13. IBM AppScan Solution16 Vietsoftware International Inc. Report Categories ƒ Inventory Reports Broken Links Hosts Pages etc. Security Reports Application Security Issues Infrastructure Security Issues Remediation Tasks Security Risk Assessment Compliance Reports Safe Harbour Sarbanes-Oxley Act (SOX) Visa CISP etc. ƒ ƒ
- 14. IBM AppScan Solution17 Vietsoftware International Inc. User Roles and Access Permissions ƒ Control access to information Security Manager Specify what AppScan Enterprise Compliance Officer Pen Tester ƒ Specify what types of Developer 10 ƒ Assign user roles applications a user scan tests a user can perform
- 15. IBM AppScan Solution18 Vietsoftware International Inc. Agenda Introduction to security What is IBM AppScan Enterprise? Key features Workflow DEMO
- 16. IBM AppScan Solution19 Vietsoftware International Inc. AppScan Enterprise: Workflow
- 17. IBM AppScan Solution20 Vietsoftware International Inc. AppScan Enterprise: Build Application
- 18. IBM AppScan Solution21 Vietsoftware International Inc. AppScan Enterprise: Build Application
- 19. IBM AppScan Solution22 Vietsoftware International Inc. Build Application: Edit application Profile Template
- 20. IBM AppScan Solution23 Vietsoftware International Inc. Build Application: import applications
- 21. IBM AppScan Solution24 Vietsoftware International Inc. AppScan Enterprise: Create Application Define: Application attributes, scans, users
- 22. IBM AppScan Solution25 Vietsoftware International Inc. AppScan Enterprise: Risk Rating Formula
- 23. IBM AppScan Solution26 Vietsoftware International Inc. AppScan Enterprise: Risk Rating Formula
- 24. IBM AppScan Solution27 Vietsoftware International Inc. AppScan Enterprise: Risk Rating Formula
- 25. IBM AppScan Solution28 Vietsoftware International Inc. AppScan Enterprise: Risk Rating Formula
- 26. IBM AppScan Solution29 Vietsoftware International Inc. AppScan Enterprise: Test Applications
- 27. IBM AppScan Solution30 Vietsoftware International Inc. AppScan Enterprise: Define issue profile
- 28. IBM AppScan Solution31 Vietsoftware International Inc. AppScan Enterprise: Define scanner profile
- 29. IBM AppScan Solution32 Vietsoftware International Inc. AppScan Enterprise: Import issues
- 30. IBM AppScan Solution33 Vietsoftware International Inc. AppScan Enterprise: Scan management
- 31. IBM AppScan Solution34 Vietsoftware International Inc. Mark application “Testing Status” as completed
- 32. IBM AppScan Solution35 Vietsoftware International Inc. AppScan Enterprise: Fix issues
- 33. IBM AppScan Solution36 Vietsoftware International Inc. AppScan Enterprise: Filter and send issues by URL
- 34. IBM AppScan Solution37 Vietsoftware International Inc. AppScan Enterprise: Monitor issues
- 35. IBM AppScan Solution38 Vietsoftware International Inc. AppScan Enterprise: Monitor all apps
- 36. IBM AppScan Solution39 Vietsoftware International Inc. AppScan Enterprise: Monitor each apps
- 37. IBM AppScan Solution40 Vietsoftware International Inc. AppScan Enterprise: Training
- 38. IBM AppScan Solution41 Vietsoftware International Inc. AppScan Enterprise: Training
- 39. IBM AppScan Solution42 Vietsoftware International Inc. Agenda Introduction to security What is IBM AppScan Enterprise? Key features Workflow DEMO
- 40. IBM AppScan Solution43 Vietsoftware International Inc. DEMO – Test Site And Project (Altoro Mutual) URL: http://demo.testfire.net Account: jsmith / demo1234
- 41. IBM AppScan Solution44 Vietsoftware International Inc. Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose Magic Quadrant for Application Security Testing Neil MacDonald, Joseph Feiman July 2, 2013 This Magic Quadrant graphic was published by Gartner, Inc. as part of a larger research note and should be evaluated in the context of the entire report. The link to the Gartner report is available upon request from IBM. “The market for application security testing is changing rapidly. Technology trends, such as mobile applications, advanced Web applications and dynamic languages, are forcing the need to combine dynamic and static testing capabilities, which is reshaping the overall market.” Gartner has recognized IBM as a leader in the Magic Quadrant for Application Security Testing (AST)
- 42. IBM AppScan Solution45 Vietsoftware International Inc. Additional Information Documents EMA Impact Brief - IBM Security AppScan 8.7 Adds Support for iOS Mobile Apps https://www14.software.ibm.com/webapp/iwm/web/signup.do?source=swg- WW_Security_Organic&S_PKG=ov14494&S_TACT=102PW29W AppScan Source Data Sheet http://public.dhe.ibm.com/common/ssi/ecm/en/rad14105usen/RAD14105USEN.PDF AppScan Standard Data Sheet: http://public.dhe.ibm.com/common/ssi/ecm/en/rad14019usen/RAD14019USEN.PDF AppScan Enterprise Data Sheet ftp://public.dhe.ibm.com/common/ssi/ecm/en/rad14113usen/RAD14113USEN.PDF Posts 2013 Gartner Application Security Testing MQ and the Evolution of Software Security http://securityintelligence.com/2013-gartner-application-security-testing-mq-and-the-evolution-of-software-security/ Gartner Publishes 2013 Magic Quadrant for Application Security Testing (AST) http://securityintelligence.com/gartner-magic-quadrant-for-application-security-testing-2013/ Podcasts 2013 Gartner Magic Quadrant for Application Security Testing http://www.blogtalkradio.com/calebbarlow/2013/07/25/2013-gartner-magic-quadrant-for-application-security-testing Application + Threat + Security intelligence = Priceless http://www.blogtalkradio.com/calebbarlow/2012/08/13/threat-application-security-intelligence-priceless Taking Application Security from the Whiteboard to Reality http://www.blogtalkradio.com/calebbarlow/2012/06/11/taking-application-security-from-the-whiteboard-to-reality
- 43. IBM AppScan Solution46 Vietsoftware International Inc. Videos Overview of IBM Security AppScan http://www.youtube.com/watch?v=9R4IjZpKt8I How College Board is Building Security into Application Development http://www.youtube.com/watch?v=TtqhlcTnbg8 Building Better, More Secure Applications http://www.youtube.com/watch?v=UcN2uUolgKk Using Application Security Testing to Increase Deployment Speed http://www.youtube.com/watch?v=VImy3ilYUSk IBM Security AppScan 8.7 for iOS mobile application support http://www.youtube.com/watch?v=I73tbAmJIGw IBM Security AppScan 8.7 for iOS Applications http://www.youtube.com/watch?v=egnEH-GGQEI IBM Security AppScan: Analysis Perspective http://www.youtube.com/watch?v=UZD53ZgV848
- 44. IBM AppScan Solution47 Vietsoftware International Inc. Credits Implemented IBM Appscan for customers in Vietnam: Vietcombank; VietinBank; Vietnam Customs Some presentations on Enterprise Mobile Solution, IoT, Security, payment at http://www.slideshare.net/papaiking/
- 45. IBM AppScan Solution48 Vietsoftware International Inc. Smarter security for a smarter planet
Editor's Notes
- #7: The OWASP Top 10 list, includes the following 10 common security issues, which we will cover in a moment.
- #8: The OWASP Top 10 list, includes the following 10 common security issues, which we will cover in a moment.
- #11: I didn’t add in the Analist to the list cause we really don’t have anything for them.