IBM Rational AppScan Product Overview

Editor's Notes

• #2: Overview To be competitive in today’s fast-paced business environment requires increased visibility and automation of governance and compliance measures. As software has become the driving force behind innovation, customers are focusing on improving and automating quality and security earlier in the software delivery lifecycle. The addition of Rational Software Analyzer to Rational’s quality management capabilities provides a centralized, extensible foundation for static analysis driving increased quality and reduced risk. Centralized quality automation simplifies software delivery processes decreasing overhead and increasing software reliability An extensible foundation enables inclusion of rules such as security, compliance, and intellectual property vulnerabilities increasing team responsiveness to business priorities Powerful reporting features increase project visibility and support enforcement of corporate IT governance and compliance directives NEW! Rational Software Analyzer Available 4/29/08 Rational AppScan Developer Edition Beta Available 5/26/08
• #8: The National Institute of Standards and Technology (NIST) reports that “…80% of development costs [are spent] on identifying and correcting defects The ‘Cost of Defect’ figures from Caper Jones (Applied Software Measurement, 1996): At coding time - $25/defect At build time - $100/defect At QA - $450/defect At field level - $16,000/defect
• #9: Here’s how we’re raising the quality bar and delivering innovation and value to our customers with RQM: how we’re bringing new differentiators to this space not delivered before… (HP does not have ALM integration) (HP lags with requirements integration) Improved efficiency, utilization, and quality of test lab operations. (Unique market differentiator) Test Case Prioritization (Unique market differentiator) Real-time detection of defects and test case prioritization for resolution Remote launch and control of integrated point products (Unique market differentiator) (HP is closed - each vendor needs special arrangement to exchange data) Pattern analysis and recognition (unique market differentiator) ??
• #12: Klockwork coming from quality with limited security expertise Cenzic struggling & limited to blackkbox solution This leaves Fortify & HP/SPI Fortify is lacking the blackbox capability to compliment whitebox offerings for a complete & cost viable solution HP/SPI has a credible blackbox offering, but a deficient whitebox offering leaving a poor hybrid solution
• #14: Rational AppScan Developer Edition provides security and compliance checks alongside of Rational Software Analyzer Combines static analysis providing non-security professionals the ability to check for security defects in web applications Ability to execute multiple scan rules and tools from a common framework increases productivity Provides remediation advice to facilitate developer efforts to fix security issues efficiently Developer Essentials test policy provides high accuracy issue identification for security issues that developers can understand and fix efficiently Includes embedded security issue training Bit-sized training modules allow developers to quickly understand the security issue and make the appropriate fix Facilitates non-disruptive adoption of security testing solutions to improve application
• #15: If team is not collaborating what happens? If team is not leveraging automation, what is the impact? If team does not have appropriate level of governance, what happens?
• #17: Overview To be competitive in today’s fast-paced business environment requires increased visibility and automation of governance and compliance measures. As software has become the driving force behind innovation, customers are focusing on improving and automating quality and security earlier in the software delivery lifecycle. The addition of Rational Software Analyzer to Rational’s quality management capabilities provides a centralized, extensible foundation for static analysis driving increased quality and reduced risk. Centralized quality automation simplifies software delivery processes decreasing overhead and increasing software reliability An extensible foundation enables inclusion of rules such as security, compliance, and intellectual property vulnerabilities increasing team responsiveness to business priorities Powerful reporting features increase project visibility and support enforcement of corporate IT governance and compliance directives NEW! Rational Software Analyzer Available 4/29/08 Rational AppScan Developer Edition Beta Available 5/26/08
• #23: Designed for Developers, not Auditors Support partially built applications Manual Explore based scans on specific working flows Static Analysis supports applications once they compile Developers are not a gateway, and rather seek max efficiency Prioritize quick results and ease of use over 100% coverage or extreme breadth of testing Enable both centralized and broad security testing Centralized scans in a build system or by team security leads Broad testing by entire team - “Test before check in” model Best Application Security Analysis Includes Static, Dynamic & Runtime Analysis Side-by-side, gain the strengths of all techniques Uses Composite Analysis , merging the different ways CA overcomes the weaknesses of each technique, such as: Theoretical Static Analysis confirmed by Dynamic Analysis Dynamic Analysis Coverage measured with Runtime Analysis Extreme Emphasis on Accuracy & Actionable Results Innovative Static String Analysis dramatically improves accuracy Runtime Analysis maps Dynamic Analysis issues to code Correlated Dynamic & Static results practically guaranteed Self-Serve Security Testing for Developers Detailed results include all you need to know Comprehensive information about each security issue and its impact Clear prioritization account for security risk and exploitability Remediation view turns risk into tasks Look at the problems from a development tasks perspective Risk manifested in task priority Detailed Fix Recommendations clarify needed action Complete with platform-specific code examples Retest capabilities enable verifying the fix works Built in and accompanying training supports self-serve Issue-specific flash-based training built into product Product & Security Web-Based Training will be available at GA Naturally fits into the SDLC process Easily fit into the SDLC process - Minimize disruption Fits common dev testing points (build or before check-in) Uses dev concepts and terminology, not security ones Scale to large number of users Support centralized reporting & permissions through AppScan Enterprise or AppScan Reporting Console Support collaboration within the development team Share configuration, results and more Integrate with development tools IDE, Source Control, Build System, Defect Tracking system…
• #24: Comprehensive Security Analysis combining Dynamic, Static & Runtime Analysis, providing unmatched coverage of potential security issues for web applications Next-Generation Accuracy with new patent-pending String Analysis, Developer Essentials test policy and the correlation of Static & Dynamic Analysis results all reducing the likelihood of false positives Unparalleled Ease of Use with browsing based Dynamic Analysis and String Analysis enabling zero-configuration Static Analysis making efficient and accurate security testing possible for Developers Identification of line-of-code location for Black-Box Issues - the Runtime-Analysis based Execution Flow provides textual and graphical insight, greatly simplifying the understanding and remediation of those issues. Self-Serve Security Testing for Developers from built-in Flash-based training, accurate and prioritized results pointing straight to the line of code, and detailed remediation advice complete with code samples allow developers to be self-sufficient in their daily handling of web application security Seamless Integration into the Development Process: Specially designed for developer use case including deep integration with Rational Application Developer and Eclipse Team collaboration through Rational ClearQuest and source-control systems Complete the Rational AppScan End-to-End security solution enabling the security team to establish and control scanning permissions and policies and provide Security & QA teams with a way to pass reproducible security issues back to development for remediation and verification
• #25: Comprehensive Security Analysis combining Dynamic, Static & Runtime Analysis, providing unmatched coverage of potential security issues for web applications Next-Generation Accuracy with new patent-pending String Analysis, Developer Essentials test policy and the correlation of Static & Dynamic Analysis results all reducing the likelihood of false positives Unparalleled Ease of Use with browsing based Dynamic Analysis and String Analysis enabling zero-configuration Static Analysis making efficient and accurate security testing possible for Developers Identification of line-of-code location for Black-Box Issues - the Runtime-Analysis based Execution Flow provides textual and graphical insight, greatly simplifying the understanding and remediation of those issues. Self-Serve Security Testing for Developers from built-in Flash-based training, accurate and prioritized results pointing straight to the line of code, and detailed remediation advice complete with code samples allow developers to be self-sufficient in their daily handling of web application security Seamless Integration into the Development Process: Specially designed for developer use case including deep integration with Rational Application Developer and Eclipse Team collaboration through Rational ClearQuest and source-control systems Complete the Rational AppScan End-to-End security solution enabling the security team to establish and control scanning permissions and policies and provide Security & QA teams with a way to pass reproducible security issues back to development for remediation and verification
• #26: 1. Security 2. Code 3. build 4. QA This represents our product suite – how we help clients get to the utopia which is testing throughout the entire SDLC. Taking security which usually resides in info sec or risk mgt and push it earlier. This is how we address it – start at the far right. This is where ownership usually falls. Should be on their heads if an issue occurs, they have final sign off. Desktop is the entry for many customers, but not all. Once you go beyond just sec and want to put controls in place and monitoring, ASE. See the web client for ASE – sec uses enterprise, ASE becomes the aggregation of all that info – central mgt and control. But depending on who you are and what your role is, we have different solutions to introduce sec so it’s the least intrusive as possible. Moving into QA, specifically built some funct into ASE which gives them capability to launch scans but not necessarily have the security background or knowledge. Setting up the scan can be a difficult process but to change that we have Quickscan…In addition to that, we have a Tester edition (for Quality Manager, comes out when QM is released). Tester ed – inside QM and QC, similar to DE but for those products – config and launching a scan from within those products. Create a new security test directly within that environment. Results will be accessible from within those tools, never need to get out of them. scans from within QC scheduled, in the future those scans will be run from ASE – so if they own ASE, the scan will run from ASE . Advantage – don’t have to have a locally installed version. Code – to get developers involved to perform tests – a few ways we can do it. One is with the brand new product DE – black and white testing and built into the IDE, gives you the ability to do the testing early in the code development. Does two tests to do both types of testing. Patented tech by ibm being embedded, string analysis, for watching the flow of informatio thru the application as you are testing it. Good analogy – putting dye in your blood and watching it. Understand where the problem is in the code to isolate it. Historically tricky to do but we found a way to do so, hence the patent. The other ASE quickscan. QS environmnet also built for that too – there may be instances when you don’t have access to source code – either not supported yet or a third party – portal deployment for QS. Build – automates tests as part of the building process, so let’s say getting ready to publish a new test version of an app – have build scripts that take all the code and deploy it. Sometimes have to start and stop the web servers or change registry settings (that’s what buildforge does) as part of the automated process and say once you’ve deployed that code, we’ll look at it and point out all the security defects. Could use quickscan but with the build edition, it’s all automated. Doesn’t require manual intervention. Build edition we think is being released at the same time as DE. Whenver security issues are found, can be pushed into defect management system.
• #27: 1. Security 2. Code 3. build 4. QA This represents our product suite – how we help clients get to the utopia which is testing throughout the entire SDLC. Taking security which usually resides in info sec or risk mgt and push it earlier. This is how we address it – start at the far right. This is where ownership usually falls. Should be on their heads if an issue occurs, they have final sign off. Desktop is the entry for many customers, but not all. Once you go beyond just sec and want to put controls in place and monitoring, ASE. See the web client for ASE – sec uses enterprise, ASE becomes the aggregation of all that info – central mgt and control. But depending on who you are and what your role is, we have different solutions to introduce sec so it’s the least intrusive as possible. Moving into QA, specifically built some funct into ASE which gives them capability to launch scans but not necessarily have the security background or knowledge. Setting up the scan can be a difficult process but to change that we have Quickscan…In addition to that, we have a Tester edition (for Quality Manager, comes out when QM is released). Tester ed – inside QM and QC, similar to DE but for those products – config and launching a scan from within those products. Create a new security test directly within that environment. Results will be accessible from within those tools, never need to get out of them. scans from within QC scheduled, in the future those scans will be run from ASE – so if they own ASE, the scan will run from ASE . Advantage – don’t have to have a locally installed version. Code – to get developers involved to perform tests – a few ways we can do it. One is with the brand new product DE – black and white testing and built into the IDE, gives you the ability to do the testing early in the code development. Does two tests to do both types of testing. Patented tech by ibm being embedded, string analysis, for watching the flow of informatio thru the application as you are testing it. Good analogy – putting dye in your blood and watching it. Understand where the problem is in the code to isolate it. Historically tricky to do but we found a way to do so, hence the patent. The other ASE quickscan. QS environmnet also built for that too – there may be instances when you don’t have access to source code – either not supported yet or a third party – portal deployment for QS. Build – automates tests as part of the building process, so let’s say getting ready to publish a new test version of an app – have build scripts that take all the code and deploy it. Sometimes have to start and stop the web servers or change registry settings (that’s what buildforge does) as part of the automated process and say once you’ve deployed that code, we’ll look at it and point out all the security defects. Could use quickscan but with the build edition, it’s all automated. Doesn’t require manual intervention. Build edition we think is being released at the same time as DE. Whenver security issues are found, can be pushed into defect management system.
• #28: 1. Security 2. Code 3. build 4. QA This represents our product suite – how we help clients get to the utopia which is testing throughout the entire SDLC. Taking security which usually resides in info sec or risk mgt and push it earlier. This is how we address it – start at the far right. This is where ownership usually falls. Should be on their heads if an issue occurs, they have final sign off. Desktop is the entry for many customers, but not all. Once you go beyond just sec and want to put controls in place and monitoring, ASE. See the web client for ASE – sec uses enterprise, ASE becomes the aggregation of all that info – central mgt and control. But depending on who you are and what your role is, we have different solutions to introduce sec so it’s the least intrusive as possible. Moving into QA, specifically built some funct into ASE which gives them capability to launch scans but not necessarily have the security background or knowledge. Setting up the scan can be a difficult process but to change that we have Quickscan…In addition to that, we have a Tester edition (for Quality Manager, comes out when QM is released). Tester ed – inside QM and QC, similar to DE but for those products – config and launching a scan from within those products. Create a new security test directly within that environment. Results will be accessible from within those tools, never need to get out of them. scans from within QC scheduled, in the future those scans will be run from ASE – so if they own ASE, the scan will run from ASE . Advantage – don’t have to have a locally installed version. Code – to get developers involved to perform tests – a few ways we can do it. One is with the brand new product DE – black and white testing and built into the IDE, gives you the ability to do the testing early in the code development. Does two tests to do both types of testing. Patented tech by ibm being embedded, string analysis, for watching the flow of informatio thru the application as you are testing it. Good analogy – putting dye in your blood and watching it. Understand where the problem is in the code to isolate it. Historically tricky to do but we found a way to do so, hence the patent. The other ASE quickscan. QS environmnet also built for that too – there may be instances when you don’t have access to source code – either not supported yet or a third party – portal deployment for QS. Build – automates tests as part of the building process, so let’s say getting ready to publish a new test version of an app – have build scripts that take all the code and deploy it. Sometimes have to start and stop the web servers or change registry settings (that’s what buildforge does) as part of the automated process and say once you’ve deployed that code, we’ll look at it and point out all the security defects. Could use quickscan but with the build edition, it’s all automated. Doesn’t require manual intervention. Build edition we think is being released at the same time as DE. Whenver security issues are found, can be pushed into defect management system.
• #35: Detailed configuration that can be saved and reused