Unit 1 AppScan Standard overview

AppScan Standard overview

© Copyright IBM Corporation 2015


Course materials may not be reproduced in whole or in part without the prior written permission of IBM.

This unit gives an overview of AppScan® Standard. You learn about what AppScan Standard is,
why you might want to use it, and where it fits in the software development life cycle.

References:
• Web Application Security Consortium: http://www.webappsec.org/
• Web services: https://en.wikipedia.org/wiki/Web_Services_Description_Language

© Copyright IBM Corp. 2015 1-1


V7.0

Unit objectives
• Diagram the interactions between these applications
! AppScan Standard
! AppScan Enterprise
! AppScan Source
• Describe AppScan Standard and its uses
• Summarize how AppScan fits in the SDLC

AppScan Standard overview © Copyright IBM Corporation 2015

Lesson 1 What is AppScan?

Lesson: What is AppScan?

This lesson serves as an introduction to AppScan Standard.

AppScan overview
• AppScan is a web application security testing tool
! Automates web application security testing
! Copies websites to build a site model
! Sends attacks over HTTP
! Analyzes responses for evidence of vulnerability
• Facilitates security checks during all phases of the software development life cycle
• Can be deployed by developers, QA, security teams, or auditors
• Supports governance, reporting, and dashboards

AppScan is a tool that automates web application security testing. It builds a site model by
following links on the site until the site is fully explored. Using the data gathered, it creates a list of
attacks and sends them over HTTP. Finally, it analyzes the responses it receives for evidence that an
attack succeeded, which indicates a vulnerability.

Because AppScan is automated, it facilitates security testing during all phases of the software
development life cycle. It can be used by developers, security teams, QA, or auditors to help
discover potential vulnerabilities in a web application.

The AppScan reporting engine can deliver its findings through a variety of reports, including
industry standard reports, government or industry compliance reports, or data export for use by
third-party systems.

Scanning analysis techniques


Two common automatic analysis techniques exist
• Dynamic analysis
! Commonly known as black-box testing
! Operates on the compiled, published application
! Sends HTTP-embedded attacks
! Reads responses for evidence of success
• Static analysis
! Commonly known as white-box testing
! Operates on source code
! Uses taint flow and pattern analysis to find vulnerabilities

Security testing is commonly divided into two classes: black-box and white-box testing. Black-box
testing requires no access to the source code. Inputs containing attacks are sent to the application,
and the output is analyzed. If the output shows evidence of the attack succeeding, the application is
deemed vulnerable.
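The response-analysis half of black-box testing, as an added example that is not AppScan code: a probe carries an inert marker value, and each response is labelled by the evidence it shows. It also fingerprints the site's custom error page, because an error page served with HTTP 200 would otherwise look like a real page and produce false positives. The marker value, the responses and the error page are all constructed inline.

```python
"""Toy black-box evidence check for one probe/response pair.

Added example, not AppScan code. The marker value, the responses and the site's
custom error page are all constructed inline."""
import html
import re

# Inert marker sent as a parameter value; the angle brackets let the check tell
# an output-encoded reflection from an unencoded one (constructed, not a real test).
CANARY = "zq9<Canary>7"


def page_signature(body):
    """Visible text of an HTML page, tags stripped and whitespace collapsed.

    Used to recognise the site's custom error page even when it is served
    with HTTP 200 instead of 404; otherwise it would look like a real page."""
    text = re.sub(r"<[^>]+>", " ", body)
    return " ".join(text.split()).lower()


def classify_response(status, body, error_signature=None, canary=CANARY):
    """Label the evidence in one response to a request that carried `canary`."""
    if error_signature and page_signature(body) == error_signature:
        return "custom-error-page"      # not a real page: ignore for reflection
    if status >= 500:
        return "server-error"           # the probe caused an unhandled failure
    if canary in body:
        return "reflected-unencoded"    # input echoed into HTML verbatim
    if html.escape(canary) in body:
        return "reflected-encoded"      # echoed, but output-encoded
    return "no-evidence"


def scan(responses, error_page):
    """Classify every (status, body) pair against the site's error-page signature."""
    signature = page_signature(error_page)
    return {name: classify_response(status, body, signature)
            for name, (status, body) in responses.items()}


# Constructed site: the custom error page is served with HTTP 200.
ERROR_PAGE = "<html><body><h1>Oops!</h1><p>Page   not found.</p></body></html>"
RESPONSES = {
    "search": (200, f"<html><body>Results for {CANARY}</body></html>"),
    "profile": (200, f"<html><body>Hello {html.escape(CANARY)}</body></html>"),
    "missing": (200, "<html><body><h1>Oops!</h1><p>Page not found.</p></body></html>"),
}

if __name__ == "__main__":
    for name, label in scan(RESPONSES, ERROR_PAGE).items():
        print(f"{name}: {label}")
```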

White-box testing, on the other hand, analyzes source code to find vulnerabilities. It tracks data flow
through the application, and if data enters and exits the program without being sanitized, this type
of test deems that input vulnerable.

Advanced application security testing techniques

Static analysis
- Analyze source code
- Use during development
- Use taint analysis and pattern matching

Dynamic analysis
- Analyze running web application
- Use during testing
- Use HTTP tampering

Hybrid analysis
- Correlate dynamic and static results
- Help remediate by identifying line of code

No single automated analysis technique can find all possible vulnerabilities. Each technique has its
own strengths and blind spots, which is why a single-point tool can leave you exposed. To find the
most vulnerabilities, you have to employ all the analysis techniques available today.

Static analysis examines the source code for potential vulnerabilities. It can be used earlier in the
development cycle because you do not need a running application. However, static analysis tends
to produce a large volume of results, which can overwhelm development teams. Also, developers
might question whether an identified vulnerability is exploitable (that is, the issue might be
mitigated elsewhere in the code, so it might not manifest itself as a true vulnerability).

Dynamic analysis tests a running application by probing it the same way a hacker does. With
dynamic analysis results, it is easier to connect the vulnerability to a potential exploit. Dynamic
analysis relies on the ability to automatically traverse an application and test every possible input.
Because it requires a running application, it typically is not used until the application is ready for
functional testing, later in the development cycle.

Hybrid analysis brings together dynamic and static analysis to correlate and verify the results.
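The taint tracking described above for white-box testing, and the correlation step that hybrid analysis adds on top of it, as an added example that is not IBM or AppScan code: a toy forward taint pass over a hand-written three-address IR, followed by matching each dynamic finding (URL and parameter) to a static source-to-sink path so that the sink's line of code is reported. The IR format, the two handlers, the sink and sanitizer names and the dynamic findings are all constructed for illustration.

```python
"""Toy hybrid analysis: static taint tracking correlated with dynamic findings.
Added example, not IBM/AppScan code. The tiny IR, the two handlers and the
dynamic findings below are constructed for illustration."""

def static_taint(ir):
    """Forward taint pass over one request handler's IR.
    ir is a list of (line, op, dst, *args) tuples with these ops:
      source   dst param   dst now carries request parameter `param`
      assign   dst src     copy; taint flows on
      concat   dst a b     concatenation; taint of either operand flows on
      sanitize dst src     output encoding; taint is cleared
      sink     name arg    dangerous call; reported if arg is tainted
    Each finding records the parameter, the sink, its line and the source-to-sink line path."""
    taint = {}      # variable -> {param: (line, line, ...)}
    findings = []
    for line, op, dst, *args in ir:
        if op == "source":
            taint[dst] = {args[0]: (line,)}
        elif op in ("assign", "concat"):
            merged = {}
            for a in args:                  # string literals are never in `taint`
                for param, path in taint.get(a, {}).items():
                    merged.setdefault(param, path + (line,))
            taint[dst] = merged
        elif op == "sanitize":
            taint[dst] = {}
        elif op == "sink":
            for param, path in taint.get(args[0], {}).items():
                findings.append({"param": param, "sink": dst,
                                 "line": line, "path": path + (line,)})
    return findings

def correlate(handlers, dynamic_findings):
    """Hybrid step: match each dynamic finding (url, param) to static taint paths.
    confirmed: dynamic hit with a static path, so the sink's line of code is known.
    dynamic_only: no static path (candidate false positive, or a flow the IR does not model).
    static_only: not reproduced dynamically (perhaps mitigated elsewhere in the code)."""
    static = {url: static_taint(ir) for url, ir in handlers.items()}
    matched, confirmed, dynamic_only = set(), [], []
    for d in dynamic_findings:
        hits = [s for s in static.get(d["url"], []) if s["param"] == d["param"]]
        for s in hits:
            matched.add((d["url"], s["line"]))
            confirmed.append({**d, "sink": s["sink"], "line": s["line"], "path": s["path"]})
        if not hits:
            dynamic_only.append(d)
    static_only = [{"url": url, **s} for url, fs in static.items() for s in fs
                   if (url, s["line"]) not in matched]
    return {"confirmed": confirmed, "dynamic_only": dynamic_only, "static_only": static_only}

# Constructed handlers: quoted args are string literals, bare ones are variables.
HANDLERS = {
    "/search": [
        (10, "source", "q", "q"),                                  # q = request param "q"
        (11, "concat", "msg", "'Results for '", "q"),
        (12, "sink", "write_html", "msg"),                         # unencoded -> XSS
    ],
    "/profile": [
        (20, "source", "name", "name"),
        (21, "sanitize", "safe", "name"),                          # html_escape(name)
        (22, "sink", "write_html", "safe"),                        # clean
        (23, "source", "uid", "uid"),
        (24, "concat", "sql", "'SELECT * FROM users WHERE id='", "uid"),
        (25, "sink", "db_query", "sql"),                           # unparameterised -> SQL injection
    ],
}

# Constructed dynamic (black-box) results: one confirmed hit, one unconfirmed.
DYNAMIC_FINDINGS = [
    {"url": "/search", "param": "q", "issue": "Cross-site scripting"},
    {"url": "/profile", "param": "name", "issue": "Cross-site scripting"},
]

if __name__ == "__main__":
    for bucket, items in correlate(HANDLERS, DYNAMIC_FINDINGS).items():
        print(bucket, *items, sep="\n   ")
```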

Security AppScan product family


[Diagram: the Security AppScan product family. Labels recovered from the figure:]
• AppScan Enterprise Server: web user interface, central repository, user management, configuration and operation, test policy management; components shown are user administration, authentication, enterprise reporting, the Jazz repository, and the AppScan Enterprise database
• AppScan Standard (desktop client): connected to the Enterprise Server by links labeled Authentication, User management, and DAST results
• AppScan Source: automation server, IDE plug-ins, security analyst clients, and dynamic analysis scanners; connected to the Enterprise Server by a link labeled SAST results

Security AppScan Enterprise Server


• Is a centralized platform for managing application security and risk for multiple applications
• Drives collaboration between security, development, and testing teams to remediate
vulnerabilities and reduce risk
• Provides an Enterprise-wide view of application security and compliance risk with more than 40
report templates for measuring compliance, trending, and key performance indicators
• Correlates and triages security testing results from dynamic (black-box) and static (white-box)
scans

Security AppScan Source


• Performs source code analysis to identify the latest security threats with static (white-box)
analysis
• Facilitates quick analysis and provides recommended corrections in the IDE
• Automates security testing in build environments
• Uses static analysis for quality and non-security defects to improve overall code quality and
predictability by identifying and resolving potential coding errors early in the software
development lifecycle

Security AppScan Standard
• Is a desktop application for security analysts and penetration testers
• Provides advanced security testing that is based primarily on dynamic (black-box) analysis, but
also includes static analysis for client-side JavaScript
• Offers glass-box testing with runtime analysis that applies an internal agent to monitor
application behavior during a dynamic test, providing more accurate test results and identifying
specific lines of code
• Offers coverage of the latest rich-Internet applications and web technologies (web services,
SOAP, Adobe Flash, Ajax, and more)

AppScan Standard workflow


Configure
• Scope and limitations
• Login sequence
• Form filler
• Application definition
• Custom parameters
• Glass box agent
• Scan expert

Explore
• Application crawling
• Structure mapping
• Pretest probing
• Analysis
• Manual explore

Test
• Automatic testing
• Issue validation
• Manual test

Report
• Results review
• Interactive report
• Remediation report
• Printed report
• Export to defect tracking systems

The first step in using AppScan Standard is to configure the scan. Because every website is different,
tailoring the scan configuration to the website in question is a very important step. Once configured,
AppScan explores the site using either a manual, user-driven exploration or an automatic spider. The
spider builds a site model that AppScan uses to create a list of tests. These tests are then sent over
HTTP, and the responses are analyzed for evidence that the tests succeeded. Finally, AppScan can
export the results in a variety of human- and machine-readable report formats.

AppScan Standard features


• Automatic crawling and session management
• JavaScript and Ajax crawling
• Adobe Flash and Flex crawling
• Support for multiple-step workflows
• Glass-box assisted crawling
• Manual exploration for complex site crawling
• Session and communication monitoring
• Customizable crawler that supports content-based view of the application
• Customizable error pages for better vulnerability accuracy
• Data is easily shared as reports or as machine-readable data

AppScan Standard has several features to ensure quality results. This course touches on each of
these features.

AppScan Standard and Web 2.0


Table: how AppScan Standard handles JavaScript and Ajax versus Adobe Flash and Flex

Static links
• JavaScript and Ajax: Static link extraction
• Adobe Flash and Flex: Static link extraction

Dynamic links
• JavaScript and Ajax: JavaScript simulates user interaction
• Adobe Flash and Flex: Adobe Flash simulates user interaction (AS 2.0/3.0 Flash and Flex)

Security testing
• JavaScript and Ajax: JavaScript Security Analyzer is a hybrid analysis for detecting client-side issues; it supports HTML5
• Adobe Flash and Flex: Adobe Flash simulates user interaction (AS 2.0/3.0 Flash and Flex)

Framework support
• JavaScript and Ajax: Ajax and JavaScript frameworks, such as Dojo and ICEfaces
• Adobe Flash and Flex: Adobe Flash and Flex applications

Special handling
• JavaScript and Ajax: Support for analysis and testing of JSON messages
• Adobe Flash and Flex: Support for analysis and testing of Adobe Action Message Format (AMF)

Rich Internet Applications (RIA), Web 2.0, and Ajax applications rely heavily on JavaScript and
Adobe Flash technologies. Adobe Action Message Format (AMF) is a binary protocol that is used
mostly in Adobe Flex applications.

AppScan Standard testing capabilities


• The AppScan test library covers all Web Application Security Consortium threat classes
• Mimics how a smart hacker would tamper with parameters
• Test database is constantly updated with new tests
• Can test for privilege escalation vulnerabilities
• Has specific tests for JavaScript and Flash
• Can test SOAP, WSDL, and other web service technologies

WASC is the Web Application Security Consortium: http://www.webappsec.org/.

WASC is an organization whose goal is to standardize discussions about web application security
and provide a central resource for security experts.

Web services
• AppScan is able to scan web services
! Web services are the machine-readable equivalent of websites
! They use the HTTP protocol to exchange messages between clients and servers
• AppScan has built-in support for common web service languages
• The built-in Generic Service Client (GSC) tool allows for exploration of web services

Web services information: https://en.wikipedia.org/wiki/Web_Services_Description_Language.

Reporting capabilities and integrations


• Reports
! Security
! Industry standards
! Regulatory compliance
! Delta analysis
• Export to XML
! AppScan Enterprise
! Bugzilla
! Visual Studio
! Custom software integration

Extensibility
• Use .NET SDK for simple integrations
! Incorporate security testing into your environment
! Expose the Security AppScan Standard capabilities to developers
• Use Command Line Interface (CLI) for integrations with build and automation systems
! Integrate Security AppScan Standard into nongraphical environments
! Run scans, generate reports, and log defects
• Extend with Security AppScan Extensions
! Augment the product and adapt it to your own process
! Add capabilities from email alerts to complex integrations with tools
• Use PyScan as a penetration testing framework
! Use a platform for extending security testing
! Customize a scan for a specific audit

Lesson 2 AppScan Standard user interface

Lesson: AppScan Standard user interface

In this lesson, you learn the basics about the AppScan Standard user interface.

User interface

[Screenshot of the AppScan Standard window with these regions labeled: Toolbar, View selector, Application tree, Results tree, Detail pane, Status bar]

Application tree and Results tree


• Application tree shows the pages AppScan has found
! Shows a directory tree structure
! Tree can be expanded or shrunk using the + or - buttons
! Excluded pages and directories show a red X through them
• Results tree shows the vulnerabilities that AppScan found during the scan
! Groups by vulnerability type, then page, then parameter
! Adjusts displayed vulnerabilities by what is selected in the application tree
− Only vulnerabilities in the selected item or below are shown

Detail pane
The pane shows details about the selected vulnerability
• Issue information tab
! Summary of information that is available on other tabs
! Can show additional information added by the results expert
• Advisory
! Technical details on the selected issue with reference links
! Description of what to fix and reason for fixing it
• Fix Recommendation
! Tasks to make your web application secure
! Step-by-step instructions
• Request/Response
! Information about the tests and their specific variants
! Allows for deep investigation into the vulnerability

Toolbar, status bar, and view selector


• Toolbar
! Buttons for the most common AppScan features
• Status bar
! Shows information about the current session
• View selector
! Selects between three views
! Issues view shows the list of vulnerabilities
! Data view shows an in-depth look at data found during the scan
− Pages found
− Pages filtered
− Broken links
! Tasks view shows remediation tasks to correct the discovered vulnerabilities

Reports
AppScan can create several types of reports
• Security report
! Configurable report showing security details
! Able to configure the amount of detail in the report
! Several report templates available
• Industry standard and regulatory compliance reports
! Prepares reports that show whether any vulnerabilities could cause noncompliance with laws or regulations
• Delta analysis reports
! Compares two scans and shows the differences between them
• Template-based reports
! Allows you to create report templates in Microsoft Word

The AppScan reporting engine allows you to create a wide variety of reports. AppScan allows you
to configure the level of detail and what content to include.

Lesson 3 AppScan in the SDLC

Lesson: AppScan in the SDLC

In this lesson, you learn about where AppScan fits inside the software development life cycle.

Security AppScan Standard in the SDLC


The typical mandates of the security and development teams result in a disconnect with security
vulnerabilities in production systems

Developers lack security insights
! Focus is on time and budget rather than security
! Developers require additional skills in secure code practices
! Product innovation drives development of complex applications

Security team is an SDLC bottleneck
! Thousands of applications
− In-production applications
− Shadow applications
− Under-production applications
− Planned applications
! Small security staff

Most enterprises scan less than 10% of all applications

[Diagram: SDLC stages Coding, Build, QA, Security, Production]

Challenge to share test results and enable self-testing in the SDLC


To combat the growing threat of web application breaches, it is important to address three key
areas of your business: your people, your processes, and your technology. It is imperative that the
people that develop and deploy your web applications, whether they are staff members or external
contractors, understand the fundamentals of secure design principles and security threats.

In the past, security was viewed as an IT problem, not a development problem. But security experts
realized that security starts at the code level. Therefore, it is important to provide your developers
with the training they need to stay on top of changing security threats and learn about existing and
emerging methods for mitigating them.

Security checking early and often


• AppScan allows for automatic security testing
• Developers, QA engineers, and others can perform security testing
• You can find and fix vulnerabilities early
• With AppScan, it costs less to fix vulnerabilities early in SDLC

As almost anyone who ever developed software can tell you, it is both easier and significantly
cheaper to get it right the first time. That approach is why integrating web application security
testing into the software development life cycle from the start is essential for establishing good risk
management.

While it is important to have a dedicated and knowledgeable security assessment team perform a
final review, it is equally important to integrate security into the early stages of application
development to focus on security issues as they appear. By approaching the issues proactively, you
save time and reduce your development costs.

It is also important to document and evaluate the results of these initiatives. Metrics to examine
include key components such as threats, vulnerabilities, remediation tasks, and criticality.
Documenting these measurements helps you establish baselines and further aids your security
efforts over time.

Without such an evaluation, it is impossible to determine whether adequate protection was
implemented to mitigate your potential security risks.

There are a number of ways to implement proper security protocols in your web-based
applications. Although effective, manual penetration testing alone can be time consuming, labor
intensive, and costly.

Supplementing manual testing procedures with automated web application security tools helps you
gain a consistent, reliable, and scalable analysis of your web application security vulnerabilities
even across large, diverse IT environments. Such tools help drive down testing costs by automating
many manual tasks.

Unit summary
• Diagram the interactions between these applications
! AppScan Standard
! AppScan Enterprise
! AppScan Source
• Describe AppScan Standard and its uses
• Summarize how AppScan fits in the SDLC
