This unit gives an overview of AppScan® Standard. You learn about what AppScan Standard is,
why you might want to use it, and where it fits in the software development life cycle.
References:
• Web Application Security Consortium: http://www.webappsec.org/
• Web services: https://en.wikipedia.org/wiki/Web_Services_Description_Language
Unit objectives
• Diagram the interactions between these applications
  – AppScan Standard
  – AppScan Enterprise
  – AppScan Source
• Describe AppScan Standard and its uses
• Summarize how AppScan fits in the SDLC
Lesson 1 What is AppScan?
AppScan overview
• AppScan is a web application security testing tool
  – Automates web application security testing
  – Copies websites to build a site model
  – Sends attacks over HTTP
  – Analyzes responses for evidence of vulnerability
• Facilitates security checks during all phases of the software development life cycle
• Can be deployed by developers, QA, security teams, or auditors
• Supports governance, reporting, and dashboards
AppScan is a tool that automates web application security testing. It works by building a site model
by following links on the site until it is fully explored. Using the data gathered, it creates a list of
attacks and sends them over HTTP. Finally, it analyzes the responses it receives for evidence that an
attack succeeded, which indicates a vulnerability.
Because AppScan is automated, it facilitates security testing during all phases of the software
development life cycle. It can be used by developers, security teams, QA, or auditors to help
discover potential vulnerabilities in a web application.
The AppScan reporting engine can deliver its findings through a variety of reports, including
industry standard reports, government or industry compliance reports, or data export for use by
third-party systems.
Security testing is commonly divided into two classes: black-box and white-box testing. Black-box
testing requires no access to the source code. Inputs containing attacks are sent to the application,
and the output is analyzed. If the output shows evidence of the attack succeeding, the application is
deemed vulnerable.
White-box testing, on the other hand, analyzes source code to find vulnerabilities. It tracks data flow
through the application, and if data enters and exits the program without being sanitized, this type
of test deems that input vulnerable.
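As an added illustration of the white-box approach just described (not code from AppScan Source or IBM), the toy analyzer below tracks taint through a tiny three-address program and flags any sink that receives source data that was never sanitized; the statement format and both sample programs are constructed for this example.

```python
"""Toy white-box (static) taint analysis: data that enters from an untrusted
source and reaches a sink without passing a sanitizer is reported."""

# Each statement is (op, target, args). Ops (constructed for this example):
#   source   - target receives untrusted input (request parameter, header, ...)
#   assign   - target is built from args; taint propagates if any arg is tainted
#   sanitize - target is a cleaned copy of args[0]
#   sink     - target names a dangerous use (SQL query, HTML write, ...) of args
Stmt = tuple[str, str, list[str]]


def analyze(program: list[Stmt]) -> list[str]:
    """Return the names of sinks reachable by unsanitized tainted data."""
    tainted: set[str] = set()
    findings: list[str] = []
    for op, target, args in program:
        if op == "source":
            tainted.add(target)            # data enters the program
        elif op == "assign":
            if any(a in tainted for a in args):
                tainted.add(target)        # taint flows through copies/concatenation
            else:
                tainted.discard(target)    # overwritten with clean data
        elif op == "sanitize":
            tainted.discard(target)        # cleaned value is considered safe
        elif op == "sink":
            if any(a in tainted for a in args):
                findings.append(target)    # tainted data exits unsanitized
    return findings


# Constructed sample programs: the same query built with and without sanitizing.
VULNERABLE: list[Stmt] = [
    ("source", "user", ["request.param('user')"]),
    ("assign", "query", ["'SELECT * FROM t WHERE u='", "user"]),
    ("sink", "db.execute", ["query"]),
]
FIXED: list[Stmt] = [
    ("source", "user", ["request.param('user')"]),
    ("sanitize", "safe_user", ["user"]),
    ("assign", "query", ["'SELECT * FROM t WHERE u='", "safe_user"]),
    ("sink", "db.execute", ["query"]),
]

if __name__ == "__main__":
    print(analyze(VULNERABLE))  # ['db.execute']
    print(analyze(FIXED))       # []
```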
Static analysis
- Analyze source code
- Use during development
- Use taint analysis and pattern matching

Dynamic analysis
- Analyze running web application
- Use during testing
- Use HTTP tampering

Hybrid analysis
- Correlate dynamic and static results
- Help remediate by identifying line of code
No single automated analysis technique can find all possible vulnerabilities. Each technique has its
own strengths and blind spots, which is why a single-point tool can leave you exposed. To find the
most vulnerabilities, you have to employ all the analysis techniques available today.
Static analysis examines the source code for potential vulnerabilities. Static analysis can be used
earlier in the development cycle because you do not need a running application. However, static
analysis tends to produce a large volume of results, which can overwhelm development teams.
Also, developers might question whether an identified vulnerability is exploitable (that is, the issue
might be mitigated somewhere else in the code, so it might not manifest itself as a true vulnerability).
Dynamic analysis tests a running application, by probing it the same way a hacker does. With
dynamic analysis results, it is easier to connect the vulnerability and a potential exploit. Dynamic
analysis relies on an ability to automatically traverse an application and test every possible input.
Because dynamic analysis requires a running application, it typically is not used until an application
is ready for functional testing later in the development cycle.
Hybrid analysis brings together dynamic and static analysis to correlate and verify the results.
Security AppScan Standard
• Is a desktop application for security analysts and penetration testers
• Provides advanced security testing that is based primarily on dynamic (black-box) analysis, but
also includes static analysis for client-side JavaScript
• Offers glass-box testing with runtime analysis that applies an internal agent to monitor
application behavior during a dynamic test, providing more accurate test results and identifying
specific lines of code
• Offers coverage of the latest rich-Internet applications and web technologies (web services,
SOAP, Adobe Flash, Ajax, and more)
Configure
• Scope and limitations
• Login sequence
• Form filler
• Application definition
• Custom parameters
• Glass box agent
• Scan expert

Explore
• Application crawling
• Structure mapping
• Pretest probing
• Analysis
• Manual explore

Test
• Automatic testing
• Issue validation
• Manual test

Report
• Results review
• Interactive report
• Remediation report
• Printed report
• Export to defect tracking systems
The first step in using AppScan Standard is to configure the scan. As every website is different,
configuring the scan to the website in question is a very important step. Once configured, AppScan
explores the site using either a manual, user-driven exploration or an automatic spider. The
automatic spider builds a site model that AppScan uses to create a list of tests. These tests are
then sent over HTTP, and the responses are analyzed for evidence that they were successful.
Finally, AppScan can export the results in a variety of human- and machine-readable report
formats.
AppScan Standard has several features to ensure quality results. This course touches on each of
these features.
Dynamic links
• JavaScript: simulates user interaction
• Adobe Flash: simulates user interaction (AS 2.0/3.0 Flash and Flex)

Security testing
• JavaScript: JavaScript Security Analyzer is a hybrid analysis for detecting client-side issues; it supports HTML5
• Adobe Flash: simulates user interaction (AS 2.0/3.0 Flash and Flex)

Framework support
• JavaScript: Ajax and JavaScript frameworks, such as Dojo and ICEfaces
• Adobe Flash: Adobe Flash and Flex applications

Special handling
• JavaScript: Support for analysis and testing of JSON messages
• Adobe Flash: Support for analysis and testing of Adobe Action Message Format (AMF)
Rich Internet Applications (RIA), Web 2.0, and Ajax applications rely heavily on JavaScript and
Adobe Flash technologies. Adobe Action Message Format (AMF) is a binary protocol that is used
mostly in Adobe Flex applications.
WASC is an organization whose goal is to standardize discussions about web application security
and provide a central resource for security experts.
Web services
• AppScan is able to scan web services
  – Web services are the machine-readable equivalent of websites
  – They use the HTTP protocol to exchange messages between clients and servers
• AppScan has built-in support for common web service languages
• The built-in GSC tool allows for exploration of web services
Extensibility
• Use .NET SDK for simple integrations
  – Incorporate security testing into your environment
  – Expose the Security AppScan Standard capabilities to developers
• Use Command Line Interface (CLI) for integrations with build and automation systems
  – Integrate Security AppScan Standard into nongraphical environments
  – Run scans, generate reports, and log defects
• Extend with Security AppScan Extensions
  – Augment the product and adapt it to your own process
  – Add capabilities from email alerts to complex integrations with tools
• Use PyScan as a penetration testing framework
  – Use a platform for extending security testing
  – Customize a scan for a specific audit
Lesson 2 AppScan Standard user interface
In this lesson, you learn the basics about the AppScan Standard user interface.
User interface
[Figure: annotated screenshot of the AppScan Standard user interface; the only recoverable label is "Status Bar"]
AppScan Standard overview © Copyright IBM Corporation 2015
Detail pane
The Detail pane shows details about the selected vulnerability
• Issue information tab
  – Summary of information that is available on other tabs
  – Can show additional information added by the results expert
• Advisory
  – Technical details on the selected issue with reference links
  – Description of what to fix and the reason for fixing it
• Fix Recommendation
  – Tasks to make your web application secure
  – Step-by-step instructions
• Request/Response
  – Information about the tests and their specific variants
  – Allows for deep investigation into the vulnerability
Reports
AppScan can create several types of reports
• Security report
  – Configurable report showing security details
  – Able to configure the amount of detail in the report
  – Several report templates available
• Industry standard and regulatory compliance reports
  – Prepares reports that show whether any vulnerabilities could cause noncompliance with laws or regulations
• Delta analysis reports
  – Compares two scans and shows differences between them
• Template-based reports
  – Allows you to create report templates in Microsoft Word
The AppScan reporting engine allows you to create a wide variety of reports. AppScan allows you
to configure the level of detail and what content to include.
Lesson 3 AppScan in the SDLC
In this lesson, you learn about where AppScan fits inside the software development life cycle.
To combat the growing threat of web application breaches, it is important to address three key
areas of your business: your people, your processes, and your technology. It is imperative that the
people who develop and deploy your web applications, whether they are staff members or external
contractors, understand the fundamentals of secure design principles and security threats.
In the past, security was viewed as an IT problem, not a development problem. But security experts
realized that security starts at the code level. Therefore, it is important to provide your developers
with the training they need to stay on top of changing security threats and learn about existing and
emerging methods for mitigating them.
As almost anyone who has ever developed software can tell you, it is both easier and significantly
cheaper to get it right the first time. That is why integrating web application security
testing into the software development life cycle from the start is essential for establishing good risk
management.
While it is important to have a dedicated and knowledgeable security assessment team perform a
final review, it is equally important to integrate security into the early stages of application
development to focus on security issues as they appear. By approaching the issues proactively, you
save time and reduce your development costs.
It is also important to document and evaluate the results of these initiatives. Metrics to examine
include key components such as threats, vulnerabilities, remediation tasks, and criticality.
Documenting these measurements helps you establish baselines and further aid your security
efforts over time.
There are a number of ways to implement proper security controls in your web-based
applications. Although effective, manual penetration testing alone can be time consuming, labor
intensive, and costly.
Supplementing manual testing procedures with automated web application security tools helps you
gain a consistent, reliable, and scalable analysis of your web application security vulnerabilities
even across large, diverse IT environments. Such tools help drive down testing costs by automating
many manual tasks.
Unit summary
• Diagram the interactions between these applications
  – AppScan Standard
  – AppScan Enterprise
  – AppScan Source
• Describe AppScan Standard and its uses
• Summarize how AppScan fits in the SDLC