IBM AppScan Source
The SAST solution
Thuc X.Vu <thuc@labsofthings.com>
Researcher, founder of IoT and Data processing Labs
Vietsoftware International Inc.
Website: http://labsofthings.com/
IBM AppScan Solution2 Vietsoftware International Inc.
Agenda
• Understanding what AppScan Source is
• AppScan Source components
• Deployment models
• Features and Tooling
• Workflow
• DEMO
Understanding what AppScan Source is
• AppScan Source is a static application security testing (SAST) solution.
• Scans application source code for security vulnerabilities: SQL injection, command injection, cross-site scripting, buffer overflow.
• These vulnerabilities are exploitable weaknesses in code that lead to:
1. Loss of reputation
2. Loss of money
3. A breach or an exposure of sensitive information
4. Business noncompliance
• AppScan Source enables organizations to proactively identify and mitigate security risk.
AppScan Source components
Source for Analysis, Source for Development, Source for Remediation, Source for Automation
1. AppScan Source for Automation
- Allows build teams to execute scans at build time
- Command line tooling and build tools allow for ease of automation
- Assessment publishing and reporting directly from automation
AppScan Source components (Cont.)
2. AppScan Source for Development
- Allows developers to perform security scans
- Plugins supplied for IDEs
- Remediate vulnerabilities
3. AppScan Source for Analysis
- Allows security analysts to configure applications for SAST scanning and to optimize the scan configuration to focus on vulnerable source code
- Analyze, isolate, and take action on priority vulnerabilities.
- Provides security analysts, QA managers, and development managers with fast time-to-results.
AppScan Source components (Cont.)
AppScan Source Database
• An out-of-the-box database that persists the AppScan Source Security Knowledgebase data, assessment data, and application/project inventory.
AppScan Source command line interface (CLI) client
• Provides command line access to various AppScan Source functions to enable integration, automation, and scripting.
• Plugins for Make, Ant, and Maven allow the configuration process to be automated.
AppScan Source Edition Products vs Roles
Standard desktop deployment
Standard desktop deployment (Cont.)
• Used in a small organization, for a security analyst/auditor who performs security assessments
• No defect tracking system integration or build integration
• Uses the AppScan Source administrative account, with no LDAP Directory Server integration
Small workgroup deployment
Small workgroup deployment (Cont.)
• Used in small to moderate-sized organizations
• Dedicated roles: Administrator, Manager, Security Analyst, Developer
• Build automation server integration
Enterprise workgroup deployment
Enterprise workgroup deployment (Cont.)
• Integrates with a defect tracking system
• Authentication with LDAP integration
AppScan Source Features and Tooling
• Configuration perspective:
- Import existing applications from IDEs
- Configure AppScan Source applications and projects
- Scan code
- Create and manage applications, projects, and attributes
• Triage perspective:
- View scan results to prioritize the remediation workflow
- Organize findings
- Filter findings
- Promote, demote, and dispatch findings for remediation
• Analysis perspective:
- Drill down to individual findings
- Track data flow visually through the source code (trace)
- Access contextual remediation assistance
- Generate reports
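The "trace" view above reports a data flow from an untrusted source to a dangerous sink. As an added illustration (not AppScan Source code or its Security Knowledgebase rules), the following Python model tracks a request parameter into a SQL sink and a parameterised call past it; the SOURCES and SINKS names are assumptions and SAMPLE is a constructed program.

```python
import ast

# Hypothetical rule set (an assumption, not AppScan Source's Knowledgebase):
# where untrusted data enters the program and where it must never reach.
SOURCES = {"request.args.get", "request.form.get", "input"}
SINKS = {"cursor.execute": "SQL injection", "os.system": "Command injection"}

def _name(node):
    """Dotted name of a call target, e.g. 'request.args.get'."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = _name(node.value)
        return f"{base}.{node.attr}" if base else None
    return None

def _tainted(expr, taint):
    """True if the expression carries data derived from a source."""
    if isinstance(expr, ast.Call):
        if _name(expr.func) in SOURCES:
            return True
        # str.format(...) and method calls on tainted data propagate taint.
        return any(_tainted(a, taint) for a in expr.args) or (
            isinstance(expr.func, ast.Attribute) and _tainted(expr.func.value, taint))
    if isinstance(expr, ast.Name):
        return expr.id in taint
    if isinstance(expr, ast.BinOp):  # string concatenation / % formatting
        return _tainted(expr.left, taint) or _tainted(expr.right, taint)
    return False

def find_flows(source_code):
    """Return [(line, vulnerability, sink)] for each sink whose first argument is
    tainted. Taint is tracked per function over its top-level statements; a
    parameterised query passes a constant to the sink, so it is not reported."""
    findings = []
    for func in ast.walk(ast.parse(source_code)):
        if not isinstance(func, ast.FunctionDef):
            continue
        taint = set()  # variables holding untrusted data, in program order
        for stmt in func.body:
            if isinstance(stmt, ast.Assign) and _tainted(stmt.value, taint):
                taint.update(t.id for t in stmt.targets if isinstance(t, ast.Name))
            for call in (n for n in ast.walk(stmt) if isinstance(n, ast.Call)):
                kind = SINKS.get(_name(call.func))
                if kind and call.args and _tainted(call.args[0], taint):
                    findings.append((call.lineno, kind, _name(call.func)))
    return findings

# Constructed sample program: one injectable query, one parameterised query.
SAMPLE = '''def lookup(request, cursor):
    name = request.args.get("name")
    query = "SELECT * FROM users WHERE name = '" + name + "'"
    cursor.execute(query)
def lookup_safe(request, cursor):
    name = request.args.get("name")
    cursor.execute("SELECT * FROM users WHERE name = %s", (name,))
'''
```

Running `find_flows(SAMPLE)` reports only the concatenated query on line 4, which is the source-to-sink trace a triage analyst would drill into.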
Continuous Improvement Environment
[Figure: cycle diagram of the Continuous Improvement Environment. Stages shown: CONFIGURE, SCAN, TRIAGE, ASSIGN, REMEDIATE, REPORT, with "High-confidence findings" flowing between them. Product labels on the stages: AppScan Source for Analysis; AppScan Source for Analysis / for Development / for Automation; AppScan Source for Remediation / for Development; AppScan Enterprise.]
Security Analyst Workflow
Security Professionals using AppScan Source for Security:
Total time: 2-3 weeks / application
• Applications are scanned once per year or less
• Minimal carry-over for subsequent scans
Developer Workflow
Any developer using AppScan Source for Development:
Total Time: ½ - 1 day
• Developers cannot develop while scanning (can take hours)
• Developers are not security experts
• Scan workflow interrupts agile workflows
Magic Quadrant for Application Security Testing
Neil MacDonald, Joseph Feiman
July 2, 2013
Gartner has recognized IBM as a leader in the Magic Quadrant for Application Security Testing (AST).
"The market for application security testing is changing rapidly. Technology trends, such as mobile applications, advanced Web applications and dynamic languages, are forcing the need to combine dynamic and static testing capabilities, which is reshaping the overall market."
This Magic Quadrant graphic was published by Gartner, Inc. as part of a larger research note and should be evaluated in the context of the entire report. The link to the Gartner report is available upon request from IBM.
Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
Additional Information
• Documents
- EMA Impact Brief - IBM Security AppScan 8.7 Adds Support for iOS Mobile Apps: https://www14.software.ibm.com/webapp/iwm/web/signup.do?source=swg-WW_Security_Organic&S_PKG=ov14494&S_TACT=102PW29W
- AppScan Source Data Sheet: http://public.dhe.ibm.com/common/ssi/ecm/en/rad14105usen/RAD14105USEN.PDF
- AppScan Standard Data Sheet: http://public.dhe.ibm.com/common/ssi/ecm/en/rad14019usen/RAD14019USEN.PDF
- AppScan Enterprise Data Sheet: ftp://public.dhe.ibm.com/common/ssi/ecm/en/rad14113usen/RAD14113USEN.PDF
• Posts
- 2013 Gartner Application Security Testing MQ and the Evolution of Software Security: http://securityintelligence.com/2013-gartner-application-security-testing-mq-and-the-evolution-of-software-security/
- Gartner Publishes 2013 Magic Quadrant for Application Security Testing (AST): http://securityintelligence.com/gartner-magic-quadrant-for-application-security-testing-2013/
• Podcasts
- 2013 Gartner Magic Quadrant for Application Security Testing: http://www.blogtalkradio.com/calebbarlow/2013/07/25/2013-gartner-magic-quadrant-for-application-security-testing
- Application + Threat + Security intelligence = Priceless: http://www.blogtalkradio.com/calebbarlow/2012/08/13/threat-application-security-intelligence-priceless
- Taking Application Security from the Whiteboard to Reality: http://www.blogtalkradio.com/calebbarlow/2012/06/11/taking-application-security-from-the-whiteboard-to-reality
Videos
Overview of IBM Security AppScan
http://www.youtube.com/watch?v=9R4IjZpKt8I
How College Board is Building Security into Application Development
http://www.youtube.com/watch?v=TtqhlcTnbg8
Building Better, More Secure Applications
http://www.youtube.com/watch?v=UcN2uUolgKk
Using Application Security Testing to Increase Deployment Speed
http://www.youtube.com/watch?v=VImy3ilYUSk
IBM Security AppScan 8.7 for iOS mobile application support
http://www.youtube.com/watch?v=I73tbAmJIGw
IBM Security AppScan 8.7 for iOS Applications
http://www.youtube.com/watch?v=egnEH-GGQEI
IBM Security AppScan: Analysis Perspective
http://www.youtube.com/watch?v=UZD53ZgV848
Credits
• Implemented IBM AppScan for customers in Vietnam: Vietcombank; VietinBank; Vietnam Customs
• Some presentations on Enterprise Mobile Solution, IoT, Security, and payment at http://www.slideshare.net/papaiking/
Smarter security for a smarter planet