IBM AppScan
The total security solution
Thuc X.Vu <thuc@labsofthings.com>
Researcher, founder of IoT and Data Processing Labs
Vietsoftware International Inc.
Website: http://labsofthings.com/
IBM AppScan Solution, Vietsoftware International Inc. (slide footer)
Agenda
 Introduction to security
 Best Practices for Application Security
 IBM AppScan security solution
 DEMO
Introduction to security
Info Security Landscape (figure): each layer has its own traditional control
Desktop: antivirus protection
Transport: encryption (SSL)
Network: firewalls / IDS / IPS
Web applications: web servers, application servers, databases and backend server sitting behind the firewall
Hackers Exploit Unintended Functionality to Attack Apps
(Figure: the application's actual functionality is larger than its intended functionality; the difference is the unintended functionality that attackers use.)
Example: a date field on a web form is submitted with this value:
01/01/2006 union select userid,null,username+','+password,null from users--
The application responds with the user names and passwords of other account holders. The UNION appends a second result set to the application's own four-column query (the NULL columns pad the injected SELECT to the same width), the + operator is SQL Server string concatenation, and the trailing -- comments out whatever the application appends after the injected value.
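The injection above, reproduced end to end as an added example (this is not code from the deck or from the Altoro Mutual demo site). It assumes a hypothetical transaction-history query that splices the submitted date into the statement unquoted, which is what a payload with no leading quote requires. The schema, the rows and the query are constructed for the example; because SQLite is used as the backend, the slide's `+` concatenation is written as `||`. The hardened function beside it binds the same input as a parameter.

```python
import sqlite3

# Constructed sample schema and data for this example (not the Altoro Mutual
# database): one table of account transactions and one of application users.
def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users (userid INTEGER, username TEXT, password TEXT);
        CREATE TABLE transactions (
            txn_id INTEGER, txn_date TEXT, amount REAL, memo TEXT, owner INTEGER);
        INSERT INTO users VALUES (100, 'jsmith', 'demo1234'), (101, 'admin', 's3cret');
        INSERT INTO transactions VALUES
            (1, '2006-03-15',  -42.50, 'groceries', 100),
            (2, '2006-04-01', 1200.00, 'salary',    100),
            (3, '2006-04-02', -999.00, 'rent',      101);
    """)
    return db

# The slide's payload with '||' (SQLite) in place of '+' (SQL Server).
# Four columns and the NULL padding make the UNION line up with the
# four-column SELECT below; '--' comments out anything appended after it.
PAYLOAD = "01/01/2006 union select userid,null,username||','||password,null from users--"

def history_vulnerable(db, owner, start_date):
    # Hypothetical transaction-history query. The date is spliced into the
    # statement text unquoted, so the payload is parsed as SQL.
    sql = ("SELECT txn_id, txn_date, amount, memo FROM transactions "
           f"WHERE owner = {int(owner)} AND txn_date >= {start_date}")
    return db.execute(sql).fetchall()

def history_parameterized(db, owner, start_date):
    # Hardened version: a bound parameter travels as data, so the same input
    # is merely compared as a string and never parsed as SQL.
    sql = ("SELECT txn_id, txn_date, amount, memo FROM transactions "
           "WHERE owner = ? AND txn_date >= ?")
    return db.execute(sql, (owner, start_date)).fetchall()

def leaked_credentials(rows):
    # Rows added by the UNION carry 'username,password' in the third column,
    # where legitimate rows carry the (numeric) amount.
    return sorted(r[2] for r in rows if isinstance(r[2], str))

if __name__ == "__main__":
    db = make_db()
    print(history_vulnerable(db, 100, PAYLOAD))      # other users' credentials included
    print(history_parameterized(db, 100, PAYLOAD))   # only account 100's transactions
```

The vulnerable function returns account 100's transactions plus one row per user; the parameterized function returns only the transactions, because the payload is compared as a date string rather than executed.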
The OWASP Top 10 (2007 edition)

Threat | Negative impact | Example impact
Cross-site scripting (XSS) | Identity theft, sensitive information leakage, ... | Hackers can impersonate legitimate users and control their accounts.
Injection flaws | Attacker can manipulate queries to the DB / LDAP / other systems | Hackers can access backend database information, alter it or steal it.
Malicious file execution | Execute shell commands on the server, up to full control | Site modified to transfer all interactions to the hacker.
Insecure direct object reference | Attacker can access sensitive files and resources | Web application returns the contents of a sensitive file (instead of a harmless one).
Cross-site request forgery (CSRF) | Attacker can invoke "blind" actions on web applications, impersonating a trusted user | Blind requests to a bank account transfer money to the hacker.
Information leakage and improper error handling | Attackers can gain detailed system information | Malicious system reconnaissance may assist in developing further attacks.
Broken authentication and session management | Session tokens not guarded or invalidated properly | Hacker can "force" a session token on a victim; session tokens can be stolen after logout.
Insecure cryptographic storage | Weak encryption techniques may lead to broken encryption | Confidential information (SSN, credit cards) can be decrypted by malicious users.
Insecure communications | Sensitive info sent unencrypted over an insecure channel | Unencrypted credentials "sniffed" and used by the hacker to impersonate the user.
Failure to restrict URL access | Hacker can access unauthorized resources | Hacker can forcefully browse to and access a page past the login page.
2013 Web Application Vulnerabilities Found Trend (figure)
Best Practices for Application Security
Building Security Into the Development Process
*Graphics from OWASP (owasp.org)
Define/Design: security requirements, architecture, threat modeling, etc.
Development: test apps for security issues during development, identifying issues at their earliest point; realize optimum security testing efficiencies (cost reduction)
Test: test apps for security issues in the QA organization along with performance and functional testing; reduce the cost of security testing
Deploy: test apps before going to production; deploy secure web applications
Production: test existing deployed apps; eliminate security exposure in live applications
Security Testing Within the Software Lifecycle
(Figure: several developers contribute code to each build; scanning takes place iteratively at the build level, and the results carry through the SDLC stages Coding, Build, QA, Security and Production. Axis label: Application Security Testing Maturity.)
Types of analysis methods
• Static analysis: verifies software (including finding defects) without executing it
– Source code vulnerability scanning tools, code inspections, etc.
• Dynamic analysis: verifies software (including finding defects) by executing it on specific inputs and checking the results against an "oracle" (a rule that decides whether a given response indicates a defect)
– Functional testing, web application scanners, fuzz testing, etc.
• Hybrid analysis: combines the two approaches, for example by pairing a dynamic scan with an agent inside the running application
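What "static analysis" means in practice, as an added example that is not part of the deck and not AppScan's engine: a small source-to-sink taint tracker over Python's `ast` module. The source, sanitizer and sink lists are a constructed model for the example, and the sample under test is constructed too. It reports the one handler where untrusted input reaches `cursor.execute` as part of the statement text, and stays quiet for the parameterized and the cast handlers, which is the kind of data- and call-flow reasoning the later solution slide calls "tracking tainted data".

```python
import ast

# Constructed taint model for this example (not AppScan's rule set):
# where untrusted data enters, what neutralizes it, and where it must not reach.
SOURCES = {"request.args.get", "request.form.get", "input"}
SANITIZERS = {"int", "float"}
SINKS = {
    "cursor.execute": "SQL injection",
    "os.system": "command injection",
    "subprocess.call": "command injection",
}

def dotted_name(node):
    """'a.b.c' for a Name/Attribute chain; None for anything else."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = dotted_name(node.value)
        return f"{base}.{node.attr}" if base else None
    return None

def is_tainted(expr, tainted):
    """True if expr mentions a tainted variable or calls a source, unless the
    whole expression is wrapped in a sanitizer call such as int(...)."""
    if isinstance(expr, ast.Call) and dotted_name(expr.func) in SANITIZERS:
        return False
    for sub in ast.walk(expr):
        if isinstance(sub, ast.Name) and sub.id in tainted:
            return True
        if isinstance(sub, ast.Call) and dotted_name(sub.func) in SOURCES:
            return True
    return False

def analyze(source):
    """Return (function, line, sink, issue) for each tainted value reaching a sink.
    Intraprocedural and flow-insensitive across branches: enough to show the idea."""
    findings = []
    tree = ast.parse(source)
    for func in (n for n in ast.walk(tree) if isinstance(n, ast.FunctionDef)):
        tainted = set()
        for stmt in func.body:
            for node in ast.walk(stmt):
                if isinstance(node, ast.Assign):
                    flag = is_tainted(node.value, tainted)
                    for target in node.targets:
                        if isinstance(target, ast.Name):
                            if flag:
                                tainted.add(target.id)
                            else:
                                tainted.discard(target.id)  # reassigned from clean data
                elif isinstance(node, ast.Call):
                    sink = dotted_name(node.func)
                    if sink in SINKS and node.args and is_tainted(node.args[0], tainted):
                        findings.append((func.name, node.lineno, sink, SINKS[sink]))
    return findings

# Constructed sample under test: three handlers, only the first is vulnerable.
SAMPLE = '''\
def lookup_vulnerable(request, cursor):
    name = request.args.get("name")
    sql = "SELECT * FROM users WHERE name = '" + name + "'"
    return cursor.execute(sql).fetchall()

def lookup_parameterized(request, cursor):
    name = request.args.get("name")
    sql = "SELECT * FROM users WHERE name = ?"
    return cursor.execute(sql, (name,)).fetchall()

def lookup_cast(request, cursor):
    uid = int(request.args.get("id"))
    return cursor.execute(f"SELECT * FROM users WHERE id = {uid}").fetchall()
'''

if __name__ == "__main__":
    for finding in analyze(SAMPLE):
        print(finding)
```

Only the first argument of a sink is checked on purpose: `cursor.execute(sql, (name,))` passes the tainted value as a bound parameter, which is exactly the fix, so it must not be reported. A production engine adds interprocedural flow, branch merging and a much larger rule set, but the shape is the same.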
Application Security Testing (solution map, flattened from the slide's diagram)

Scanning techniques
• Static analysis (white box): source code vulnerabilities & code quality risks; data & call flow analysis tracks tainted data
• Dynamic analysis (black box): live web application; web crawling & manual testing
• Hybrid: glass box analysis

Applications
• Web applications and web services: Web 2.0 / HTML5, AJAX, JavaScript, Adobe Flash & Flex
• Mobile applications: iPhone (Objective-C), Android (Java)
• Programming languages: Java/Android, JSP, C#, ASP.NET, VB.NET, Classic ASP, ColdFusion, VB6, VBScript, HTML, PHP, Perl, PL/SQL, T-SQL, client-side JavaScript, server-side JavaScript, C, C++, COBOL, SAP ABAP
• Purchased applications

Governance & collaboration
• Training: application security & product (instructor led and self paced; classroom & web based)
• Test policies, test templates and access control
• Dashboards, detailed reports & trending
• Manage regulatory requirements such as DIACAP, PCI, GLBA and HIPAA (40+ out-of-the-box compliance reports)

Integrated with
• Build systems, to improve scan efficiencies (Rational Build Forge, Rational Team Concert, Hudson, Maven)
• Defect tracking systems, to track remediation (Rational Team Concert, Rational ClearQuest, HP QC, MS Team Foundation Server)
• IDEs, for remediation assistance (RAD, Rational Team Concert, Eclipse, Visual Studio)
• Security intelligence, to raise the threat level (SiteProtector, QRadar, Guardium)

SDLC stages covered: Coding, Build, QA, Security, Production
Audience: development teams, security teams, penetration testers
IBM AppScan security solution
1. IBM AppScan Source
2. IBM AppScan Standard
3. IBM AppScan Enterprise
All work within the Software Lifecycle
AppScan Source for SAST
 AppScan Source is a static application security testing (SAST) solution.
- Scans application source code for security vulnerabilities
• SQL injection, command injection, cross-site scripting, buffer overflow
- These vulnerabilities are exploitable weaknesses in code that lead to:
• Loss of reputation
• Loss of money
• A breach or an exposure of sensitive information
• Business noncompliance
 AppScan Source enables organizations to proactively identify and mitigate security risk.
 There are four distinct AppScan Source components:
- AppScan Source for Remediation
- AppScan Source for Development
- AppScan Source for Automation
- AppScan Source for Analysis
AppScan Source SAST Lifecycle
(Diagram: CONFIGURE >>> SCAN >>> TRIAGE >>> ASSIGN >>> REMEDIATE >>> REPORT, with the component used at each step)
CONFIGURE: AppScan Source for Analysis
SCAN: AppScan Source for Analysis, for Development, for Automation
TRIAGE (high-confidence findings): AppScan Source for Analysis
ASSIGN: AppScan Enterprise
REMEDIATE: AppScan Source for Remediation, for Development
REPORT: AppScan Source for Analysis
What is AppScan Standard?
 A security vulnerability testing tool for web applications and web services
 Features the most advanced testing methods
Scan Technologies for AppScan Standard
AppScan Standard employs three distinct testing techniques:
 Dynamic analysis ("black-box scanning"): sends test requests to the running application and evaluates its responses
 Static analysis ("white-box scanning"): analyzes the JavaScript code in the context of the full web page
 Interactive analysis ("glass-box scanning"): interacts with a dedicated glass-box agent that resides on the web server itself, so the scanner can observe what a request does inside the server rather than only what comes back over HTTP
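The black-box technique from the slide, as an added example that is neither AppScan code nor the Altoro Mutual site: a tiny in-process "web application" with two deliberately vulnerable handlers and two hardened ones, and a scanner that sends a probe per issue and decides with an oracle, comparing against a benign baseline request so that a page which always errors is not reported. The handlers, the payloads and the error signatures are constructed for the example.

```python
import html
import re
import sqlite3

# ---- Target: a constructed stand-in for a site like Altoro Mutual ----------
# Two handlers are deliberately vulnerable and two are hardened; nothing here
# is taken from the real demo site.
_db = sqlite3.connect(":memory:")
_db.execute("CREATE TABLE products (id INTEGER, name TEXT)")
_db.executemany("INSERT INTO products VALUES (?, ?)", [(1, "savings"), (2, "checking")])

def app(path, params):
    """Minimal request handler: (status, html body) for a path and its query params."""
    q = params.get("q", "")
    pid = params.get("id", "")
    try:
        if path == "/search":            # reflected XSS: q echoed without encoding
            return 200, f"<p>Results for {q}</p>"
        if path == "/search_safe":       # output encoded for an HTML context
            return 200, f"<p>Results for {html.escape(q)}</p>"
        if path == "/product":           # SQL injection: id spliced into the query
            row = _db.execute(f"SELECT name FROM products WHERE id = {pid}").fetchone()
            return 200, f"<p>{row[0] if row else 'not found'}</p>"
        if path == "/product_safe":      # bound parameter
            row = _db.execute("SELECT name FROM products WHERE id = ?", (pid,)).fetchone()
            return 200, f"<p>{row[0] if row else 'not found'}</p>"
        return 404, "<p>not found</p>"
    except sqlite3.Error as exc:         # verbose error page: the scanner's oracle
        return 500, f"<pre>Database error: {exc}</pre>"

# ---- Scanner ------------------------------------------------------------------
CANARY = "zz<appscan>zz"                 # must come back encoded if output is safe
SQL_ERROR = re.compile(r"database error|syntax error|unrecognized token", re.I)

# (issue, payload, oracle over the response)
PROBES = [
    ("Cross-site scripting", CANARY, lambda status, body: CANARY in body),
    ("SQL injection", "1'", lambda status, body: SQL_ERROR.search(body) is not None),
]

def scan(handler, path, param, baseline_value):
    """Send each probe in `param`, compare against a benign baseline request, and
    report only when the oracle fires for the probe but not for the baseline."""
    findings = []
    base = handler(path, {param: baseline_value})
    for issue, payload, oracle in PROBES:
        resp = handler(path, {param: payload})
        if oracle(*resp) and not oracle(*base):
            findings.append((path, param, issue, payload))
    return findings

if __name__ == "__main__":
    targets = [("/search", "q"), ("/search_safe", "q"), ("/product", "id"), ("/product_safe", "id")]
    for path, param in targets:
        print(path, scan(app, path, param, "1"))
```

The SQL oracle here depends on the application leaking a database error message, which is the limitation of pure black-box testing: once error pages are suppressed, the scanner needs timing or boolean differences instead. A glass-box agent inside the server, as the slide describes, removes that dependency because it sees the SQL statement the request actually produced.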
Workflow for AppScan Standard
What is AppScan Enterprise?
AppScan Enterprise lets the security team integrate web application security in the SDLC:
SCALE: reuse and run multiple scans across applications
MONITOR: manage problem resolution through trending reports
INFORM: push reports to developers, QA and non-security staff
DEMO – Test Site And Project (Altoro Mutual)
URL: http://demo.testfire.net
Account: jsmith / demo1234
Magic Quadrant for Application Security Testing
Neil MacDonald, Joseph Feiman, July 2, 2013
Gartner has recognized IBM as a leader in the Magic Quadrant for Application Security Testing (AST).
"The market for application security testing is changing rapidly. Technology trends, such as mobile applications, advanced Web applications and dynamic languages, are forcing the need to combine dynamic and static testing capabilities, which is reshaping the overall market."
This Magic Quadrant graphic was published by Gartner, Inc. as part of a larger research note and should be evaluated in the context of the entire report. The link to the Gartner report is available upon request from IBM.
Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
Additional Information
 Documents
 EMA Impact Brief - IBM Security AppScan 8.7 Adds Support for iOS Mobile Apps
https://www14.software.ibm.com/webapp/iwm/web/signup.do?source=swg-WW_Security_Organic&S_PKG=ov14494&S_TACT=102PW29W
 AppScan Source Data Sheet
http://public.dhe.ibm.com/common/ssi/ecm/en/rad14105usen/RAD14105USEN.PDF
 AppScan Standard Data Sheet:
http://public.dhe.ibm.com/common/ssi/ecm/en/rad14019usen/RAD14019USEN.PDF
 AppScan Enterprise Data Sheet
ftp://public.dhe.ibm.com/common/ssi/ecm/en/rad14113usen/RAD14113USEN.PDF
 Posts
 2013 Gartner Application Security Testing MQ and the Evolution of Software Security
http://securityintelligence.com/2013-gartner-application-security-testing-mq-and-the-evolution-of-software-security/
 Gartner Publishes 2013 Magic Quadrant for Application Security Testing (AST)
http://securityintelligence.com/gartner-magic-quadrant-for-application-security-testing-2013/
 Podcasts
 2013 Gartner Magic Quadrant for Application Security Testing
 http://www.blogtalkradio.com/calebbarlow/2013/07/25/2013-gartner-magic-quadrant-for-application-security-testing
 Application + Threat + Security intelligence = Priceless
 http://www.blogtalkradio.com/calebbarlow/2012/08/13/threat-application-security-intelligence-priceless
 Taking Application Security from the Whiteboard to Reality
 http://www.blogtalkradio.com/calebbarlow/2012/06/11/taking-application-security-from-the-whiteboard-to-reality
Videos
Overview of IBM Security AppScan
http://www.youtube.com/watch?v=9R4IjZpKt8I
How College Board is Building Security into Application Development
http://www.youtube.com/watch?v=TtqhlcTnbg8
Building Better, More Secure Applications
http://www.youtube.com/watch?v=UcN2uUolgKk
Using Application Security Testing to Increase Deployment Speed
http://www.youtube.com/watch?v=VImy3ilYUSk
IBM Security AppScan 8.7 for iOS mobile application support
http://www.youtube.com/watch?v=I73tbAmJIGw
IBM Security AppScan 8.7 for iOS Applications
http://www.youtube.com/watch?v=egnEH-GGQEI
IBM Security AppScan: Analysis Perspective
http://www.youtube.com/watch?v=UZD53ZgV848
Credits
 Implemented IBM AppScan for customers in Vietnam: Vietcombank; VietinBank; Vietnam Customs
 Some presentations on Enterprise Mobile Solutions, Security and E-Commerce at http://www.slideshare.net/papaiking/
Smarter security for a smarter planet


Editor's Notes

  • #7 The OWASP Top 10 list includes the following 10 common security issues, which we will cover in a moment.
  • #10 There is No Silver Bullet. While it is tempting to think that a security scanner or application firewall will either provide a multitude of defenses or identify a multitude of problems, in reality there are no silver bullets to the problem of insecure software. Application security assessment software, while useful as a first pass to find low-hanging fruit, is generally immature and ineffective at in-depth assessments and at providing adequate test coverage. Remember that security is a process, not a product.
  • #11 Diving into more detail at a specific Dev team area, this is just an example of course. But you can imagine that there are various developers all contributing different components to the applications. At specific intervals there are typically BUILD processes happening, for regression testing and such. What we're proposing is that a Dev Lead be responsible for performing Scans at the BUILD level. This of course can be altered: each Developer can also perform scanning of their individual pieces. But this graphic illustrates that a scan should take place iteratively at the build level.
  • #17 Loss of reputation: loss of control
  • #23 I didn't add the Analyst to the list because we really don't have anything for them.