IBM AppScan - the total software security solution
Content:
- Introduction to security
- Best Practices for Application Security
- IBM AppScan security solution
- DEMO
IBM AppScan Source is a static application security testing (SAST) tool that scans source code to identify vulnerabilities like SQL injection and cross-site scripting. It has components for analysis, development, remediation, and automation. It can be deployed as a standard desktop tool, in a small workgroup, or in an enterprise environment integrated with other tools. AppScan Source features include importing apps, configuring scans, viewing results, and generating reports. It aims to help security analysts, developers, and organizations identify and fix issues to prevent data breaches and other security problems.
IBM Rational App Scan Tester Edition and Quality Manager (Александр Шамрай)
Rational AppScan Tester Edition for Rational Quality Manager allows QA teams to manage security testing alongside other testing types. It seamlessly integrates with Rational Quality Manager to automate security scan execution and defect tracking. The demo showed how to create a web application security scan, run it, analyze results, report a defect, and see the impact on the dashboard. This enables organizations to scale security testing within their existing development and testing processes.
Discovering the Value of Verifying Web Application Security Using IBM Rationa... (Alan Kan)
The document discusses a workshop on web application security using IBM Rational AppScan. It introduces the importance of securing web applications and provides an overview of common vulnerabilities like cross-site scripting and SQL injection. The workshop aims to help attendees understand application security risks and how to use AppScan to automate vulnerability scanning and analysis. Hands-on labs are included to demonstrate AppScan's vulnerability detection capabilities.
Static Application Security Testing Strategies for Automation and Continuous ... (Kevin Fealey)
Static Application Security Testing (SAST) introduces challenges with existing Software Development Lifecycle Configurations. Strategies at different points of the SDLC improve deployment time, while still improving the quality and security of the deliverable. This session will discuss the different strategies that can be implemented for SAST within SDLC—strategies catering to developers versus security analysts versus release engineers. The strategies consider the challenges each team may encounter, allowing them to incorporate security testing without jeopardizing deadlines or existing process.
What Good is this Tool? A Guide to Choosing the Right Application Security Te... (Kevin Fealey)
Abstract:
Choosing the right Application Security Testing (AST) tool can be challenging for any security program, and after rolling it out, discovering the real security value it brings can be downright discouraging. No single tool can solve all of your security problems, but unfortunately, that is exactly how many of them are marketed. This is compounded by sales teams who convince executive leadership that security programs should be built around their tools, rather than fitting each tool within a well-planned security program. The primary takeaways from this talk are:
• An understanding of the real value of each type of AST tool (SAST, DAST, IAST);
• How to leverage your tools for better security visibility and process efficiency;
• Steps to find the right tool for your security program;
• Keys to finding the best stage of the SDLC to implement each tool type within your security program;
• How to integrate new tools with your existing DevOps or Agile environments and processes
Additional Takeaways:
• Examine the strengths and limitations of SAST, DAST, and IAST tools
• Learn how to choose the right tools for your security program
• Discover how to seamlessly integrate your tools into existing DevOps and Agile environments and processes
• Provide security visibility to developers, managers, and executives by enhancing your existing technology
• Learn to use your tools to improve the efficiency of security tasks that are currently manual
Secure Code review - Veracode SaaS Platform - Saudi Green Method (Salil Kumar Subramony)
Veracode provides the world’s leading Application Risk Management Platform. Veracode's patented and proven cloud-based capabilities allow customers to govern and mitigate software security risk across a single application or an enterprise portfolio with unmatched simplicity. Veracode was founded with one simple mission in mind: to make it simple and cost-effective for organizations to accurately identify and manage application security risk.
The document summarizes Veracode's application security platform. It continuously learns from scans to address evolving threats. It uses a cloud-based platform that is massively scalable and allows organizations to start immediately without hiring consultants or installing servers. It also provides program managers to help implement a centralized, policy-based approach to managing application security across an enterprise.
SAST vs. DAST: What's the Best Method For Application Security Testing? (Cigital)
High profile security breaches are leading to heightened organizational security concerns. Firms around the world are now observing the consequences of security breaches that are becoming more widespread and more advanced. Due to this, firms are ready to identify vulnerabilities in their applications and mitigate the risks.
Two ways to go about this are static application security testing (SAST) and dynamic application security testing (DAST). These application security testing methodologies are used to find the security vulnerabilities that make your organization’s applications susceptible to attack.
The two methodologies approach applications very differently. They are most effective at different phases of the software development life cycle (SDLC) and find different types of vulnerabilities. For example, SAST detects critical vulnerabilities such as cross-site scripting (XSS), SQL injection, and buffer overflow earlier in the SDLC. DAST, on the other hand, uses an outside-in penetration testing approach to identify security vulnerabilities while web applications are running.
Let us guide you through your application security testing journey with more key differences between SAST and DAST:
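The difference the summary above draws between SAST and DAST is easiest to see on one concrete flaw. The following is an added example, not code from the Cigital slides: find_user is a hypothetical handler written to be vulnerable to SQL injection and find_user_fixed is its repair; sast_check() reads the function's source and traces a string-building expression to a query sink without running anything, which is the SAST view in miniature, while dast_probe() knows nothing about the code and only watches how the running function reacts to a payload, which is the DAST view. The table rows are constructed in memory.

```python
"""Added example (not from the summarised slides): one SQL injection flaw,
found once by reading the code (SAST) and once by attacking it (DAST)."""
import ast
import inspect
import sqlite3
import textwrap


def find_user(conn: sqlite3.Connection, username: str) -> list:
    """Deliberately vulnerable: untrusted input is concatenated into the SQL."""
    query = "SELECT id, name FROM users WHERE name = '" + username + "'"
    return conn.execute(query).fetchall()


def find_user_fixed(conn: sqlite3.Connection, username: str) -> list:
    """Hardened form: the value travels as a bound parameter, never as SQL text."""
    return conn.execute("SELECT id, name FROM users WHERE name = ?", (username,)).fetchall()


# --- SAST view: inspect the source, execute nothing ---------------------------
SQL_SINKS = {"execute", "executemany", "executescript"}


def _built_dynamically(node: ast.AST, tainted: set) -> bool:
    """True for '+'/'%' string building, f-strings, .format() calls, or a local
    that was itself assigned from such an expression."""
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        return True
    if isinstance(node, ast.JoinedStr):
        return True
    if isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute) and node.func.attr == "format":
        return True
    return isinstance(node, ast.Name) and node.id in tainted


def sast_check(func) -> list:
    """Return [(function name, line within the function)] for every SQL sink whose
    statement argument is built dynamically. One crude rule, but it is the same
    source-to-sink reasoning a commercial SAST engine applies at scale."""
    tree = ast.parse(textwrap.dedent(inspect.getsource(func)))
    tainted = set()
    for node in ast.walk(tree):                 # pass 1: which locals hold built strings?
        if isinstance(node, ast.Assign) and _built_dynamically(node.value, tainted):
            tainted.update(t.id for t in node.targets if isinstance(t, ast.Name))
    findings = []
    for node in ast.walk(tree):                 # pass 2: does any of them reach a sink?
        if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                and node.func.attr in SQL_SINKS and node.args
                and _built_dynamically(node.args[0], tainted)):
            findings.append((func.__name__, node.lineno))
    return findings


# --- DAST view: run it, attack it, watch the response -------------------------
def dast_probe(target) -> bool:
    """Return True when a tautology payload behaves observably differently from a
    harmless value: rows come back for a name that matches nobody, or the stray
    quote breaks the statement. Uses constructed in-memory rows, no real users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [(1, "alice"), (2, "bob")])
    baseline = target(conn, "nobody")
    try:
        injected = target(conn, "nobody' OR '1'='1")
    except sqlite3.Error:
        return True                      # error-based signal: the quote reached the parser
    return len(injected) > len(baseline)
```

The two checks agree on this function, but for different reasons: sast_check() reports the flaw at the line where the built string meets execute() and would do so even if no database existed, while dast_probe() needs a running instance and a payload that produces a visible difference, but would equally catch a flaw hidden in code the static rule does not understand.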
8 Patterns For Continuous Code Security by Veracode CTO Chris Wysopal (Threat Stack)
Deploying insecure web applications into production can be risky -- resulting in potential loss of customer data, corporate intellectual property and/or brand value. Yet many organizations still deploy public-facing applications without assessing them for common and easily-exploitable vulnerabilities such as SQL Injection and Cross-Site Scripting (XSS).
This is because traditional approaches to application security are typically complex, manual and time-consuming – deterring agile teams from incorporating code analysis into their sprints.
But it doesn’t have to be that way. By incorporating key SecDevOps concepts into the Software Development Lifecycle (SDLC) – including centralized policies and tighter collaboration and visibility between security and DevOps teams – we can now embed continuous code-level security and assessment into our agile development processes. We’ve uncovered eight patterns that work together to transform cumbersome waterfall methodologies into efficient and secure agile development.
Crafting Super-Powered Risk Assessments by Digital Defense Inc & Veracode (Digital Defense Inc)
http://www.ddifrontline.com
Digital Defense Inc (DDI) and Veracode present the "Crafting Super-Powered Risk Assessments" webinar and slides. The presentation covers security assessments, application security, and how to manage risk.
Application Security at DevOps Speed and Portfolio Scale (Jeff Williams)
Published on Nov 26, 2013
AppSec at DevOps Speed and Portfolio Scale - Jeff Williams
Watch this talk on YouTube: https://www.youtube.com/watch?v=cIvOth0fxmI
Software development is moving much faster than application security with new platforms, languages, frameworks, paradigms, and methodologies like Agile and DevOps.
Unfortunately, software assurance hasn't kept up with the times. For the most part, our security techniques were built to work with the way software was built in 2002. Here are some of the technologies and practices that today's best software assurance techniques *can't* handle: JavaScript, Ajax, inversion of control, aspect-oriented programming, frameworks, libraries, SOAP, REST, web services, XML, JSON, raw sockets, HTML5, Agile, DevOps, WebSocket, Cloud, and more. All of these rest pretty much at the core of modern software development.
Although we're making progress in application security, the gains are much slower than the stunning advances in software development. After 10 years of getting further behind every day, software *assurance* is now largely incompatible with modern software *development*. It's not just security tools -- application security processes are largely incompatible as well. And the result is that security has very little influence on the software trajectory at all.
Unless the application security community figures out how to be a relevant part of software development, we will continue to lag behind and effect minimal change. In this talk, I will explore a radically different approach based on instrumenting an entire IT organization with passive sensors to collect real-time data that can be used to identify vulnerabilities, enhance security architecture, and (most importantly) enable application security to generate value. The goal is unprecedented real-time visibility into application security across an organization's entire application portfolio, allowing all the stakeholders in security to collaborate and finally become proactive.
Speaker
Jeff Williams
CEO, Aspect Security
Jeff is a founder and CEO of Aspect Security and recently launched Contrast Security, a new approach to application security analysis. Jeff was an OWASP Founder and served as Global Chairman from 2004 to 2012, contributing many projects including the OWASP Top Ten, WebGoat, ESAPI, ASVS, and more. Jeff is passionate about making it possible for anyone to do their own continuous application security in real time.
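The "passive sensors" the abstract describes are what later came to be called IAST. The following is an added example, not Contrast's or Aspect Security's code, showing the idea in miniature: input is marked tainted where it enters the application, the mark survives string concatenation, and a hook installed through sqlite3's own connection factory reports whenever tainted text arrives at the SQL sink. Ordinary traffic is enough to trigger it; no attack payload is needed, which is the property that distinguishes it from a scanner. find_user is a hypothetical vulnerable handler, find_user_fixed its repair, and handle_request stands in for the web-framework boundary where a real agent would mark input.

```python
"""Added example (not from the talk): a runtime sensor that reports tainted
data reaching a SQL sink during normal use of the application."""
import inspect
import sqlite3


class Tainted(str):
    """A str that remembers it came from an untrusted boundary. Only '+' is
    propagated here; a real agent instruments far more string operations."""
    def __add__(self, other):
        return Tainted(str.__add__(self, other))

    def __radd__(self, other):
        return Tainted(str.__add__(other, self))


class SensorConnection(sqlite3.Connection):
    """The sink hook. Installed via sqlite3.connect(factory=...), so the
    application code itself needs no changes."""
    findings = []                        # one dict per tainted statement seen

    def execute(self, sql, parameters=(), /):
        if isinstance(sql, Tainted):
            caller = inspect.currentframe().f_back.f_code.co_name
            SensorConnection.findings.append(
                {"sink": "sqlite3.execute", "caller": caller, "sql": str(sql)})
        return super().execute(sql, parameters)


def find_user(conn, username):
    """Deliberately vulnerable: the tainted value becomes part of the SQL text."""
    query = "SELECT id, name FROM users WHERE name = '" + username + "'"
    return conn.execute(query).fetchall()


def find_user_fixed(conn, username):
    """Repaired: the SQL text is a constant, the value a bound parameter."""
    return conn.execute("SELECT id, name FROM users WHERE name = ?", (username,)).fetchall()


def handle_request(conn, raw_param: str, handler):
    """Hypothetical request boundary: this is where the agent marks input."""
    return handler(conn, Tainted(raw_param))


def run_demo() -> list:
    """Drive both handlers with a perfectly benign request and return what the
    sensor recorded. Table rows are constructed in memory."""
    SensorConnection.findings.clear()
    conn = sqlite3.connect(":memory:", factory=SensorConnection)
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    conn.execute("INSERT INTO users VALUES (1, 'alice')")
    handle_request(conn, "alice", find_user)
    handle_request(conn, "alice", find_user_fixed)
    return list(SensorConnection.findings)
```

run_demo() returns exactly one finding, attributed to find_user, for a request that any functional test would also send. The parameterised handler never passes tainted text as the statement, so the sensor stays silent on it, which is the same distinction the static and dynamic checks make but observed from inside the running process.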
Innovating Faster with Continuous Application Security (Jeff Williams)
DevSecOps tutorial and demonstration. Build your pipeline with IAST, RASP, and OSS. Try Contrast community edition full strength DevSecOps platform for testing, protecting, and open source analysis -- all for free. https://www.contrastsecurity.com/contrast-community-edition
Veracode is a well-established US-based provider of application security testing (AST) services including static application security testing (SAST), dynamic application security testing (DAST), mobile AST, and software composition analysis (SCA). Veracode offers a broad set of AST services to help organizations build and deploy applications faster while reducing business risk. The company pioneered binary code analysis and was an early innovator in mobile AST and SCA. Veracode aims to help customers reduce risk across their entire software development lifecycle through its unified cloud-based platform and services.
This article examines the emerging need for software assurance. As defense contractors continue to develop systems for the Department of Defense (DoD), those systems must meet stringent requirements for deployment. However, as over half of all vulnerabilities are found at the application layer, organizations must ensure that proper mechanisms are in place to maintain the integrity, availability, and confidentiality of the code. Download the paper at https://www.researchgate.net/publication/255965523_Integrating_Software_Assurance_into_the_Software_Development_Life_Cycle_(SDLC)
Agenda:
- SDLC vs S-SDLC
- Mobile development security process
- Which tools to use for security testing?
- How to integrate into existing processes?
- What else can you do?
The Web AppSec How-To: The Defender's Toolbox (Checkmarx)
Web application security has made headline news in the past few years. In this article, we review the various Web application security tools and highlight important decision factors to help you choose the application security technology best suited for your environment.
As presented at OPAL event in Vienna on Nov. 23rd 2017.
Android is now including enterprise features needed by rugged devices like the ones from Zebra Technologies. In this presentation I'm explaining what these new features are and which gaps still remain with end-user requirements.
This document provides guidance on building an application security program. It discusses common application security threats and vulnerabilities. The goal of application security is to reduce application risks. Methods include static code analysis, dynamic testing, and manual verification at different stages of the software development lifecycle. The document recommends starting simple, setting policies and standards, scaling application security as development scales, and verifying third party applications. It emphasizes the importance of continuous improvement, metrics, and alignment with development processes.
Security testing requires analyzing software from the perspective of an attacker to identify potential vulnerabilities. It involves understanding key information sources, adopting an attacker mindset when considering a wide range of unexpected inputs, and determining when enough testing has been done to verify security. Automation plays an important role by allowing for larger test coverage, regression testing, and improved efficiency compared to manual security testing.
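The summary above describes three things a security tester does: feed the software inputs it was never written to expect, automate that so coverage is wide, and keep what was found as regression tests. The following is an added example, not from the summarised document, that does all three against a hypothetical length-prefixed record parser: fuzz() mutates a valid record with the kinds of damage an attacker would try and records the first input behind each distinct unhandled exception, replay() feeds that corpus back to check whether a parser still crashes, and parse_record_hardened is the repaired version that rejects every malformed shape with a single, deliberate error. All inputs are constructed.

```python
"""Added example (not from the summarised slides): a minimal mutation fuzzer
plus the regression corpus it produces."""
import random


class ParseError(ValueError):
    """The one exception a hardened parser is allowed to raise on bad input."""


def parse_record(data: bytes) -> dict:
    """Hypothetical target, written for well-formed input only:
    "<len>:<name>,<age>" where <len> is the byte length of "<name>,<age>"."""
    length, _, body = data.partition(b":")
    n = int(length)                              # int(b"") or int(b"x1") -> ValueError
    name, age = body[:n].split(b",")             # ValueError when the comma is gone
    return {"name": name.decode(), "age": int(age)}   # UnicodeDecodeError on junk bytes


def parse_record_hardened(data: bytes) -> dict:
    """Same format, but every unexpected shape is rejected with ParseError."""
    length, sep, body = data.partition(b":")
    if not sep or not length.isdigit() or len(length) > 6:
        raise ParseError("bad length field")
    if int(length) != len(body) or body.count(b",") != 1:
        raise ParseError("length or delimiter mismatch")
    name, age = body.split(b",")
    if not name.isascii() or not age.isdigit() or len(age) > 3:
        raise ParseError("bad name or age")
    return {"name": name.decode("ascii"), "age": int(age)}


def mutate(rng: random.Random, data: bytes) -> bytes:
    """One random structural or byte-level mutation of a valid input."""
    choice = rng.randrange(5)
    if choice == 0:                                          # truncate anywhere
        return data[: rng.randrange(len(data) + 1)]
    if choice == 1:                                          # overwrite one byte
        if not data:
            return data
        i = rng.randrange(len(data))
        return data[:i] + bytes([rng.randrange(256)]) + data[i + 1:]
    if choice == 2:                                          # drop a delimiter
        return data.replace(rng.choice([b",", b":"]), b"", 1)
    if choice == 3:                                          # absurd length field
        return rng.choice([b"0", b"-1", b"9" * 30]) + data[data.find(b":"):]
    return data + bytes(rng.randrange(256) for _ in range(rng.randrange(1, 8)))  # append junk


def fuzz(target, seed: bytes, iterations: int = 2000, rng_seed: int = 1) -> dict:
    """Return a crash corpus {exception type name: first input that caused it}.
    Deterministic for a given rng_seed, so every finding can be reproduced."""
    rng = random.Random(rng_seed)
    corpus = {}
    for _ in range(iterations):
        data = seed
        for _ in range(rng.randrange(1, 4)):                 # chain 1 to 3 mutations
            data = mutate(rng, data)
        try:
            target(data)
        except Exception as exc:                             # any unhandled exception is a bug
            corpus.setdefault(type(exc).__name__, data)
    return corpus


def replay(target, corpus: dict, allowed=(ParseError,)) -> set:
    """Regression check: feed every saved crash back and return the names of the
    cases that still raise anything other than the parser's own rejection."""
    still_failing = set()
    for name, data in corpus.items():
        try:
            target(data)
        except allowed:
            pass
        except Exception:
            still_failing.add(name)
    return still_failing
```

Against parse_record the corpus is non-empty and replay() reports every case as still failing; against parse_record_hardened the same corpus replays clean, because the only thing it raises is the ParseError the caller is expected to handle. Keeping the corpus under version control is what turns a one-off finding into coverage that survives the next refactor.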
Even though Healthcare applications are a primary target for cyber-attacks, a new study from IDG Research reveals that sixty percent of internally developed applications are not assessed for critical security vulnerabilities such as SQL Injection and Cross-Site Scripting. IT leaders expect the number of healthcare applications to increase as organizations increasingly rely on software innovation. How will healthcare application security teams close this gap?
This document discusses software development center web application security testing tools. It provides an overview of the top 10 most critical web application security risks according to OWASP and describes several individual tools that can test for each risk, including W3AF for injection, ZAP for cross-site scripting, and Burp Suite for insecure direct object references. It also outlines steps for using the security tools to test a web application, generating a security report, and planning to address prioritized issues found.
Pactera - App Security Assessment - Mobile, Web App, IoT - v2 (Kyle Lai)
This document provides an overview of application security services offered by Pactera Cybersecurity Consulting. It discusses why clients choose Pactera, the types of cybersecurity capabilities offered including application vulnerability testing, secure coding training, and third-party risk management. It then goes into more detail about application security testing methodologies and tools used for mobile, web, and API security assessments. Profiles of some of Pactera's cybersecurity experts are also included.
This document discusses IBM's Rational Application Security solution. It begins with current trends in application security, noting that web applications are the greatest risk and source of vulnerabilities. It then introduces Rational AppScan Suite for comprehensive application vulnerability management. The document discusses strategies for customer success, including integrating application security into the development lifecycle. It provides an overview of the Rational AppScan Suite and how IBM offers full application security coverage through additional products that complement Rational AppScan.
This document provides an overview of digital product security. It discusses common cyberattacks against businesses, security issues in product development processes, and tips for developing software with security by design. It emphasizes starting with secure requirements, using static analysis, dynamic testing, and manual reviews. Following secure SDLC practices and continuous integration of security tools can help improve security, reduce costs, and better satisfy security audits.
This document provides an overview of application security challenges and trends. It discusses how attacks have moved to target applications directly rather than just infrastructure. It also notes that security is often an afterthought for developers focused on speed and that maturity varies. Key trends include shifting security left in the development process, addressing open source risks, and leveraging tools like machine learning. Stakeholders have different priorities around protecting the organization versus meeting deadlines. Primary use cases involve finding and fixing vulnerabilities throughout the development lifecycle. The Fortify platform aims to provide application security that scales with development needs.
This document provides an overview of application security and the Fortify portfolio. It discusses growing application security challenges such as attacks targeting the application layer. It also reviews key application security trends like shift left development and cloud transformation. The document outlines primary customer use cases and priorities around securing applications. Additionally, it summarizes the Fortify product offerings and how the portfolio addresses application security needs. Examples of Fortify customer success are also provided along with insights into the competitive application security market.
Protecting Mission-Critical Source Code from Application Security Vulnerabili... (IBM Security)
View on demand: http://event.on24.com/wcc/r/1071186/DB920F7B3EC241F8D7637CE3303D6585
Session 2 of IBM’s #CoverYourApps with Application Security on Cloud Webinar Series
In this session, you will learn how to test application source code for potential security vulnerabilities, so that you can confidently release your organization's applications. Special emphasis will be paid to how to test code quickly and effectively, in order to keep up with the ever-increasing pace of application release schedules.
Check out the rest of our #CoverYourApps with IBM’s Application Security on Cloud Webinar Series! Register today for all three to get up to speed on the latest from IBM on Application Security on Cloud.
This document discusses SoftServe's approach to application security testing. It outlines typical security processes, reports, and issues found. It then proposes an integrated security process using both static code analysis and dynamic testing. This would involve deploying applications through a CI pipeline to security tools to identify vulnerabilities early in development cycles. The benefits are presented as reduced remediation costs, improved knowledge, and full technology coverage through internal testing versus third parties.
Bridging the Security Testing Gap in Your CI/CD Pipeline (DevOps.com)
Are you struggling with application security testing? Do you wish it was easier, faster, and better? Join us to learn more about IAST, a next-generation application security tool that provides highly accurate, real-time vulnerability results without the need for application or source code scans. Learn how this nondisruptive tool can:
- Run in the background and report vulnerabilities during functional testing, CI/CD, and QA activities.
- Auto verify, prioritize and triage vulnerability findings in real time with 100% confidence.
- Fully automate secure app delivery and deployment, without the need for extra security scans or processes.
- Free up DevOps resources to focus on strategic or mission-critical tasks and contributions.
The document discusses starting a software security initiative within an organization using a maturity-based and metrics-driven approach. It recommends assessing the current maturity level, defining security standards and processes, and implementing security activities throughout the software development lifecycle (SDLC). Key metrics to track include the percentage of issues identified and fixed by lifecycle phase, average time to fix vulnerabilities, and vulnerability density.
Security Services and Approach by Nazar Tymoshyk (SoftServe)
The document discusses SoftServe's security services and approach to application security testing. It provides an overview of typical security reports, how the security process often looks in reality versus how it should ideally be, and how SoftServe aims to minimize repetitive security issues through practices like automated security tests, secure coding trainings, and vulnerability scans integrated into continuous integration/delivery pipelines. The document also discusses benefits of SoftServe's internal security testing versus outsourcing to third parties, like catching problems earlier and improving a development team's security expertise.
Next generation software testing trends (Arun Kulkarni)
Over two-thirds of software development projects use agile methods to deliver software quickly. As software releases become more frequent, testing processes have to keep pace and adopt continuous QA.
AppSec How-To: Achieving Security in DevOps (Checkmarx)
How do you integrate security within a Continuous Deployment (CD) environment, where every 5 minutes a feature, an enhancement, or a bug fix needs to be released? Find out in this Checkmarx How-To Paper.
7 measures to overcome cyber attacks of web application (TestingXperts)
In recent years, cyber-attacks have become rampant across computer systems, networks and websites, and have most widely targeted enterprises' core business web applications, causing shock waves across the IT world. It is critical to follow a cyber-security incident response plan and a risk management plan to overcome cyber threats and vulnerabilities. Evidently, CXOs need to leverage web application security testing and penetration testing to overcome possible attacks on their business applications and systems.
The document discusses an application security platform that provides end-to-end security across web, mobile, and legacy applications. It utilizes multiple techniques like static analysis, dynamic analysis, software composition analysis, and web perimeter monitoring to identify vulnerabilities. The platform was designed for scale as a cloud-based service to securely manage global application infrastructures. It implements structured governance programs backed by security experts to help enterprises reduce risks across their software supply chains.
This document discusses how continuous delivery of software is putting pressure on security teams to keep up with frequent releases. It describes how leading companies are using Fortify's application security solutions to scan more applications faster, better prioritize issues, and integrate security testing throughout development. By shifting security left to earlier phases, these companies find and fix vulnerabilities sooner, reducing remediation time and allowing for faster software delivery cycles to support business needs. The document surveys software security operations at several large financial, energy, and technology companies to evaluate how Fortify helps with scan setup, performance, triaging, remediation, and scalability.
Giving your AppSec program the edge - using OpenSAMM for benchmarking and sof... (Denim Group)
HP Protect 2015 Presentation with Denim Group's John Dickson and HP's Bruce Jenkins - Software security historically has been a bolt-on afterthought, frequently a "nice to do" and not a "must do" activity in many organizations. Despite the obvious need to build security in from the outset, organizations continue to struggle to gain momentum and focus resources in support of a structured and measurable software security assurance program. How can organizations determine the best-fit activities and appropriate resource allocation levels to adequately address software risk? How can security leaders know what other organizations are doing to produce more secure software? This session provides an overview of the Open Software Assurance Maturity Model (OpenSAMM) framework and illustrates how organizations can use it to give their security program the edge necessary to stay competitive in today's DevOps world and need-for-speed go-to-market strategies. The session includes case studies on how organizations are using comparative data and OpenSAMM benchmarking to realize measurable software security improvement.
Originally shared here - https://sessioncatalog.hpglobalevents.com/go/agendabuilder.sessions/?l=19&sid=4026_2744&locale=en_US
5 Challenges of Moving Applications to the Cloud (tCell)
As businesses take the next step in transforming their organization, many struggle to handle the hurdles that come with migrating their applications to the cloud. The major issue when moving applications to the cloud is security. It seems the greatest value of what makes the cloud so attractive to app development is also what makes it so difficult to secure.
Here are 5 main problems when migrating apps to the cloud...
Selecting an App Security Testing Partner: An eGuide (HCLSoftware)
In the age of digital transformation, global businesses leverage web application scanning tools to shape innovative employee cultures, business processes, and customer experiences. The surge in remote work, cloud computing, and online services unveils unprecedented vulnerabilities and threats.
Learn more: https://hclsw.co/ftpwvz
Procuring an Application Security Testing Partner (HCLSoftware)
Procuring an application security testing partner is crucial for safeguarding digital assets. Such a partner specializes in conducting comprehensive assessments using methods such as vulnerability scanning, penetration testing, code review, and threat modeling. Their expertise helps ensure your applications are fortified against cyber threats, providing peace of mind in an increasingly interconnected digital landscape.
Learn More: https://hclsw.co/ftpwvz
José Vila - ¿Otro parche más? No, por favor. [rooted2018] (RootedCON) (title: "Yet another patch? No, please.")
It remains the majority trend in software development that analysing the security of the product is postponed to the last stages of the process. One of the usual reasons is the economic impact of having a secure development lifecycle: it weighs too heavily at the start of the project, and so an integrated methodology across the whole process is discarded.
This approach is increasingly turning against developers and the other parties involved. Once the product has been launched on the market, they end up having to invest unexpected resources because of security problems. Patches, hotfixes, updates... become the monotonous solution, and what they achieve is to end up hindering the usability of the product. Surely a few names come to all our minds.
The purpose of this presentation is to set out the need to integrate security methodologies from the earliest stages of the product lifecycle, the benefits of keeping secure product development in mind, and to show good practices that favour improving product security and produce higher-quality software.
And if you have already heard this at another CON... why aren't you putting it into practice?
In this session we will explore how Cloud Native technologies require us to re-think the way businesses create and scale modern digital solutions. We will explore the trends that are driving the adoption of these technologies and the key use cases for their application. Most importantly, we will uncover the business problems that these technologies are most effective at solving. While many tools exist for Containers, Microservices Architecture, DevOps, and Continuous Delivery processes involved in Cloud Native development, we aim to provide best practices and guidance on how to approach these business problems when solutioning using the Microsoft Azure platform.
American Marketing Association, Legendary Leadership Series: Think like a sof... (Ashish Patel)
Software has been eating the world for more than a decade.
And it has been transforming new business models through platforms and ecosystems that leverage data
It’s important to think deeply about what your company does today, what is its mission?
• Are you a car maker? Are you a service provider of financial services?
• Now I challenge you to re-think that.
o If you are a car maker today; what are the possibilities if you thought of yourself as a software company that happens to make cars?
o Or a software company that happens to offer financial services?
We will explore how to Think like a Software Company on October 16th, see you there!
Join Tony Chapman and me as we host the Legendary Leadership Series.
Digital Transformation: Embracing a Growth Mindset (Ashish Patel)
Transformation is driving innovation in mindset, business processes and models, along with the associated technology to support initiatives. The typical "we've always done it this way" approach simply no longer cuts it in the increasingly competitive digital age. The best-run companies are aware of this and leverage old and new technology to create innovative products and services, gain competitive advantage and enhance customer interaction, all while ultimately improving the bottom line. However, with a reported 80% of IT budgets being spent to maintain existing legacy systems, leaving little to no money for new technologies, IT and line-of-business executives face the conundrum of introducing new systems without disrupting existing, trusted legacies. So how do we make a digital transformation successful? Come learn from one in flight.
Can your business survive the next disaster? (Ashish Patel)
Did you know that 40% of businesses do not re-open after a disaster? Or that it could cost an organization up to $600,000 per hour during a disaster scenario? In today’s “always on” world, businesses must continue to operate no matter what, which means that critical IT infrastructure must be available 24/7/365. In this session we will learn more about a holistic approach towards business continuity & IT resiliency and how organizations can achieve high levels of availability. We will also go over each stage of the business continuity lifecycle and talk about the importance of managed services, key processes and technologies that must be considered for a comprehensive Business Continuity & Resiliency plan.
Where in the world is your Corporate data? (Ashish Patel)
Your employees – and your company data – are on the go every day. As a result, your employees are relying on the use of 3rd party online services without IT approval – that is Shadow IT in your own organization. That’s some risky business. Where in the world is your Corporate Data?
With TeraGo Cloud Drive we are giving you back control of your most valuable asset, your data.
In this webinar you will learn about:
- How Shadow IT is picking up velocity due to the accessibility and ease of cloud applications
- Consequences of weak corporate security mechanisms
- How to give your IT department control of your data and its security
This document discusses DevOps and its challenges in the enterprise. It identifies 5 common pitfalls that enterprises face when adopting DevOps: 1) lack of understanding of DevOps terminology, 2) balancing development and operations interests and accountability, 3) establishing the correct culture, 4) finding champions for buy-in, and 5) justifying DevOps to the business. It then provides recommendations for addressing these challenges, such as focusing on customer experience, using cloud services to improve processes, and establishing metrics to measure DevOps success.
IBM Cloud OpenStack Services provides a managed private cloud built on OpenStack that offers flexibility, scalability, and security. Key benefits include predictable pricing with monthly subscriptions to scale resources up or down, as well as dedicated infrastructure to avoid noisy neighbors. IBM manages the OpenStack management systems, network gateways, compute, and storage hardware to deliver a turnkey private cloud solution.
IBM Corporate Services Corps - Experience in Malaysia (Ashish Patel)
The document summarizes IBM's Corporate Service Corps program, which sends IBM employees to work on projects in developing countries similar to the Peace Corps. It describes a team of IBMers who worked in Malaysia on projects with two organizations: the Spastic Children's Association of Johor and the Handicapped and Mentally Disabled Children's Association Johor. The team helped develop strategies for improving computer education and marketing/fundraising capabilities at the respective organizations over the course of 4 weeks.
This document discusses security challenges and solutions related to cloud computing. It begins by outlining common business and IT challenges, then defines cloud computing and reviews security concerns such as data privacy, reliability, and loss of control. The document proposes that identity and access management, data security, and regulatory compliance are top security risks for cloud computing. It presents IBM solutions for privileged user access control, identity federation, and application isolation that aim to address these risks.
Application Response Measurement (ARM) based Monitoring for Eclipse (Ashish Patel)
This document discusses ARM-based performance monitoring for the Eclipse platform. It provides an overview of Eclipse and the Test and Performance Tools Project (TPTP). It describes how Application Response Measurement (ARM) is used to measure transaction response times across distributed systems. The architecture inserts ARM instrumentation into applications using bytecode instrumentation or aspects. A demonstration is provided and future enhancements are discussed, such as supporting more application types and platforms. Instructions for getting started with the ARM monitoring capabilities in Eclipse are also included.
IBM Performance Optimization Toolkit for Rational Performance Tester (Ashish Patel)
The document summarizes an IBM conference session about the IBM Performance Optimization Toolkit (IPOT) for identifying performance problems. IPOT integrates with IBM Rational tools to monitor applications during development, testing and production. It collects resource and transaction data to help correlate problems and determine their root cause. The session agenda included an IPOT overview, examples of using it to analyze issues, and a demo.
IBM Performance Optimization Toolkit for Rational Application Developer (Ashish Patel)
This document summarizes an IBM conference session about the IBM Performance Optimization Toolkit (IPOT) for optimizing application performance. IPOT allows developers, testers and support teams to monitor applications in real-time, integrate performance data with development tools, and help determine the root cause of performance issues. The session agenda included an IPOT overview, examples of profiling applications and monitoring resources and logs, and a demo.
Using and Extending the Eclipse Test and Performance Tools Platform (TPTP) fo... (Ashish Patel)
The document discusses using the Eclipse Test and Performance Tools Platform (TPTP) for data collection in self-healing systems. TPTP provides a framework and tools for collecting log and trace data from different systems through common interfaces. It defines common data models and agents that can collect log, trace, and statistical data. The collected data is normalized and can then be analyzed to help identify problems and enable self-healing capabilities through correlation of events.
The Microsoft 365 Migration Tutorial For Beginner.pptx (operationspcvita)
This presentation will help you understand the power of Microsoft 365. It covers every productivity app included in Office 365, outlines the migration scenarios related to Office 365, and explains how we can help you.
You can also read: https://www.systoolsgroup.com/updates/office-365-tenant-to-tenant-migration-step-by-step-complete-guide/
In the realm of cybersecurity, offensive security practices act as a critical shield. By simulating real-world attacks in a controlled environment, these techniques expose vulnerabilities before malicious actors can exploit them. This proactive approach allows manufacturers to identify and fix weaknesses, significantly enhancing system security.
This presentation delves into the development of a system designed to mimic Galileo's Open Service signal using software-defined radio (SDR) technology. We'll begin with a foundational overview of both Global Navigation Satellite Systems (GNSS) and the intricacies of digital signal processing.
The presentation culminates in a live demonstration. We'll showcase the manipulation of Galileo's Open Service pilot signal, simulating an attack on various software and hardware systems. This practical demonstration serves to highlight the potential consequences of unaddressed vulnerabilities, emphasizing the importance of offensive security practices in safeguarding critical infrastructure.
"Frontline Battles with DDoS: Best practices and Lessons Learned", Igor IvaniukFwdays
In this talk we will discuss DDoS protection tools and best practices, network architectures, and what AWS has to offer. We will also look into one of the largest DDoS attacks on Ukrainian infrastructure, which happened in February 2022: which techniques helped keep web resources available for Ukrainians, and how AWS improved DDoS protection for all customers based on the Ukraine experience.
Introducing BoxLang : A new JVM language for productivity and modularity! (Ortus Solutions, Corp)
Just like life, our code must adapt to the ever changing world we live in. From one day coding for the web, to the next for our tablets or APIs or for running serverless applications. Multi-runtime development is the future of coding, the future is to be dynamic. Let us introduce you to BoxLang.
Dynamic. Modular. Productive.
BoxLang redefines development with its dynamic nature, empowering developers to craft expressive and functional code effortlessly. Its modular architecture prioritizes flexibility, allowing for seamless integration into existing ecosystems.
Interoperability at its Core
With 100% interoperability with Java, BoxLang seamlessly bridges the gap between traditional and modern development paradigms, unlocking new possibilities for innovation and collaboration.
Multi-Runtime
From the tiny 2m operating system binary to running on our pure Java web server, CommandBox, Jakarta EE, AWS Lambda, Microsoft Functions, Web Assembly, Android and more. BoxLang has been designed to enhance and adapt according to its runtime.
The Fusion of Modernity and Tradition
Experience the fusion of modern features inspired by CFML, Node, Ruby, Kotlin, Java, and Clojure, combined with the familiarity of Java bytecode compilation, making BoxLang a language of choice for forward-thinking developers.
Empowering Transition with Transpiler Support
Transitioning from CFML to BoxLang is seamless with our JIT transpiler, facilitating smooth migration and preserving existing code investments.
Unlocking Creativity with IDE Tools
Unleash your creativity with powerful IDE tools tailored for BoxLang, providing an intuitive development experience and streamlining your workflow. Join us as we embark on a journey to redefine JVM development. Welcome to the era of BoxLang.
Northern Engraving | Modern Metal Trim, Nameplates and Appliance Panels (Northern Engraving)
What began over 115 years ago as a supplier of precision gauges to the automotive industry has evolved into being an industry leader in the manufacture of product branding, automotive cockpit trim and decorative appliance trim. Value-added services include in-house Design, Engineering, Program Management, Test Lab and Tool Shops.
"Choosing proper type of scaling", Olena SyrotaFwdays
Imagine an IoT processing system that is already quite mature and production-ready and for which client coverage is growing and scaling and performance aspects are life and death questions. The system has Redis, MongoDB, and stream processing based on ksqldb. In this talk, firstly, we will analyze scaling approaches and then select the proper ones for our system.
AppSec PNW: Android and iOS Application Security with MobSF (Ajin Abraham)
Mobile Security Framework - MobSF is a free and open source automated mobile application security testing environment designed to help security engineers, researchers, developers, and penetration testers to identify security vulnerabilities, malicious behaviours and privacy concerns in mobile applications using static and dynamic analysis. It supports all the popular mobile application binaries and source code formats built for Android and iOS devices. In addition to automated security assessment, it also offers an interactive testing environment to build and execute scenario based test/fuzz cases against the application.
This talk covers:
- Using MobSF for static analysis of mobile applications.
- Interactive dynamic security assessment of Android and iOS applications.
- Solving mobile app CTF challenges.
- Reverse engineering and runtime analysis of mobile malware.
- How to shift left and integrate MobSF/mobsfscan SAST and DAST in your build pipeline.
Lee Barnes - Path to Becoming an Effective Test Automation Engineer.pdf (leebarnesutopia)
So… you want to become a Test Automation Engineer (or hire and develop one)? While there is quite a bit of information available about the important technical and tool skills to master, there is not enough discussion about the path to becoming an effective Test Automation Engineer who knows how to add VALUE. In my experience this has led to a proliferation of engineers who are proficient with tools and building frameworks but have skill and knowledge gaps, especially in software testing, that reduce the value they deliver with test automation.
In this talk, Lee will share his lessons learned from over 30 years of working with, and mentoring, hundreds of Test Automation Engineers. Whether you’re looking to get started in test automation or just want to improve your trade, this talk will give you a solid foundation and roadmap for ensuring your test automation efforts continuously add value. This talk is equally valuable for both aspiring Test Automation Engineers and those managing them! All attendees will take away a set of key foundational knowledge and a high-level learning path for leveling up test automation skills and ensuring they add value to their organizations.
What is an RPA CoE? Session 2 – CoE Roles (DianaGray10)
In this session, we will review the players involved in the CoE and how each role impacts opportunities.
Topics covered:
• What roles are essential?
• What place in the automation journey does each role play?
Speaker:
Chris Bolin, Senior Intelligent Automation Architect Anika Systems
Getting the Most Out of ScyllaDB Monitoring: ShareChat's Tips (ScyllaDB)
ScyllaDB monitoring provides a lot of useful information. But sometimes it’s not easy to find the root of the problem if something is wrong or even estimate the remaining capacity by the load on the cluster. This talk shares our team's practical tips on: 1) How to find the root of the problem by metrics if ScyllaDB is slow 2) How to interpret the load and plan capacity for the future 3) Compaction strategies and how to choose the right one 4) Important metrics which aren’t available in the default monitoring setup.
QR Secure: A Hybrid Approach Using Machine Learning and Security Validation F... (AlexanderRichford)
QR Secure: A Hybrid Approach Using Machine Learning and Security Validation Functions to Prevent Interaction with Malicious QR Codes.
Aim of the Study: The goal of this research was to develop a robust hybrid approach for identifying malicious and insecure URLs derived from QR codes, ensuring safe interactions.
This is achieved through:
Machine Learning Model: Predicts the likelihood of a URL being malicious.
Security Validation Functions: Ensures the derived URL has a valid certificate and proper URL format.
This innovative blend of technology aims to enhance cybersecurity measures and protect users from potential threats hidden within QR codes 🖥 🔒
This study was my first introduction to using ML which has shown me the immense potential of ML in creating more secure digital environments!
Discover the Unseen: Tailored Recommendation of Unwatched Content (ScyllaDB)
The session shares how JioCinema approaches "watch discounting". This capability ensures that once a user has watched a certain amount of a show or movie, the platform no longer recommends that content to the user. Flawless operation of this feature promotes the discovery of new content, improving the overall user experience.
JioCinema is an Indian over-the-top media streaming service owned by Viacom18.
2. IBM Software Group | Rational software
Executive Summary
- Application security continues to be a top security threat
- Regulatory compliance (PCI), user demand (Web 2.0) and enterprise modernization (SOA) are driving awareness and action for security testing
- The cost and lack of coverage of reactive security is driving companies towards proactive measures: building security into the application development process
- Traditional approaches make it unlikely that development will support security testing, due to schedule risks and potential project failure
[Chart on the slide: cost/complexity over time, Security Team versus Operations/Infrastructure]
IBM Rational is announcing a new, innovative approach for integrating security testing into application development, providing the most accurate and easy-to-use solution for non-security professionals
3. Evolving Threats to Your Applications
4. Market Overview
- Web application security buyers/users: Security Team (90%) / Development Organization (10%)
- Web application security is being addressed in three ways: Security Team (40%) / Development Organization (10%) / Outsourcing (50%)
- Mainstream adoption is happening beyond the lead sectors (FinServ / Technology / Government): eCommerce (PCI), State/Local government, universities and SMB (risk awareness) have a growing presence
- Vendors are ahead of market adoption: R&D investment is focused on solutions for development and QA adoption, yet these are less than 10% of buyers (large customer projects); all projects are still owned by Security and the majority of opportunities are security-only (e.g. emerging SMB)
- Development may have more adoption momentum than QA: driven by the natural fit of code-analysis security testing with the developer use case; requires that offerings align code analysis with development requirements, not security requirements
5. Current Market Drivers
- Increase in vulnerabilities / disclosures: application security has become the top threat
- Regulatory compliance: requirements such as PCI, HIPAA, GLBA, etc.
- User demand for rich applications is pushing development to advanced code techniques; Web 2.0 exposes applications to more threats
- Enterprise modernization is driving traditional applications to the online world (SOA), increasing corporate risk
- Cost cutting in the current economic climate demands increased efficiencies
Source: IBM ISS Threat Report
Headlines cited on the slide:
- LexisNexis data breach (Washington Post, Feb 17, 2008)
- IndiaTimes.com malware (InformationWeek, Feb 17, 2008)
- Hacker breaks into Ecuador's presidential website (Thaindian, Feb 11, 2008)
6. IBM Software Group | Rational software
Evolution of the Software Factory: Manual -> Assembly Line -> Automated
Manual: Expensive; Low Productivity; Error Prone; Inconsistent; Resource intensive; Manual Governance
Automated: Efficient/Cheaper; High Productivity; High Quality; Consistent/Repeatable; Self Documenting; Automated Governance
IBM Rational AppScan
7. IBM Software Group | Rational software
What is the cost of a defect?
The increasing costs of fixing a defect:
During the coding phase: $25/defect
During the build phase: $100/defect
During the QA/Testing phase: $450/defect
Once released as a product: $16,000/defect
80% of development costs are spent
identifying and correcting defects!
8. IBM Software Group | Rational software
Embed security testing
into the development
environment and workflow
Seamlessly add security
testing alongside functional
& performance testing
Dashboard provides filtered
relevant data for more
informed decision-making
Full traceability for security
issue prioritization
CISO
Tester
Developer
Build
Manager
QA
Manager
Automated security tests
embedded into the build
process
All test assets and results
in one repository
Quality process
enactment
Rational AppScan
Rational AppScan Developer & Build Editions raise the industry bar
Delivering security-focused solutions across the development lifecycle
9. IBM Software Group | Rational software
Enabling the Operationalization of Security Testing
Enable the Security
Testing Organization
Rational AppScan Express Edition
Rational AppScan Standard Edition
Rational AppScan Enterprise Edition
Requires web application security
subject matter expertise
Single-step security testing (no
additional oversight required as
expertise is built-in)
Eliminates training requirements
for non-security experts
Control, Monitor, Collaborate and Report Web Application Security Testing
Embed Security
Testing in the SDLC
Rational AppScan Developer Edition
Rational AppScan Build Edition
Rational AppScan Tester Edition
Rational AppScan Standard Edition
Rational AppScan Reporting Console
Implement environment-specific security
testing solution for select stakeholders
Alleviates security testing bottleneck
downstream
Increases security awareness across the
organization (code security improvement,
vulnerability awareness)
Enables a more efficient process for on-
time and on-budget application
development
Outsource Security
Testing
Rational AppScan OnDemand
Rational AppScan Security Consulting
Outsource web application security
infrastructure or testing
Enables immediate identification
for sources of online risk without
the necessary time and investment
for in-house training and resources
Customers are addressing Web Application Security in three ways:
10. IBM Software Group | Rational software
Embedding Security in the Development Lifecycle
Primary goals for Web Application Security
1. Manage Online risk with security audits
2. Realize process efficiencies with testing coverage
occurring early in the development lifecycle
Security Auditors Challenge
Accountable for managing organizational risk through on-line activity
Limited resources (by budget or skillset) to provide timely security
testing coverage
The result is a bottleneck that impacts development release cycles
The Solution
Engage more testers earlier in the development lifecycle
Emerging focus
11. IBM Software Group | Rational software
Security tools are being pitched to developers
Security tools require security expertise and don’t address the developer use case
Lack necessary process integration to enable success
Current static analysis suffers from accuracy and efficiency shortcomings
Creating doubt and pushback from development organizations
No solution provides viable mix of blackbox & whitebox technology
High cost of static analysis-only offerings
High cost yet still incomplete solutions
Lack of training
Developers are not mandated or motivated to train on secure code practices
Priority remains on building functionality
Current Static analysis offerings are lacking
12. IBM Software Group | Rational software
Challenge: Building software securely from the ground up
Security Auditors need to enable more testers in the process, but software developers are
not trained to be security experts, nor can they meet new development demands
Niche security testing teams have been performing audits before code can pass to production
These teams cannot keep up with the demand from hundreds of developers pushing new applications
frequently > as a result software releases are delayed or risk is introduced
Need to engage more testers earlier in the process
Need to make it simple for non-security professionals
How do we get more resources to provide
more security testing for our applications
How do we make it easier
to identify security vulnerabilities?
How can I ensure our developers are
implementing our corporate policies?
Development does not like us halting releases due
to security issues. How can I give them back control?
13. IBM Software Group | Rational software
Solution: Utilize offerings designed for the development environment to
identify and fix security issues early in the development process, and turn
the security audit into the final check, not the first step
Rational AppScan Developer Edition & AppScan Build Edition provide
security and compliance checks
Combination of Static Code Analysis and Dynamic Analysis provide non-security
professionals in development the ability to accurately check for security defects in code
Designed for the developer’s use case to seamlessly fit security testing into the
development workflow
AppScan Build Edition embeds automated security testing into the build process
Provides remediation advice to simplify ability to fix security issues
High accuracy security issue identification that developers can understand and fix
Includes embedded security issue training
Bite-sized training modules allow developers to quickly understand
the security issue and make appropriate fix
Facilitates non-disruptive adoption of security testing solutions to improve application
IBM Rational AppScan Developer Edition
IBM Rational AppScan Build Edition
14. IBM Software Group | Rational software
Expertise: Development is not focused on or trained to address security issues. Not having security expertise makes the development
adoption of security testing a challenge. For development to be effective, solutions must be designed for non-security professionals
and fit the developer’s use case, thereby improving accuracy and efficiency and avoiding disruption.
Cost/time: The push to move more business services online places greater demand on limited
security testing resources to achieve testing coverage. Tools that naturally fit into the development process provide lifecycle
efficiencies as security issues are now identified and addressed much earlier in the process.
Compliance: Embedding security testing into development processes and systems supports the same governance
requirements inherent in development & testing organizations, but the added risk of security vulnerabilities demands
stringent governance processes to log, track & ensure remediation of identified security issues.
Bottom line – Development adoption of
security testing results in more secure
software with on-time release schedules
Development is critical to the security challenge
Easing the security bottleneck can only be achieved by engaging more resources
15. IBM Software Group | Rational software
Addressing organizational security testing requirements
Enable more testers in the process to alleviate the security bottleneck
Powered by automation
Collaborative life cycle
Govern software delivery
Development & Security Analysts collaborate to achieve
greater testing coverage earlier in the development process.
Automate security testing as part of the normal code-build
process within existing development environments,
eliminating the need for non-security personnel to learn new
or advanced security tools
Govern the process of issue remediation by providing the
ability to log security issues directly into defect tracking tools
Rational AppScan Developer Edition & AppScan Build Edition
can be embedded into the development process
17. IBM Software Group | Rational software
Rational AppScan Developer Edition and Build Edition Themes
Designed for Developers, not Security Auditors
Self-Serve – No Security Expertise Required
Natural fit into the Development Lifecycle Process
& Tools
Best Web Application Security Analysis
[Figure: Total Potential Security Issues, covered by Dynamic Analysis, Static Analysis and Runtime Analysis]
Enable more people to contribute to security testing
coverage with solutions for specific use cases
Use case offerings facilitate the adoption of security
with minimal disruption to existing objectives
Business Outcome
18. IBM Software Group | Rational software
Analysis Techniques Used
Static Code Analysis <> Whitebox
- Looking at the code for issues (code-
level scanning)
Dynamic Analysis <> Blackbox
- Sending tests to a functioning
application
String Analysis
- IBM patent pending code analysis
technique
- Code analysis version of “Scan Expert”
for efficient configuration of scan to
enable accurate results
Composite Analysis
- Blend of all testing techniques for
improved accuracy of reporting
- Leverages the strengths and overcomes the
weaknesses of each individual
technique
Runtime Analysis
- Monitoring behavior for feedback while
application is running at a detailed level
to tell where a vulnerability exists in the
execution code
19. IBM Software Group | Rational software
Black Box
- Accuracy
- Source free
- Code coverage
- HTTP awareness only
- Multi components support
- Requires deployed application
- Few prerequisites
- Works as a remote attacker
White Box
- Code/path coverage
- Limited to given code
- More than HTTP validations
- Support partial applications
- Support per language/framework
- No need to deploy application
- Over approximation
- Integration/deployment issues
AppScan DE: combines Black Box and White Box
20. IBM Software Group | Rational software
String Analysis
IBM patent-pending technology
Potentially game-changing technology in code-analysis
Existing white-box offerings use Taint Analysis
Requires configuration, dependent on both knowledge of code & security expertise to be
done accurately
Inaccurate configuration results in volumes of false positives
String Analysis automates configuration
Removes largest driver of inaccurate results of static code analysis
Simplifies use for developers (for non-security experts)
Taint analysis measures whether an input is tainted, string analysis can determine
exactly how it is tainted
21. IBM Software Group | Rational software
String Analysis vs. Taint Analysis
Configuration
- Taint Analysis: Users must spend a long time configuring sanitizers
- String Analysis: Accurate out-of-the-box; no need to define what the sanitizers are
Configuration Validation
- Taint Analysis: The entire analysis is based on correct user configuration
- String Analysis: String Analysis can validate the correctness of user-defined sanitizers
Inline sanitizers
- Taint Analysis: No support; users have to change their code to scan it
- String Analysis: Supports
Validators
- Taint Analysis: No support; users have to change their code to scan it
- String Analysis: Supports
Result confidence
- Taint Analysis: Many “low confidence” results that require security professionals to verify
- String Analysis: “Self-serve” solution underlines high confidence results; developer can trust results to be real
Advanced
- Taint Analysis: Restricted to identifying taint only
- String Analysis: Allows improved and accurate analysis to pinpoint specific issues
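As an added illustration of the Configuration Validation, Inline sanitizers and Validators rows above (this is not AppScan’s code or its actual algorithm), here is a small Python model of the two approaches: taint analysis tracks only whether a value is user-controlled and trusts anything configured as a sanitizer, while a string analysis tracks what the value may contain (here, the set of characters it can hold) and can therefore check a user-defined sanitizer or validator against a sink. The three sanitizers, the character-set abstraction and the HTML text sink rule are all constructed for this example.

```python
"""Taint analysis vs. string analysis on sanitizer validation (illustrative model).

Taint analysis tracks one bit per value: is it user-controlled? A function the
user has configured as a 'sanitizer' clears that bit, so a wrong sanitizer is
never caught. String analysis instead tracks *what the string may contain*;
here the abstract value is the set of characters a string may contain (an
over-approximation), which is enough to check a sanitizer against a sink.
"""
from dataclasses import dataclass

# Assumptions for this model: sources may contain any printable ASCII, and a
# value written into HTML text is unsafe if it can still contain '<' or '>'.
ANY_CHAR = frozenset(chr(c) for c in range(32, 127))
HTML_TEXT_FORBIDDEN = frozenset("<>")
ALNUM = frozenset("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789")


@dataclass(frozen=True)
class Tainted:
    """Taint-analysis abstract value: only 'user-controlled or not'."""
    tainted: bool


@dataclass(frozen=True)
class CharSet:
    """String-analysis abstract value: characters the string may contain."""
    chars: frozenset

    def replace_char(self, old: str, new: str) -> "CharSet":
        """Abstract s.replace(old, new) for a single-character old: old can no
        longer occur, every character of new may occur."""
        assert len(old) == 1
        return CharSet((self.chars - {old}) | frozenset(new))

    def replace_substring(self, old: str, new: str) -> "CharSet":
        """Abstract s.replace(old, new) for a multi-character old: removing one
        substring guarantees nothing about single characters (they can survive
        outside or around a removed occurrence), so the set can only grow."""
        return CharSet(self.chars | frozenset(new))

    def restrict(self, allowed: frozenset) -> "CharSet":
        """Abstract effect of a validator that rejects any other character."""
        return CharSet(self.chars & allowed)


# Three constructed sanitizers. Each handles both abstract domains so the same
# function can be run under either analysis.
def blocklist_sanitizer(v):
    """Buggy: strips the literal '<script>' and nothing else."""
    if isinstance(v, CharSet):
        return v.replace_substring("<script>", "")
    return Tainted(False)          # taint analysis was told this is a sanitizer


def escape_sanitizer(v):
    """Correct for HTML text: escapes every metacharacter (ampersand first)."""
    if isinstance(v, CharSet):
        for ch, entity in (("&", "&amp;"), ("<", "&lt;"), (">", "&gt;"),
                           ('"', "&quot;"), ("'", "&#39;")):
            v = v.replace_char(ch, entity)
        return v
    return Tainted(False)


def allowlist_validator(v):
    """Correct: rejects the request unless the value is alphanumeric."""
    if isinstance(v, CharSet):
        return v.restrict(ALNUM)
    return Tainted(False)


def taint_analysis(sanitizer) -> bool:
    """True if the sink is flagged. Whatever is configured as a sanitizer is
    trusted, so the answer is False for all three functions above."""
    return sanitizer(Tainted(True)).tainted


def string_analysis(sanitizer, forbidden=HTML_TEXT_FORBIDDEN) -> list:
    """Characters that can still reach the sink after the sanitizer; an empty
    list means the sanitizer is proven effective for this sink."""
    reaching = sanitizer(CharSet(ANY_CHAR))
    return sorted(reaching.chars & forbidden)


def compare(sanitizer) -> dict:
    return {"taint_flags_sink": taint_analysis(sanitizer),
            "string_analysis_residual": string_analysis(sanitizer)}


if __name__ == "__main__":
    for s in (blocklist_sanitizer, escape_sanitizer, allowlist_validator):
        print(f"{s.__name__:20} {compare(s)}")
```

The point of the model is the `blocklist_sanitizer` row: taint analysis reports the sink as clean because the function was declared a sanitizer, whereas the string analysis shows that `<` and `>` can still reach the sink and so the configuration is wrong. A real string analysis uses a richer abstraction (string grammars rather than character sets), but the validation argument is the same.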
22. IBM Software Group | Rational software
Why Buy…
Broadest suite of offerings to
support security testing across the
development lifecycle
Only web application security
testing solution to provide combined
code, dynamic, runtime and string
analysis
Broadest set of security compliance
reporting
Integration with Rational portfolio
allowing security to become a
natural part of the software
development process
R&D backed by IBM’s $1.5B annual
investment in security
Designed for Developers, not Auditors
Designed for developer efficiency & addresses non-security
expertise
Enable both centralized and broad security testing (“Test
before check in” model)
Best Application Security Analysis
Includes multiple analysis techniques - leverages strengths of
all techniques & overcomes weaknesses
Emphasis on Accuracy (low FP) & Actionable Results
Self-Serve Security Testing for Developers
Detailed results include all you need to know
Remediation view turns risk into tasks
Detailed Fix Recommendations clarify required actions
Built-in & accompanying training supports self-serve
Naturally fits into the SDLC process
Minimize disruption
Scale to large number of users
Support collaboration within development
Integrate with development tools
…IBM? …Rational AppScan Developer Edition?
23. IBM Software Group | Rational software
Highlights
What is AppScan Developer Edition?
A solution created to empower developers with the ability to
invoke Web application security testing within their
development environment
Designed as a complement to the Rational AppScan family of
security testing solutions, it enables the development
organization to address the volumes of security issues that can
be introduced in code.
Supports existing developer and build environment use cases
for efficient and non-disruptive adoption of security testing with
IDE & build server integrations
What does it do?
Provides security and compliance checks using static code
analysis for security vulnerabilities,
Enables developers (who are not security experts) to address
security defects early in the development process, where the cost of
fixing issues is lowest
Comprehensive Security Analysis
Next-Generation Accuracy
Unparalleled Ease of Use
Identification of line-of-code
Self-Serve Security Testing for
Developers
Seamless Integration into the
Development Process
Complete the Rational AppScan
End-to-End security solution
Overview
24. IBM Software Group | Rational software
What is AppScan Build Edition?
A solution created to embed automated Web application
security into the build process
Designed as a complement to the Rational AppScan family of
security testing solutions, it enables the development
organization to address the volumes of security issues that can
be introduced in code.
Supports existing developer and build environment use cases
for efficient and non-disruptive adoption of security testing with
IDE & build server integrations
What does it do?
Allows scans from AppScan Standard Edition or AppScan
Developer Ed to be processed in a non-UI / scriptable mode
Provides simple/generic command line support for integration
into most build environments, with an additional adaptor for
BuildForge
Automated Security Testing in the
Development Process
Comprehensive Security Analysis
Next-Generation Accuracy
Code Coverage
Identification of line-of-code
Seamless Integration into the
Development Process
Complete the Rational AppScan
End-to-End security solution
Overview
Highlights
25. IBM Software Group | Rational software
Lanes: Code, Build, QA, Security
AppScan
Standard Ed
(desktop)
Typical Customer Adoption To Date
AppScan
Enterprise user
(web client)
IBM Rational Web Based Training for AppScan
IBM Rational AppScan Enterprise / Reporting Console
Automate Security /
Compliance testing in
the Build Process
Build security testing
into the IDE
Security / compliance testing
incorporated into testing &
remediation workflows
Security and Compliance
Testing, oversight, control,
policy, in-depth tests
Market Maturity
26. IBM Software Group | Rational software
Rational
BuildForge
Rational Quality
Manager
Rational
Application
Developer
Rational
Software
Analyzer
Rational
ClearCase
Rational ClearQuest / Defect Management
AppScan
Standard Ed
(desktop)
IBM Rational AppScan Ecosystem
AppScan
Enterprise user
(web client)
AppScan Build Ed
(scanning agent)
IBM Rational Web Based Training for AppScan
AppScan Express
(desktop)
AppScan
Developer Ed
(desktop)
AppScan Ent.
QuickScan
(web client)
AppScan Tester Ed
(scanning agent)
(QA clients)
AppScan Enterprise / Reporting Console
CODE
Build security testing into the
IDE*
BUILD
Automate Security / Compliance
testing in the Build Process
QA
Security / compliance testing
incorporated into testing &
remediation workflows
SECURITY
Security & Compliance Testing,
oversight, control, policy, audits
27. IBM Software Group | Rational software
AppScan
Standard Ed
(desktop)
The New IBM Rational AppScan Ecosystem
AppScan
Enterprise user
(web client)
AppScan Build Ed
(scanning agent)
IBM Rational Web Based Training for AppScan
AppScan Express
(desktop)
AppScan
Developer Ed
(desktop)
AppScan Ent.
QuickScan
(web client)
AppScan Tester Ed
(scanning agent)
(QA clients)
Rational
BuildForge
Rational Quality
Manager
Rational
Application
Developer
Rational
Software
Analyzer
Rational
ClearCase
Rational ClearQuest / Defect Management
AppScan Enterprise / Reporting Console
Code
Build security testing into the
IDE*
Build
Automate Security / Compliance
testing in the Build Process
QA
Security / compliance testing
incorporated into testing &
remediation workflows
Security
Security & Compliance Testing,
oversight, control, policy, audits
28. IBM Software Group | Rational software
AppScan Developer Edition - Proactive Use Case
1. Developer Writes Code
2. Developer Tests Changes
Using AppScan DE
3. Developer Fixes or Logs Issues
4. Developer Checks in Code
29. IBM Software Group | Rational software
AppScan Build Edition Use Case
1. Build System compiles code
2. AppScan Static Analysis Invoked
3. Application auto-deployed
4. AppScan Dynamic Analysis Invoked
5. Found issues logged
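The five steps above, together with the Composite Analysis described on the “Analysis Techniques Used” slide (static results confirmed by dynamic results, runtime analysis mapping black-box issues to a line of code), as an added Python model that is not AppScan Build Edition’s code: static findings (file and line), dynamic findings (URL and parameter) against the deployed build, and a runtime trace linking each request to the code it executed are correlated; a static finding confirmed by a dynamic one gets high confidence; a build gate decides whether the build passes; and every issue becomes a defect record. The findings, the runtime map, the field names and the gate policy are all constructed for the example.

```python
"""Composite analysis as a build-pipeline gate (illustrative model; the data
format, field names and gate policy are constructed for this example).

Pipeline position: after the build has compiled, static analysis has run on the
code, the application has been auto-deployed and dynamic analysis has run
against it. Runtime analysis supplies the trace that links requests to code.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class StaticFinding:
    issue: str          # vulnerability class reported by static analysis
    file: str
    line: int


@dataclass(frozen=True)
class DynamicFinding:
    issue: str          # vulnerability class reported by dynamic analysis
    url: str
    param: str


@dataclass
class Issue:
    issue: str
    file: Optional[str]
    line: Optional[int]
    confidence: str     # "confirmed", "static-only" or "dynamic-only"
    evidence: List[str] = field(default_factory=list)


# Constructed sample results for one build.
STATIC = [
    StaticFinding("XSS", "SearchServlet.java", 42),
    StaticFinding("SQL Injection", "UserDao.java", 88),
    StaticFinding("XSS", "ProfileServlet.java", 10),
]
DYNAMIC = [
    DynamicFinding("XSS", "/search", "q"),
    DynamicFinding("XSS", "/help", "topic"),
]
# Runtime analysis: for each request URL, the sink locations executed while
# the dynamic test ran (the execution flow behind a black-box issue).
RUNTIME_MAP: Dict[str, List[Tuple[str, int]]] = {
    "/search": [("SearchServlet.java", 42)],
    "/help": [("HelpServlet.java", 17)],
}


def correlate(static, dynamic, runtime_map) -> List[Issue]:
    """Merge the three result sets. A static finding confirmed by a dynamic
    finding of the same class whose runtime trace reaches the same file:line
    is high confidence; the rest keep their single-technique origin."""
    issues: List[Issue] = []
    matched = set()
    for s in static:
        evidence = []
        for i, d in enumerate(dynamic):
            if d.issue == s.issue and (s.file, s.line) in runtime_map.get(d.url, []):
                evidence.append(f"{d.url}?{d.param}")
                matched.add(i)
        issues.append(Issue(s.issue, s.file, s.line,
                            "confirmed" if evidence else "static-only", evidence))
    for i, d in enumerate(dynamic):
        if i in matched:
            continue
        # Black-box issue with no static counterpart: runtime analysis still
        # gives a line of code (first executed sink used here).
        locs = runtime_map.get(d.url, [])
        file, line = locs[0] if locs else (None, None)
        issues.append(Issue(d.issue, file, line, "dynamic-only", [f"{d.url}?{d.param}"]))
    return issues


def build_gate(issues, fail_on=("confirmed",)) -> bool:
    """True when the build may proceed. The default policy only breaks the
    build on issues both techniques agree on, so theoretical static results
    cannot block a release on their own."""
    return not any(i.confidence in fail_on for i in issues)


def to_defects(issues) -> List[dict]:
    """Step 5: one defect-tracker record per issue, with the evidence attached."""
    return [{"title": f"{i.issue} at {i.file or 'unknown'}:{i.line if i.line is not None else '?'}",
             "confidence": i.confidence,
             "evidence": list(i.evidence)} for i in issues]


if __name__ == "__main__":
    found = correlate(STATIC, DYNAMIC, RUNTIME_MAP)
    for d in to_defects(found):
        print(d)
    print("build passes:", build_gate(found))
```

With the constructed data the XSS in SearchServlet.java is confirmed by the dynamic test of `/search?q` and fails the build, the SQL injection and the second XSS stay theoretical static-only results, and the `/help` issue found only by dynamic analysis is still attributed to HelpServlet.java via the runtime trace, which is what lets a developer act on a black-box finding without a security specialist reproducing it.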
30. IBM Software Group | Rational software
AppScan Developer Edition - Reactive Use-Case
1. Developer receives Defect *
(preferably with scan file)
2. Developer loads scan or
reproduces issue using AppScan DE
3. Developer Fixes Issue In Code
4. Developer Re-Tests using AppScan Dev Ed
5. Developer checks in fix and updates defect
* Defect originating from
other developer, QA or
Build System
31. IBM Software Group | Rational software
Rational AppScan Value Propositions
Customer Pain:
Client has acquired a web application testing
desktop point product being run by a security
auditor.
Limited licenses or resources performing the
testing have created a bottleneck by the security
team, and it is impeding the deployment of
applications.
Value for Customer
IBM Rational AppScan portfolio of web
application security testing solutions enables
software development stakeholders from
development, build management and QA to share
in the security testing responsibility and alleviates
the resource limitations of the security team.
Unlike
competitors, who lack IBM’s investment in
security (which allows IBM to lead with the
broadest and most advanced security testing) and
lack the customer experience to enable customer
success
Customer Pain:
Client needs the development organization to
address the process inefficiencies and project
delays resulting from security testing bottleneck
occurring late in the development process.
Value for Customer
IBM Rational AppScan Developer Ed and
Rational AppScan Build Ed provide security
testing solutions that are designed for
development use cases to enable security testing
for non-security experts
The offerings allow for the identification and
remediation of security issues much earlier in the
development process, resulting in a more efficient
process and projects delivered on time.
Unlike
competitors, who lack the breadth and strength
of testing techniques to provide the necessary
efficiencies and accuracy for development to be
successful with security testing
For Security Team For Development
42. IBM Software Group | Rational software
Rational Software
Analyzer Integration
(adding Quality-related
Static Analysis)
Editor's Notes
Overview
To be competitive in today’s fast-paced business environment requires increased visibility and automation of governance and compliance measures. As software has become the driving force behind innovation, customers are focusing on improving and automating quality and security earlier in the software delivery lifecycle. The addition of Rational Software Analyzer to Rational’s quality management capabilities provides a centralized, extensible foundation for static analysis driving increased quality and reduced risk.
Centralized quality automation simplifies software delivery processes decreasing overhead and increasing software reliability
An extensible foundation enables inclusion of rules such as security, compliance, and intellectual property vulnerabilities increasing team responsiveness to business priorities
Powerful reporting features increase project visibility and support enforcement of corporate IT governance and compliance directives
NEW!
Rational Software Analyzer Available 4/29/08
Rational AppScan Developer Edition Beta Available 5/26/08
The National Institute of Standards and Technology (NIST) reports that “…80% of development costs [are spent] on identifying and correcting defects
The ‘Cost of Defect’ figures are from Capers Jones (Applied Software Measurement, 1996):
At coding time - $25/defect
At build time - $100/defect
At QA - $450/defect
At field level - $16,000/defect
Here’s how we’re raising the quality bar and delivering innovation and value to our customers with RQM: how we’re bringing new differentiators to this space not delivered before…
(HP does not have ALM integration)
(HP lags with requirements integration)
Improved efficiency, utilization, and quality of test lab operations. (Unique market differentiator)
Test Case Prioritization (Unique market differentiator)
Real-time detection of defects and test case prioritization for resolution
Remote launch and control of integrated point products (Unique market differentiator)
(HP is closed - each vendor needs special arrangement to exchange data)
Pattern analysis and recognition (unique market differentiator) ??
Klocwork coming from quality with limited security expertise
Cenzic struggling & limited to blackbox solution
This leaves Fortify & HP/SPI
Fortify is lacking the blackbox capability to complement whitebox offerings for a complete & cost viable solution
HP/SPI has a credible blackbox offering, but a deficient whitebox offering leaving a poor hybrid solution
Rational AppScan Developer Edition provides security and compliance checks alongside of Rational Software Analyzer
Combines static analysis providing non-security professionals the ability to check for security defects in web applications
Ability to execute multiple scan rules and tools from a common framework increases productivity
Provides remediation advice to facilitate developer efforts to fix security issues efficiently
Developer Essentials test policy provides high accuracy issue identification for security issues that developers can understand and fix efficiently
Includes embedded security issue training
Bite-sized training modules allow developers to quickly understand the security issue and make the appropriate fix
Facilitates non-disruptive adoption of security testing solutions to improve application
If team is not collaborating what happens?
If team is not leveraging automation, what is the impact?
If team does not have appropriate level of governance, what happens?
Designed for Developers, not Auditors
Support partially built applications
Manual Explore based scans on specific working flows
Static Analysis supports applications once they compile
Developers are not a gateway, and rather seek max efficiency
Prioritize quick results and ease of use over 100% coverage or extreme breadth of testing
Enable both centralized and broad security testing
Centralized scans in a build system or by team security leads
Broad testing by entire team - “Test before check in” model
Best Application Security Analysis
Includes Static, Dynamic & Runtime Analysis
Side-by-side, gain the strengths of all techniques
Uses Composite Analysis , merging the different ways
CA overcomes the weaknesses of each technique, such as:
Theoretical Static Analysis confirmed by Dynamic Analysis
Dynamic Analysis Coverage measured with Runtime Analysis
Extreme Emphasis on Accuracy & Actionable Results
Innovative Static String Analysis dramatically improves accuracy
Runtime Analysis maps Dynamic Analysis issues to code
Correlated Dynamic & Static results practically guaranteed
Self-Serve Security Testing for Developers
Detailed results include all you need to know
Comprehensive information about each security issue and its impact
Clear prioritization accounts for security risk and exploitability
Remediation view turns risk into tasks
Look at the problems from a development tasks perspective
Risk manifested in task priority
Detailed Fix Recommendations clarify needed action
Complete with platform-specific code examples
Retest capabilities enable verifying the fix works
Built in and accompanying training supports self-serve
Issue-specific flash-based training built into product
Product & Security Web-Based Training will be available at GA
Naturally fits into the SDLC process
Easily fit into the SDLC process - Minimize disruption
Fits common dev testing points (build or before check-in)
Uses dev concepts and terminology, not security ones
Scale to large number of users
Support centralized reporting & permissions through AppScan Enterprise or AppScan Reporting Console
Support collaboration within the development team
Share configuration, results and more
Integrate with development tools
IDE, Source Control, Build System, Defect Tracking system…
Comprehensive Security Analysis combining Dynamic, Static & Runtime Analysis, providing unmatched coverage of potential security issues for web applications
Next-Generation Accuracy with new patent-pending String Analysis, Developer Essentials test policy and the correlation of Static & Dynamic Analysis results all reducing the likelihood of false positives
Unparalleled Ease of Use with browsing based Dynamic Analysis and String Analysis enabling zero-configuration Static Analysis making efficient and accurate security testing possible for Developers
Identification of line-of-code location for Black-Box Issues - the Runtime-Analysis based Execution Flow provides textual and graphical insight, greatly simplifying the understanding and remediation of those issues.
Self-Serve Security Testing for Developers from built-in Flash-based training, accurate and prioritized results pointing straight to the line of code, and detailed remediation advice complete with code samples allow developers to be self-sufficient in their daily handling of web application security
Seamless Integration into the Development Process:
Specially designed for developer use case including deep integration with Rational Application Developer and Eclipse
Team collaboration through Rational ClearQuest and source-control systems
Complete the Rational AppScan End-to-End security solution enabling the security team to establish and control scanning permissions and policies and provide Security & QA teams with a way to pass reproducible security issues back to development for remediation and verification
1. Security 2. Code 3. Build 4. QA. This represents our product suite: how we help clients get to the utopia which is testing throughout the entire SDLC, taking security, which usually resides in info sec or risk management, and pushing it earlier. This is how we address it; start at the far right. This is where ownership usually falls: it should be on their heads if an issue occurs, they have final sign-off. Desktop is the entry for many customers, but not all. Once you go beyond just security and want to put controls and monitoring in place, ASE. See the web client for ASE: security uses Enterprise, and ASE becomes the aggregation of all that info, central management and control. But depending on who you are and what your role is, we have different solutions to introduce security so it is as unintrusive as possible.
Moving into QA, we specifically built some functionality into ASE which gives them the capability to launch scans without necessarily having the security background or knowledge. Setting up the scan can be a difficult process, but to change that we have QuickScan. In addition to that, we have a Tester Edition (for Quality Manager; it comes out when QM is released). Tester Edition sits inside QM and QC, similar to DE but for those products: configuring and launching a scan from within those products. Create a new security test directly within that environment. Results will be accessible from within those tools; you never need to get out of them. Scans from within QC are scheduled; in the future those scans will be run from ASE, so if they own ASE, the scan will run from ASE. Advantage: you don’t have to have a locally installed version.
Code: to get developers involved in performing tests, there are a few ways we can do it. One is with the brand new product DE: black and white box testing built into the IDE, which gives you the ability to do the testing early in code development. It does two tests to do both types of testing.
Patented technology by IBM is being embedded, string analysis, for watching the flow of information through the application as you are testing it. Good analogy: putting dye in your blood and watching it. Understand where the problem is in the code to isolate it. Historically tricky to do, but we found a way to do so, hence the patent. The other is ASE QuickScan. The QS environment is also built for that; there may be instances when you don’t have access to source code, either not supported yet or a third party, so there is a portal deployment for QS.
Build automates tests as part of the building process. So let’s say you are getting ready to publish a new test version of an app: you have build scripts that take all the code and deploy it. Sometimes you have to start and stop the web servers or change registry settings (that’s what BuildForge does) as part of the automated process, and once you’ve deployed that code, we’ll look at it and point out all the security defects. You could use QuickScan, but with the Build Edition it’s all automated and doesn’t require manual intervention. Build Edition we think is being released at the same time as DE. Whenever security issues are found, they can be pushed into the defect management system.
Detailed configuration that can be saved and reused