
Strengthening application security capabilities while improving time to value


DESCRIPTION

IBM Security AppScan software automates application security testing by scanning applications, identifying vulnerabilities and generating reports with intelligent fix recommendations to ease remediation. Join this session to learn how to reduce your application security risk by integrating IBM Security AppScan into your software development lifecycle, focusing on a Secure by Design approach. View the on-demand webcast: https://www2.gotomeeting.com/register/553267994


Page 1

© 2013 IBM Corporation

IBM Security Systems

Strengthening application security capabilities while improving time to value with IBM Security AppScan

30th October 2013

Page 2

Agenda

• IBM Security Framework
• Why Application Security is Important
• What's New in AppScan 8.8
• Why IBM?
• Resources

Page 3

X-Force is the foundation for advanced security and threat research across the IBM Security Framework

The mission of X-Force is to:

Monitor and evaluate the rapidly changing threat landscape

Research new attack techniques and develop protection for tomorrow’s security challenges

Educate our customers and the general public

Page 4

Security Incidents in the first half of

Page 5

Application Security Landscape

Web application vulnerabilities dominate the enterprise threat landscape.

• 31% of new attacks targeted vulnerabilities in web applications (1H 2013)*
• More than 50% of all web application vulnerabilities are categorized as cross-site scripting.

Security vulnerabilities can impact a wide variety of applications:

• Applications in Development: In-house and outsourced
• Production Applications: In-house, acquired and off-the-shelf commercial apps

*IBM X-Force 2013 Mid-Year Trend and Risk Report

Page 6

Mobile Security Landscape

Mobile vulnerabilities have grown rapidly since 2009, along with explosive growth in mobile applications.

Attack sophistication is increasing, particularly those targeted at Android devices.

Organizations must have a mobile application security strategy.

Page 7

Application Security: Core Component of Your Security Strategy

1. Web application vulnerabilities dominate enterprise threat landscape.

2. Mobile application attacks are increasing rapidly.

3. Vulnerabilities are spread through a wide variety of applications (internal development apps and external production apps).

4. Common questions from IBM clients: Where are our vulnerabilities and how do we assess our risks?

5. Many organizations struggle with best practices for managing application security in their IT environments.

Page 8

Cheaper to find and fix earlier in the lifecycle – When do you test?

Find during Development: $80 / defect (*$8,000 / application)
Find during Build: $240 / defect (*$24,000 / application)
Find during QA/Test: $960 / defect (*$96,000 / application)
Find in Production: $7,600 / defect (*$760,000 / application)

80% of development costs are spent identifying and correcting defects!***

Average Cost of a Data Breach: $7.2M** from lawsuits, loss of customer trust, damage to brand

*Based on X-Force analysis of 100 vulnerabilities per application
** Source: Ponemon Institute 2009-10
*** Source: National Institute of Standards and Technology

Page 9

Is there a disconnect? Perception vs. Reality

Source: The State of Application Security, A Research Study by Ponemon Institute, 2013

Spend ≠ Risk

Source: The State of Risk-Based Security Management, A Research Study by Ponemon Institute, 2013

Do you have defined Secure Architecture Standards?

Where are your “security risks,” compared to your “security spend”?

Exec ≠ Developers view

Page 10

Mobile Malware – 2013 Data

Source: Juniper Networks Third Annual Mobile Threats Report: March 2012 through March 2013

Page 11

IBM X-Force 2013 Mid-Year Report

http://securityintelligence.com/cyber-attacks-research-reveals-top-tactics-xforce/

Android malware increasing

Sophistication of attacks increasing

New versions of Android helping to reduce risk

Android market is very fragmented


Page 12

IBM's Partnered Application Security Solution with Arxan

Arxan technology:

• Protects deployed mobile applications
• Enhances tamper-proofing
• Protects against reverse-engineering
• Protects against targeted malware

Goal: Develop secure applications and protect deployed mobile applications by utilizing the IBM/Arxan solution.

Source: Arxan State of Security in the App Economy – 2012

Page 13

Adopt a Secure by Design approach to enable you to design, deliver and manage smarter software and services

Build security into your application development process

Efficiently and effectively address security defects before deployment

Collaborate effectively between Security and Development

Provide Management visibility

Deliver New Services Faster

Reduce Costs

Innovate Securely

Proactively address vulnerabilities early in the development process

Page 14

Finding more vulnerabilities using advanced techniques

Static Analysis
- Analyze source code
- Use during development
- Uses taint analysis / pattern matching

Dynamic Analysis
- Analyze live web application
- Use during testing
- Uses HTTP tampering

Hybrid Analysis
- Correlate dynamic and static results
- Assists remediation by identification of the line of code

Client-Side Analysis
- Analyze downloaded JavaScript code which runs in the client
- Unique in the industry

Run-Time Analysis
- Combines dynamic analysis with a run-time agent
- More results, better accuracy

(Chart: Total Potential Security Issues vs. Applications)

Page 15

Application Security Testing

Governance & Collaboration
• Training – Application Security & Product (instructor led, self paced – classroom & web based)
• Test policies, test templates and access control
• Dashboards, detailed reports & trending
• Manage regulatory requirements such as DIACAP, PCI, GLBA and HIPAA (40+ out-of-the-box compliance reports)

Applications
• Web Applications / Web Services: Web 2.0/HTML5, AJAX, JavaScript, Adobe Flash & Flex
• Mobile Applications: iPhone Objective-C, Android Java
• Programming Languages: C#, ASP.NET, VB.NET, Classic ASP, ColdFusion, VB6, VBScript, HTML, PHP, Perl, PL/SQL, T-SQL, Client-side JavaScript, Server-side JavaScript, Java/Android, JSP, C, C++, COBOL, SAP ABAP
• Purchased Applications

Scanning Techniques
• Static analysis (white box): source code vulnerabilities & code quality risks; data & call flow analysis tracks tainted data
• Dynamic analysis (black box): live web application; web crawling & manual testing
• Hybrid Glass Box analysis

Integrated
• Build Systems improve scan efficiencies (Rational Build Forge, Rational Team Concert, Hudson, Maven)
• Defect Tracking Systems track remediation (Rational Team Concert, Rational ClearQuest, HP QC, MS Team Foundation Server)
• IDEs provide remediation assistance (RAD, Rational Team Concert, Eclipse, Visual Studio)
• Security Intelligence raises the threat level (SiteProtector, QRadar, Guardium)

SDLC: Coding – Build – QA – Security – Production

Audience: Development teams, Security teams, Penetration Testers
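Slides 14 and 15 describe static analysis as taint analysis and as data and call flow analysis that tracks tainted data from an input to a dangerous operation, reporting the line of code to fix. The following is an added example and not AppScan's engine or any IBM code: a toy intra-procedural taint tracker built on Python's standard ast module. The source, sink and sanitizer catalogues, the render_html function and the sample request handler are all constructed for the example; a real engine ships large catalogues of these and follows calls across functions and files.

```python
"""Toy intra-procedural taint analysis over Python source, using the standard
library's ast module. Added example; not AppScan's engine. SOURCES, SINKS and
SANITIZERS are assumed names chosen for the constructed sample below."""
import ast

# Assumed source / sink / sanitizer catalogue (a real engine ships thousands of entries).
SOURCES = {"request.args.get", "request.form.get", "input"}
SINKS = {
    "cursor.execute": "SQL Injection",
    "os.system": "Command Injection",
    "render_html": "Cross-Site Scripting",
}
SANITIZERS = {"html.escape", "int", "shlex.quote"}


def dotted(node):
    """Render a Name/Attribute chain such as request.args.get as a string, else None."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = dotted(node.value)
        return f"{base}.{node.attr}" if base else None
    return None


class TaintAnalyzer(ast.NodeVisitor):
    """Tracks which variables hold data derived from a source, statement by statement."""

    def __init__(self):
        self.tainted = {}   # variable name -> trace (list of "line N: ..." steps)
        self.findings = []

    def taint_of(self, node):
        """Return the taint trace carried by an expression, or None if it is clean."""
        if isinstance(node, ast.Name):
            return self.tainted.get(node.id)
        if isinstance(node, ast.Call):
            name = dotted(node.func)
            if name in SOURCES:
                return [f"line {node.lineno}: source {name}()"]
            if name in SANITIZERS:
                return None            # a sanitizer cleans whatever flows through it
            for arg in node.args:      # taint propagates through arguments, e.g. "...".format(x)
                trace = self.taint_of(arg)
                if trace:
                    return trace
            if isinstance(node.func, ast.Attribute):
                return self.taint_of(node.func.value)   # method call on a tainted receiver, e.g. uid.strip()
            return None
        if isinstance(node, ast.BinOp):            # string concatenation / % formatting
            return self.taint_of(node.left) or self.taint_of(node.right)
        if isinstance(node, ast.JoinedStr):        # f-strings
            for value in node.values:
                if isinstance(value, ast.FormattedValue):
                    trace = self.taint_of(value.value)
                    if trace:
                        return trace
        return None

    def visit_Assign(self, node):
        trace = self.taint_of(node.value)
        for target in node.targets:
            if isinstance(target, ast.Name):
                if trace:
                    self.tainted[target.id] = trace + [f"line {node.lineno}: assigned to {target.id}"]
                else:
                    self.tainted.pop(target.id, None)   # overwritten with clean data
        self.generic_visit(node)

    def visit_Call(self, node):
        name = dotted(node.func)
        if name in SINKS:
            for arg in node.args:
                trace = self.taint_of(arg)
                if trace:
                    self.findings.append({
                        "type": SINKS[name],
                        "line": node.lineno,
                        "trace": trace + [f"line {node.lineno}: reaches sink {name}()"],
                    })
        self.generic_visit(node)


def analyze(source):
    """Parse `source` and return the list of source-to-sink findings with their traces."""
    analyzer = TaintAnalyzer()
    analyzer.visit(ast.parse(source))
    return analyzer.findings


# Constructed sample: a request handler with two unsafe flows and two properly sanitized ones.
SAMPLE = '''
import os, html
def handler(request, cursor):
    uid = request.args.get("id")
    name = request.args.get("name")
    query = "SELECT * FROM users WHERE id = " + uid
    cursor.execute(query)
    safe_id = int(request.args.get("id"))
    cursor.execute("SELECT * FROM users WHERE id = %s", (safe_id,))
    render_html("<h1>" + html.escape(name) + "</h1>")
    greeting = f"Hello {name}"
    render_html(greeting)
'''

if __name__ == "__main__":
    for finding in analyze(SAMPLE):
        print(finding["type"], "at line", finding["line"])
        for step in finding["trace"]:
            print("   ", step)
```

Run on the sample it reports two flows: the unsanitized id concatenated into a SQL query and the name placed in an f-string that is rendered as HTML, each with the chain of assignments from source to sink. The int() and html.escape() paths are recognised as sanitised and produce nothing. The trace is what makes a static finding actionable, because it names the exact line to change rather than only the vulnerable endpoint.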

Page 16

AppScan Source Mobile Support

Support for Android and Native Apple iOS apps

Security SDK research & risk assessment of over 20k Android APIs and 20k iOS APIs

Mac OS X platform support

Xcode interoperability & build automation support

Full call and data flow analysis of Objective-C, JavaScript and Java

Identify where sensitive data is being leaked

Ensure mobile applications are not susceptible to malware!

Page 17

AppScan integrations with other IBM Security Systems products

AppScan
• Application vulnerability assessments

Guardium
• Database vulnerability assessments
• Database activity monitoring
• Data protection policies

SiteProtector
• Network activity monitoring
• Web application protection

QRadar
• Application discovery and context
• Risk-based vulnerability analysis
• Security policies and alerts

Page 18

AppScan - QRadar Vulnerability Manager integration

Features:

QVM Scanner provides network asset scanning and uncredentialed web application and database scanning

AppScan provides comprehensive credentialed web application scanning

AppScan vulnerability database integrated into QVM

QVM reports, dashboards and vulnerability management features all utilise AppScan vulnerabilities

QVM enables network usage, security and threat context data to be applied to AppScan vulnerabilities

Benefits:

Single view of vulnerability posture, improved incident response time

Prioritize web application vulnerability remediation and mitigation with rich context information

(Screenshot labels: Identified Risk; Application Vulnerability)

Page 19

What’s New in AppScan 8.8

Page 20

AppScan 8.8 - Strengthening application security capabilities while improving time to value

1. Improve time to value on static analysis
2. Quickly identify confirmed vulnerabilities

• Identify top security risks by leveraging the latest industry standards from the OWASP Top 10 and Mobile Top 10 for 2013
• Out-of-the-box filters and scan confirmations ensure security compliance and best practices
• Streamlined triage features to quickly identify security risk
• Faster and easier configuration of Java applications

3. Enhanced encryption to protect your security assets

• Support for the industry-standard Transport Layer Security (TLS) protocol 1.2
• Compliance with National Institute of Standards and Technology (NIST) Special Publication (SP) 800-131a

Page 21

AppScan 8.8: U.S. Federal Compliance Update

Enhanced encryption (support for TLS 1.2)

Compliance with National Institute of Standards and Technology (NIST) Special Publication (SP) 800-131a.

DISA STIG V3.5 out-of-the-box report (Source only)

Page 22

AppScan Source 8.8: Consumability & Usability Features

New Vulnerability Matrix with extensive Tool Tips

More options to optimize viewing of important trace information

Collapsible Trace view

Page 23

AppScan Source 8.8: Improved Time to Value

Scan Configurations
• Enhanced: Android, Large application, Normal, Quick, Web
• New: Follow all virtual call targets, iOS, Maximize findings, Maximize traces, Show all errors and warnings in console, Medium-to-large application, User input vulnerabilities, Service code

Filter Support
• Updated existing filters to improve accuracy
• Added new filters: OWASP Top 10 2013, OWASP Top 10 Mobile Risks
• Added filter information to assessment results and reports

New Out-of-the-box reports
• DISA STIG V3.5
• OWASP Top 10 2013
• OWASP Top 10 Mobile Risks, RC1

Vulnerability types automatically set

Page 24

AppScan Source 8.8: Platform Updates

Operating System Updates: Windows Server 2012; Red Hat Enterprise Linux 6.4

Updated IDE Support: Visual Studio 2012; Eclipse 4.2, 4.2.2, 4.3; Rational Application Developer 8.5.1, 9.0

Defect Tracking System Updates: Rational ClearQuest 8.0.1; Rational Team Concert 4.0.2, 4.0.3, 4.0.4

Other Updates: Rational License Key Server 8.1.4; WebLogic 11, 12; WebSphere 8, 8.5; Tomcat 7

Enhanced Framework Support: Spring MVC 3; additional feature support for Spring MVC 2.5; ASP.NET MVC; .NET 4.5; Java JAX-RS (V1.0 & 1.1); Java JAX-WS (V2.2); enhanced Web Services support including WSDL

Support for .NET 4.5; Microsoft Windows authentication via AppScan Enterprise

Page 25

AppScan Enterprise 8.8: Summary

Importing a scan configuration from the AppScan Standard desktop client: Leverage the scalability of the AppScan Enterprise Dynamic Analysis Scanner by importing and scheduling scans configured with the AppScan Standard desktop client.

Windows-based authentication for both DAST and SAST clients: Set up Windows authentication (based on Active Directory) when deploying both DAST and SAST clients. Installing and setting up Jazz Team Server is NOT required!

Enhanced REST API for QA automation: Reuse quality assurance functional test scripts to implement Dynamic Analysis security testing automation via new REST API interfaces.

Finer custom user type settings: More flexibility for configuring decentralized AppScan Enterprise administration.

Compliance report update: OWASP Top 10 (2013)

Page 26

AppScan Enterprise 8.8: Importing a scan configuration from AppScan Standard client

Page 27

AppScan Enterprise 8.8: Windows based authentication for both DAST and SAST clients

Page 28

AppScan Enterprise 8.8: Enhanced REST API for QA automation

The problem: The task of recording scripts (HTTP traffic) for the purposes of security testing is a duplication of the same task being performed for the purpose of functional testing. QA teams would like to leverage their functional test scripts (based on HTTP traffic) for the purposes of security testing.

Page 29

AppScan Enterprise 8.8: Enhanced REST API for QA automation

The solution – new REST API interfaces to help:

• Integrate AppScan with various QA automation tools to remove duplication of work
• Automate the creation of AppScan security scan jobs based on captured HTTP traffic
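As an added illustration of the workflow this slide describes, and not AppScan's REST API (whose endpoints and job format are not on the page), here is a converter from a HAR 1.2 capture, the traffic format browsers and intercepting proxies export from a functional test run, into a scan-job definition. The job shape, the host app.example.test and the captured traffic are constructed for the example. It deduplicates the recorded requests by endpoint and parameter set, keeps only the in-scope host so a third-party CDN is never seeded into a scan, and strips credential headers before the job is stored.

```python
"""Turn captured functional-test HTTP traffic (HAR 1.2 format, as exported by
browsers and proxies) into a scan-job definition. Added example: the output
shape is an assumed, illustrative one, not AppScan's REST API."""
import json
from urllib.parse import urlsplit

# Headers that carry credentials; they are dropped so the stored job does not leak them.
SENSITIVE_HEADERS = {"authorization", "cookie", "x-api-key"}


def har_to_scan_job(har, scope_host, job_name):
    """Deduplicate recorded requests by method/path/parameter shape, keep only the
    in-scope host and strip credential headers. Returns a JSON-serialisable dict."""
    seen = set()
    requests = []
    skipped = 0
    for entry in har["log"]["entries"]:
        req = entry["request"]
        parts = urlsplit(req["url"])
        if parts.hostname != scope_host:       # never seed a scan with third-party hosts
            skipped += 1
            continue
        query_params = sorted(p["name"] for p in req.get("queryString", []))
        body_params = sorted(p["name"] for p in req.get("postData", {}).get("params", []))
        shape = (req["method"], parts.path, tuple(query_params), tuple(body_params))
        if shape in seen:                      # same endpoint and parameter set already recorded
            continue
        seen.add(shape)
        headers = {h["name"]: h["value"] for h in req.get("headers", [])
                   if h["name"].lower() not in SENSITIVE_HEADERS}
        requests.append({
            "method": req["method"],
            "url": f"{parts.scheme}://{parts.netloc}{parts.path}",
            "query_params": query_params,
            "body_params": body_params,
            "headers": headers,
        })
    return {"name": job_name, "scope": [scope_host],
            "requests": requests, "skipped_out_of_scope": skipped}


# Constructed HAR capture from a functional test run of a fictional application.
SAMPLE_HAR = {"log": {"version": "1.2", "entries": [
    {"request": {"method": "GET", "url": "https://app.example.test/search?q=shoes",
                 "headers": [{"name": "Cookie", "value": "JSESSIONID=abc123"},
                             {"name": "Accept", "value": "text/html"}],
                 "queryString": [{"name": "q", "value": "shoes"}]}},
    {"request": {"method": "POST", "url": "https://app.example.test/login",
                 "headers": [{"name": "Content-Type", "value": "application/x-www-form-urlencoded"}],
                 "queryString": [],
                 "postData": {"mimeType": "application/x-www-form-urlencoded",
                              "params": [{"name": "username", "value": "tester"},
                                         {"name": "password", "value": "tester"}]}}},
    {"request": {"method": "GET", "url": "https://app.example.test/search?q=hats",
                 "headers": [{"name": "Cookie", "value": "JSESSIONID=abc123"}],
                 "queryString": [{"name": "q", "value": "hats"}]}},
    {"request": {"method": "GET", "url": "https://cdn.example.net/lib.js",
                 "headers": [], "queryString": []}},
]}}

if __name__ == "__main__":
    job = har_to_scan_job(SAMPLE_HAR, "app.example.test", "functional-suite-seed")
    print(json.dumps(job, indent=2))
```

The two search requests collapse into one seed because they exercise the same endpoint and parameter name; the scanner, not the functional suite, supplies the test values. Parameter names are kept because they are what a dynamic scanner will tamper with, while the recorded values of the login form are not copied into the job.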

Page 30

AppScan Standard 8.8: Summary

• Session management improvements – Action Based Login (ABL)
• Parameter and cookie tracking: new options
• User experience related enhancements:
  – Session detection pattern – In Session or Out of Session
  – Manual Test dialog now has Search fields for both request and response content
  – Use External Browser option is exposed in the UI
• TLS 1.1 and 1.2 are now supported in addition to TLS 1.0 and SSL 3.0
• SSL 2.0 has been deprecated in this release, but can still be configured
• Generic Services Client update: Version 8.5 is now used for setting up web services scans

Page 31

AppScan Standard 8.8: Action Based Login

Session handling is one of the key factors for a successful scan.

In previous versions, when a login sequence was recorded, AppScan would use the recorded HTTP traffic to replay the same sequence of requests each time a login playback was needed.

With Action Based Login AppScan actually uses the browser and performs the same actions as recorded by the user.

Internal tests show dramatic improvement in AppScan’s ability to successfully record and replay the login sequence.

ABL combined with the 'old' traffic-based login is used automatically by AppScan, with no need for user intervention.
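An added illustration of why replaying recorded traffic can fail where action-based login succeeds, and of how an in-session detection pattern (the feature listed on slide 30) drives automatic re-login during a scan. This is not AppScan's implementation: the web application is a constructed in-process model with a single-use anti-CSRF token in its login form and sessions that expire after a fixed number of requests, and the tester/tester credentials, paths and detection patterns are all assumptions made for the example.

```python
"""In-process model of recorded-traffic login replay versus action-based login,
with an in-session detection pattern driving automatic re-login. Added example
with a constructed fake application; it is not AppScan's implementation."""
import re
import secrets


class FakeWebApp:
    """Stand-in for a web app: CSRF-protected single-use login form and sessions
    that expire after a fixed number of requests (constructed for this example)."""

    def __init__(self, requests_per_session=2):
        self.csrf_tokens = set()
        self.sessions = {}            # session id -> requests remaining
        self.requests_per_session = requests_per_session

    def get_login_form(self):
        token = secrets.token_hex(8)  # fresh anti-CSRF token on every form load
        self.csrf_tokens.add(token)
        return f'<form><input name="csrf" value="{token}"></form>'

    def post_login(self, username, password, csrf):
        if csrf not in self.csrf_tokens or (username, password) != ("tester", "tester"):
            return None
        self.csrf_tokens.discard(csrf)  # token is single-use, so a replayed POST fails
        sid = secrets.token_hex(8)
        self.sessions[sid] = self.requests_per_session
        return sid

    def get_page(self, path, sid):
        if self.sessions.get(sid, 0) > 0:
            self.sessions[sid] -= 1
            return f"<html>Welcome tester. {path} <a href='/logout'>Logout</a></html>"
        return "<html>Please sign in</html>"


# "In Session" detection pattern: the page is authenticated if the logout link is present.
IN_SESSION = re.compile(r"href='/logout'")
CSRF_FIELD = re.compile(r'name="csrf" value="([0-9a-f]+)"')


def traffic_replay_login(app, recorded):
    """Old approach: resend the recorded POST byte for byte, stale CSRF token included."""
    return app.post_login(recorded["username"], recorded["password"], recorded["csrf"])


def action_based_login(app, username, password):
    """ABL approach: repeat the user's actions. Load the form, read the fresh token, submit."""
    token = CSRF_FIELD.search(app.get_login_form()).group(1)
    return app.post_login(username, password, token)


def scan(app, paths, login):
    """Visit each path; whenever the in-session pattern is missing, call login() again.
    Returns (list of (path, in_session) results, number of re-logins performed)."""
    sid = login()
    relogins = 0
    results = []
    for path in paths:
        body = app.get_page(path, sid)
        if not IN_SESSION.search(body):
            sid = login()
            relogins += 1
            body = app.get_page(path, sid)
        results.append((path, bool(IN_SESSION.search(body))))
    return results, relogins


def compare_login_methods(paths=("/a", "/b", "/c", "/d", "/e")):
    """Record a login once, then scan with replay and with ABL. Returns both outcomes."""
    app = FakeWebApp(requests_per_session=2)
    # Recording phase: the tester logs in through the browser; the token is consumed here.
    token = CSRF_FIELD.search(app.get_login_form()).group(1)
    app.post_login("tester", "tester", token)
    recorded = {"username": "tester", "password": "tester", "csrf": token}

    replay = scan(app, paths, lambda: traffic_replay_login(app, recorded))
    abl = scan(app, paths, lambda: action_based_login(app, "tester", "tester"))
    return {"replay": replay, "action_based": abl}


if __name__ == "__main__":
    for method, (results, relogins) in compare_login_methods().items():
        in_session = sum(1 for _, ok in results if ok)
        print(f"{method}: {in_session}/{len(results)} pages scanned in session, {relogins} re-logins")
```

With replay, every login attempt resubmits the token that was consumed during recording, so the scanner never gets a session and every page is scanned logged out, which silently shrinks coverage. With action-based login the form is loaded again each time, the fresh token is read from it, and the in-session pattern triggers a re-login exactly when the session expires.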

Page 32

Try AppScan 8.8 Now!

Free download available http://www.ibm.com/developerworks/downloads/r/appscan/

The IBM Security AppScan download is a fully functional, unlimited version of the IBM Security AppScan Standard product.

The only restriction is that scanning is limited to one site, Altoro Mutual at http://demo.testfire.net. We provide this site to testers so that you can explore the testing process without fear of bringing down a production site.

Page 33

Why IBM?

Page 34

Magic Quadrant for Application Security Testing, Neil MacDonald, Joseph Feiman, July 2, 2013

Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

This Magic Quadrant graphic was published by Gartner, Inc. as part of a larger research note and should be evaluated in the context of the entire report. The link to the Gartner report is available upon request from IBM.

“The market for application security testing is changing rapidly. Technology trends, such as mobile applications, advanced Web applications and dynamic languages, are forcing the need to combine dynamic and static testing capabilities, which is reshaping the overall market.”

Gartner has recognized IBM as a leader in the Magic Quadrant for Application Security Testing (AST)

Page 35

Why IBM Security AppScan?

Complete and integrated Application Security Testing (AST) solution in the market

Complete AST offering

1. AppScan is a rich set of application testing management products that can scale.

2. AppScan also offers special editions for specific users.

3. IBM has the strongest ability to execute including X-Force.

Best fit for enterprises

1. AppScan meets enterprise needs with flexible deployment models and the most advanced testing.

2. AppScan is available in both on-premise and managed services offerings

3. AppScan has the highest degree of accuracy

4. AppScan also has the best attack vector coverage

Integrated AST solution

1. AppScan is part of the larger IBM Security Systems vision that encompasses enterprise security intelligence, mobile, Big Data and Cloud

2. AppScan can be integrated with enterprise risk management and intelligence via integrations

Page 36

Cisco: Scaling application vulnerability management across a large enterprise

The need:

With a small security team and an application portfolio of nearly 2,500 applications, security staff worried they were becoming a "bottleneck" in application security testing.

The solution:

Using IBM® Security AppScan® Enterprise, Cisco empowered its developers and QA personnel to test applications and address security issues before deployment.

The benefits:

• Drove a 33 percent decrease in number of issues found
• Reduced post-deployment remediation costs significantly
• Freed security experts to focus on deep application vulnerability assessments

"We've seen a 33 percent decrease in the number of issues found and a huge reduction in remediation costs post deployment."

—Sujata Ramamoorthy, Director, Information Security, Cisco

Solution components: IBM® Security AppScan® Standard, IBM Security AppScan Enterprise

Download the Complete Case Study

WGP03056-USEN-00

Page 37

Resources

Page 38

Related Webinar Available On Demand

Mobile Application Security and Data Protection Challenges

http://www-03.ibm.com/security/2013webinarseries/details/index.html

Securing mobile applications requires an understanding of the unique characteristics of mobile computing. Addressing application security early in the software development life cycle is even more important for mobile applications. However, securing mobile applications is different from securing mobile devices. In this presentation, Tom will highlight the mobile security risks for end users and enterprises, show you some great examples of simple but effective mobile threats, and discuss application development steps every organization should take to protect their customers and their company.

Page 39

Additional Information

Documents
• EMA Impact Brief - IBM Security AppScan 8.7 Adds Support for iOS Mobile Apps: https://www14.software.ibm.com/webapp/iwm/web/signup.do?source=swg-WW_Security_Organic&S_PKG=ov14494&S_TACT=102PW29W
• AppScan Source Data Sheet: http://public.dhe.ibm.com/common/ssi/ecm/en/rad14105usen/RAD14105USEN.PDF
• AppScan Standard Data Sheet: http://public.dhe.ibm.com/common/ssi/ecm/en/rad14019usen/RAD14019USEN.PDF
• AppScan Enterprise Data Sheet: ftp://public.dhe.ibm.com/common/ssi/ecm/en/rad14113usen/RAD14113USEN.PDF

Posts
• 2013 Gartner Application Security Testing MQ and the Evolution of Software Security: http://securityintelligence.com/2013-gartner-application-security-testing-mq-and-the-evolution-of-software-security/
• Gartner Publishes 2013 Magic Quadrant for Application Security Testing (AST): http://securityintelligence.com/gartner-magic-quadrant-for-application-security-testing-2013/

Podcasts
• 2013 Gartner Magic Quadrant for Application Security Testing: http://www.blogtalkradio.com/calebbarlow/2013/07/25/2013-gartner-magic-quadrant-for-application-security-testing
• Application + Threat + Security intelligence = Priceless: http://www.blogtalkradio.com/calebbarlow/2012/08/13/threat-application-security-intelligence-priceless
• Taking Application Security from the Whiteboard to Reality: http://www.blogtalkradio.com/calebbarlow/2012/06/11/taking-application-security-from-the-whiteboard-to-reality

Page 40

Videos

• Overview of IBM Security AppScan: http://www.youtube.com/watch?v=9R4IjZpKt8I
• How College Board is Building Security into Application Development: http://www.youtube.com/watch?v=TtqhlcTnbg8
• Building Better, More Secure Applications: http://www.youtube.com/watch?v=UcN2uUolgKk
• Using Application Security Testing to Increase Deployment Speed: http://www.youtube.com/watch?v=VImy3ilYUSk
• IBM Security AppScan 8.7 for iOS mobile application support: http://www.youtube.com/watch?v=I73tbAmJIGw
• IBM Security AppScan 8.7 for iOS Applications: http://www.youtube.com/watch?v=egnEH-GGQEI
• IBM Security AppScan: Analysis Perspective: http://www.youtube.com/watch?v=UZD53ZgV848

Page 41

ibm.com/security

© Copyright IBM Corporation 2013. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.

Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed or misappropriated or can result in damage to or misuse of your systems, including to attack others. No IT system or product should be considered completely secure and no single product or security measure can be completely effective in preventing improper access. IBM systems and products are designed to be part of a comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT SYSTEMS AND PRODUCTS ARE IMMUNE FROM THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.