IBM Security AppScan software automates application security testing by scanning applications, identifying vulnerabilities and generating reports with intelligent fix recommendations to ease remediation. Join this session to learn how to reduce your application security risk by integrating IBM Security AppScan into your software development lifecycle, focusing on a Secure by Design approach. View the on-demand webcast: https://www2.gotomeeting.com/register/553267994
© 2013 IBM Corporation
IBM Security Systems
Strengthening application security capabilities while improving time to value with IBM Security AppScan
30th October 2013
Agenda
• IBM Security Framework
• Why Application Security is Important
• What’s New in AppScan 8.8
• Why IBM?
• Resources
X-Force is the foundation for advanced security and threat research across the IBM Security Framework
The mission of X-Force is to:
• Monitor and evaluate the rapidly changing threat landscape
• Research new attack techniques and develop protection for tomorrow’s security challenges
• Educate our customers and the general public
Security Incidents in the first half of
Application Security Landscape
Web application vulnerabilities dominate the enterprise threat landscape.
• 31% of new attacks targeted vulnerabilities in web applications (1H 2013)*
• More than 50% of all web application vulnerabilities are categorized as cross-site scripting.
Security vulnerabilities can impact a wide variety of applications:
• Applications in Development: in-house and outsourced development
• Production Applications: developed in house, acquired, and off-the-shelf commercial apps
* IBM X-Force 2013 Mid-Year Trend and Risk Report
Mobile Security Landscape
Mobile vulnerabilities have grown rapidly since 2009, along with explosive growth in mobile applications.
Attack sophistication is increasing, particularly those targeted at Android devices.
Organizations must have a mobile application security strategy.
Application Security: Core Component of Your Security Strategy
1. Web application vulnerabilities dominate enterprise threat landscape.
2. Mobile application attacks are increasing rapidly.
3. Vulnerabilities are spread through a wide variety of applications (internal development apps and external production apps).
4. Common questions from IBM clients: Where are our vulnerabilities and how do we assess our risks?
5. Many organizations struggle with best practices for managing application security in their IT environments.
Cheaper to find and fix earlier in the lifecycle – When do you test?

  Phase in which the defect is found   Cost per defect   Cost per application*
  Development                          $80               $8,000
  Build                                $240              $24,000
  QA/Test                              $960              $96,000
  Production                           $7,600            $760,000

* Based on X-Force analysis of 100 vulnerabilities per application
80% of development costs are spent identifying and correcting defects!***
Average cost of a data breach: $7.2M** from lawsuits, loss of customer trust and damage to brand
** Source: Ponemon Institute 2009-10
*** Source: National Institute of Standards and Technology
Is there a disconnect? Perception vs. Reality
• Exec ≠ Developers view (Source: The State of Application Security, A Research Study by Ponemon Institute, 2013)
• Spend ≠ Risk (Source: The State of Risk-Based Security Management, A Research Study by Ponemon Institute, 2013)
Questions to ask:
• Do you have defined Secure Architecture Standards?
• Where are your “security risks,” compared to your “security spend”?
Mobile Malware – 2013 Data
Source: Juniper Networks Third Annual Mobile Threats Report: March 2012 through March 2013
IBM X-Force 2013 Mid-Year Report
http://securityintelligence.com/cyber-attacks-research-reveals-top-tactics-xforce/
• Android malware increasing
• Sophistication of attacks increasing
• New versions of Android helping to reduce risk
• Android market is very fragmented
IBM’s Partnered Application Security Solution with Arxan
Arxan technology:
• Protects deployed mobile applications
• Enhances tamper-proofing
• Protects against reverse-engineering
• Protects against targeted malware
Goal: Develop secure applications and protect deployed mobile applications by utilizing the IBM/Arxan solution.
Source: Arxan State of Security in the App Economy – 2012
Adopt a Secure by Design approach to enable you to design, deliver and manage smarter software and services
• Build security into your application development process
• Efficiently and effectively address security defects before deployment
• Collaborate effectively between Security and Development
• Provide management visibility
• Proactively address vulnerabilities early in the development process
Outcomes: deliver new services faster, reduce costs, innovate securely
Finding more vulnerabilities using advanced techniques
• Static Analysis: analyzes source code; used during development; uses taint analysis / pattern matching
• Dynamic Analysis: analyzes the live web application; used during testing; uses HTTP tampering
• Hybrid Analysis: correlates dynamic and static results; assists remediation by identifying the line of code
• Client-Side Analysis: analyzes downloaded JavaScript code that runs in the client; unique in the industry
• Run-Time Analysis: combines dynamic analysis with a run-time agent; more results, better accuracy
(Chart: total potential security issues vs. applications)
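What “HTTP tampering” in the dynamic (black-box) row amounts to in practice, as an added example that is not AppScan code: every parameter a crawler discovered is re-sent with a unique canary containing HTML metacharacters, and the response is checked for the canary coming back unencoded. The target application, its two endpoints and the crawl results are all constructed for the demo; nothing here talks to a network.

```python
"""Minimal dynamic (black-box) reflection check by HTTP parameter tampering.
Added example: the target app, its endpoints and the crawl list are constructed
for the demo and are not part of AppScan."""
import html
import secrets
from typing import Callable, Dict, List, Tuple

Response = Tuple[int, Dict[str, str], str]      # (status, headers, body)
App = Callable[[str, Dict[str, str]], Response]  # in-process stand-in for HTTP


def demo_app(path: str, params: Dict[str, str]) -> Response:
    """Constructed target: one reflected-XSS bug and one correctly escaped page."""
    if path == "/search":
        q = params.get("q", "")
        # BUG (deliberate): the query string is interpolated into HTML unescaped.
        return 200, {"Content-Type": "text/html"}, f"<h1>Results for {q}</h1>"
    if path == "/greet":
        name = params.get("name", "")
        # Safe: html.escape neutralises < > & " ' before the value reaches the page.
        body = f"<p>Hello, {html.escape(name, quote=True)}</p>"
        return 200, {"Content-Type": "text/html"}, body
    return 404, {"Content-Type": "text/plain"}, "not found"


def make_canary() -> str:
    """Unique marker wrapped in the characters that matter for HTML injection."""
    return f'<"{secrets.token_hex(4)}">'


def probe_reflection(app: App, path: str, params: Dict[str, str]) -> List[dict]:
    """Tamper each parameter in turn and report values echoed back verbatim."""
    findings = []
    for name in params:
        canary = make_canary()
        tampered = dict(params, **{name: canary})   # only this parameter changes
        status, headers, body = app(path, tampered)
        if status != 200 or "text/html" not in headers.get("Content-Type", ""):
            continue
        if canary in body:
            # Metacharacters survived untouched: the parameter is injectable.
            findings.append({"path": path, "param": name,
                             "issue": "reflected input (unescaped)"})
        # If only html.escape(canary) is present the app encoded it: no finding.
    return findings


def scan(app: App, crawl_results: List[Tuple[str, Dict[str, str]]]) -> List[dict]:
    """Run the probe over every (path, params) pair the crawler discovered."""
    out: List[dict] = []
    for path, params in crawl_results:
        out.extend(probe_reflection(app, path, params))
    return out


# Constructed crawl output: what a spider would have found on the demo app.
CRAWLED = [("/search", {"q": "shoes"}), ("/greet", {"name": "alice"})]

if __name__ == "__main__":
    for finding in scan(demo_app, CRAWLED):
        print(finding)
```

The check is deliberately narrow: it only reports a parameter when the exact canary, metacharacters included, appears in an HTML response, so an endpoint that encodes its output is not flagged. A real scanner layers context-specific payloads (attribute, script and URL contexts) on top of this reflection test.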
Application Security Testing

Scanning Techniques
• Static analysis (white box): source code vulnerabilities and code quality risks; data and call flow analysis tracks tainted data
• Dynamic analysis (black box): live web application; web crawling and manual testing
• Hybrid glass box analysis

Applications
• Web applications and web services: Web 2.0/HTML5, AJAX, JavaScript, Adobe Flash and Flex
• Mobile applications: iPhone Objective-C, Android Java
• Purchased applications
• Programming languages: C#, ASP.NET, VB.NET, Classic ASP, ColdFusion, VB6, VBScript, HTML, PHP, Perl, PL/SQL, T-SQL, client-side JavaScript, server-side JavaScript, Java/Android, JSP, C, C++, COBOL, SAP ABAP

Governance & Collaboration
• Training – application security and product (instructor led or self paced; classroom and web based)
• Test policies, test templates and access control
• Dashboards, detailed reports and trending
• Manage regulatory requirements such as DIACAP, PCI, GLBA and HIPAA (40+ out-of-the-box compliance reports)

Integrated across the SDLC (coding, build, QA, security, production)
• Build systems improve scan efficiencies (Rational Build Forge, Rational Team Concert, Hudson, Maven)
• Defect tracking systems track remediation (Rational Team Concert, Rational ClearQuest, HP QC, MS Team Foundation Server)
• IDEs provide remediation assistance (RAD, Rational Team Concert, Eclipse, Visual Studio)
• Security intelligence raises the threat level (SiteProtector, QRadar, Guardium)

Audience: development teams, security teams, penetration testers
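A minimal version of the taint (data-flow) analysis that both the “taint analysis / pattern matching” description of static analysis and this slide’s “data and call flow analysis tracks tainted data” refer to, as an added example. It is not AppScan’s engine: it walks the Python AST of a constructed Flask-style snippet, treats `request.args.get` as the attacker-controlled source, `html.escape` and `int` as sanitizers, and the first argument of `execute` and `make_response` as sinks (all of these names are assumptions chosen for the demo), and reports each source-to-sink flow with the line numbers on the trace, which is the “identification of line of code” that remediation needs.

```python
"""Minimal intra-procedural taint analysis over a Python AST.
Added example, not AppScan's analysis engine. Source, sink and sanitizer
names below are assumptions picked for the constructed sample."""
import ast
from typing import Dict, List, Optional

SOURCES = {"request.args.get", "request.form.get"}   # attacker-controlled input
SANITISERS = {"html.escape", "int"}                   # calls whose output is clean
# sink name -> (issue reported, index of the argument that must not be tainted)
SINKS = {"execute": ("SQL injection", 0), "make_response": ("Cross-site scripting", 0)}

# Constructed sample under analysis: two flaws, two clean flows (parsed, never run).
SAMPLE = '''
from flask import request, make_response
import html

def search(cursor):
    q = request.args.get("q")
    sql = "SELECT * FROM items WHERE name = '" + q + "'"
    cursor.execute(sql)                          # SQL injection: q reaches the query text
    return make_response("<h1>" + q + "</h1>")   # XSS: same source, second sink

def greet():
    name = request.args.get("name")
    safe = html.escape(name)
    return make_response("<p>" + safe + "</p>")  # clean: the sanitiser breaks the flow

def item(cursor):
    item_id = request.args.get("id")
    cursor.execute("SELECT * FROM items WHERE id = %s", (item_id,))  # clean: bound parameter
    return "ok"
'''


def dotted(node: ast.AST) -> str:
    """Render a call target such as html.escape or request.args.get as a dotted name."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = dotted(node.value)
        return f"{base}.{node.attr}" if base else node.attr
    return ""


class TaintTracker(ast.NodeVisitor):
    def __init__(self) -> None:
        self.tainted: Dict[str, List[int]] = {}   # variable -> line numbers on its trace
        self.findings: List[dict] = []

    def taint_of(self, expr: ast.AST) -> Optional[List[int]]:
        """Trace of the tainted data in expr, or None if the expression is clean."""
        if isinstance(expr, ast.Call):
            name = dotted(expr.func)
            if name in SANITISERS:
                return None              # sanitiser output is clean whatever went in
            if name in SOURCES:
                return []                # flow starts here; the caller adds the line
            for arg in expr.args:        # e.g. str(q) carries q's taint through
                t = self.taint_of(arg)
                if t is not None:
                    return t
            return None
        if isinstance(expr, ast.Name):
            return self.tainted.get(expr.id)
        for child in ast.iter_child_nodes(expr):   # BinOp, JoinedStr, Tuple, ...
            t = self.taint_of(child)
            if t is not None:
                return t
        return None

    def visit_FunctionDef(self, node: ast.FunctionDef) -> None:
        self.tainted = {}                # intra-procedural: each function starts clean
        self.generic_visit(node)

    def visit_Assign(self, node: ast.Assign) -> None:
        trace = self.taint_of(node.value)
        for target in node.targets:
            if isinstance(target, ast.Name):
                if trace is not None:
                    self.tainted[target.id] = trace + [node.lineno]
                else:
                    self.tainted.pop(target.id, None)   # overwritten with clean data
        self.generic_visit(node)

    def visit_Call(self, node: ast.Call) -> None:
        name = dotted(node.func).split(".")[-1]
        if name in SINKS:
            issue, idx = SINKS[name]
            if idx < len(node.args):
                trace = self.taint_of(node.args[idx])
                if trace is not None:
                    self.findings.append({"issue": issue, "sink_line": node.lineno,
                                          "trace": trace + [node.lineno]})
        self.generic_visit(node)


def analyse(source: str) -> List[dict]:
    """Return one finding per tainted flow that reaches a sink argument."""
    tracker = TaintTracker()
    tracker.visit(ast.parse(source))
    return tracker.findings


if __name__ == "__main__":
    for f in analyse(SAMPLE):
        print(f["issue"], "at line", f["sink_line"], "trace", f["trace"])
```

Two details carry most of the accuracy: sinks are keyed on the dangerous argument position, so a bound parameter passed in `execute`’s second argument is not reported, and a sanitizer call stops propagation regardless of what flows into it. Real engines add inter-procedural call-flow analysis and per-context sanitizer rules on top of this.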
AppScan Source Mobile Support
• Support for Android and native Apple iOS apps
• Security SDK research and risk assessment of over 20k Android APIs and 20k iOS APIs
• Mac OS X platform support
• Xcode interoperability and build automation support
• Full call and data flow analysis of Objective-C, JavaScript and Java
• Identify where sensitive data is being leaked
• Ensure mobile applications are not susceptible to malware!
AppScan integrations with other IBM Security Systems products
• AppScan: application vulnerability assessments
• Guardium: database vulnerability assessments; database activity monitoring; data protection policies
• SiteProtector: network activity monitoring; web application protection
• QRadar: application discovery and context; risk-based vulnerability analysis; security policies and alerts
AppScan - QRadar Vulnerability Manager (QVM) integration
Features:
• The QVM scanner provides network asset scanning and uncredentialed web application and database scanning
• AppScan provides comprehensive credentialed web application scanning
• The AppScan vulnerability database is integrated into QVM
• QVM reports, dashboards and vulnerability management features all utilise AppScan vulnerabilities
• QVM enables network usage, security and threat context data to be applied to AppScan vulnerabilities
Benefits:
• Single view of vulnerability posture, improved incident response time
• Prioritize web application vulnerability remediation and mitigation with rich context information
What’s New in AppScan 8.8
AppScan 8.8 - Strengthening application security capabilities while improving time to value
1. Improve time to value on static analysis
   • Streamlined triage features to quickly identify security risk
   • Faster and easier configuration of Java applications
2. Quickly identify confirmed vulnerabilities
   • Identify top security risks by leveraging the latest industry standards: OWASP Top 10 and OWASP Mobile Top 10 for 2013
   • Out-of-the-box filters and scan confirmations ensure security compliance and best practices
3. Enhanced encryption to protect your security assets
   • Support for the industry-standard Transport Layer Security (TLS) protocol 1.2
   • Compliance with National Institute of Standards and Technology (NIST) Special Publication (SP) 800-131A
AppScan 8.8: U.S. Federal Compliance Update
• Enhanced encryption (support for TLS 1.2)
• Compliance with National Institute of Standards and Technology (NIST) Special Publication (SP) 800-131A
• DISA STIG V3.5 out-of-the-box report (Source only)
AppScan Source 8.8: Consumability & Usability Features
New Vulnerability Matrix with extensive Tool Tips
More options to optimize viewing of important trace information
Collapsible Trace view
AppScan Source 8.8: Improved Time to Value
Scan Configurations
• Enhanced: Android, Large application, Normal, Quick, Web
• New: Follow all virtual call targets, iOS, Maximize findings, Maximize traces, Show all errors and warnings in console, Medium-to-large application, User input vulnerabilities, Service code
Filter Support
• Updated existing filters to improve accuracy
• Added new filters: OWASP Top 10 2013, OWASP Top 10 Mobile Risks
• Added filter information to assessment results and reports
New Out-of-the-box Reports
• DISA STIG V3.5
• OWASP Top 10 2013
• OWASP Top 10 Mobile Risks, RC1
• Vulnerability types automatically set
AppScan Source 8.8: Platform Updates
• Operating system updates: Windows Server 2012; Red Hat Enterprise Linux 6.4
• Updated IDE support: Visual Studio 2012; Eclipse 4.2, 4.2.2, 4.3; Rational Application Developer 8.5.1, 9.0
• Defect tracking system updates: Rational ClearQuest 8.0.1; Rational Team Concert 4.0.2, 4.0.3, 4.0.4
• Other updates: Rational License Key Server 8.1.4; WebLogic 11, 12; WebSphere 8, 8.5; Tomcat 7
• Enhanced framework support: Spring MVC 3; additional feature support for Spring MVC 2.5; ASP.NET MVC; .NET 4.5; Java JAX-RS (v1.0 and 1.1); Java JAX-WS (v2.2); enhanced web services support including WSDL
• Support for .NET 4.5
• Microsoft Windows authentication via AppScan Enterprise
AppScan Enterprise 8.8: Summary
• Importing a scan configuration from the AppScan Standard desktop client: leverage the scalability of the AppScan Enterprise Dynamic Analysis Scanner by importing and scheduling scans configured with the AppScan Standard desktop client.
• Windows-based authentication for both DAST and SAST clients: set up Windows authentication (based on Active Directory) when deploying both DAST and SAST clients. Installing and setting up Jazz Team Server is NOT required!
• Enhanced REST API for QA automation: reuse quality assurance functional test scripts to implement Dynamic Analysis security testing automation via the new REST API interfaces.
• Finer custom user type settings: more flexibility for configuring decentralized AppScan Enterprise administration.
• Compliance report update: OWASP Top 10 (2013)
AppScan Enterprise 8.8: Importing a scan configuration from AppScan Standard client
AppScan Enterprise 8.8: Windows based authentication for both DAST and SAST clients
AppScan Enterprise 8.8: Enhanced REST API for QA automation
The problem: recording scripts (HTTP traffic) for the purposes of security testing duplicates the same task already performed for functional testing. QA teams would like to leverage their functional test scripts (based on HTTP traffic) for security testing.
The solution: new REST API interfaces that help to
• Integrate AppScan with various QA automation tools to remove duplication of work
• Automate the creation of AppScan security scan jobs based on captured HTTP traffic
AppScan Standard 8.8: Summary
• Session management improvements – Action Based Login (ABL)
• New options for parameter and cookie tracking
• User experience enhancements:
  • Session detection pattern – In Session or Out of Session
  • The Manual Test dialog now has search fields for both request and response content
  • The “Use External Browser” option is exposed in the UI
• TLS 1.1 and 1.2 are now supported in addition to TLS 1.0 and SSL 3.0. SSL 2.0 has been deprecated in this release but can still be configured; leave it off unless a legacy target requires it.
• Generic Services Client update: version 8.5 is now used for setting up web services scans
AppScan Standard 8.8: Action Based Login
Session handling is one of the key factors for a successful scan.
• In previous versions, when a login sequence was recorded, AppScan used the recorded HTTP traffic to replay the same sequence of requests each time a login playback was needed.
• With Action Based Login, AppScan drives the browser and performs the same actions the user recorded, so values that change between visits (form tokens, cookies, redirects) are picked up from the live responses rather than replayed stale.
• Internal tests show a dramatic improvement in AppScan’s ability to successfully record and replay the login sequence.
• ABL combined with the ‘old’ traffic-based login is used automatically by AppScan; no user intervention is needed.
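Why traffic replay breaks and action-based playback does not, and how the “In Session / Out of Session” detection pattern from the summary slide fits in, as an added example that is not AppScan code. The login server below is constructed: it issues a one-time anti-CSRF token with each GET of the login form and rejects a POST whose token was already consumed, which is exactly the situation that defeats byte-for-byte replay of a recorded login. The credentials, page markup and detection regex are all assumptions for the demo.

```python
"""Traffic replay vs. action-based login against a site with one-time form tokens.
Added example: the server, credentials and page markup are constructed for the
demo and are not part of AppScan."""
import re
import secrets
from typing import Any, Dict, Optional, Set, Tuple

USERS = {"jsmith": "demo1234"}                 # constructed test account


class LoginServer:
    """Minimal site: GET /login issues a fresh token, POST /login consumes it."""

    def __init__(self) -> None:
        self.pending: Dict[str, str] = {}      # pre-auth cookie -> outstanding token
        self.sessions: Set[str] = set()        # valid authenticated session cookies

    def get_login(self) -> Tuple[str, str]:
        """Return (pre-auth cookie, login form HTML carrying a one-time token)."""
        cookie, token = secrets.token_hex(8), secrets.token_hex(8)
        self.pending[cookie] = token
        form = (f'<form method="post"><input type="hidden" name="csrf" value="{token}">'
                '<input name="user"><input name="pass" type="password"></form>')
        return cookie, form

    def post_login(self, cookie: str, form: Dict[str, str]) -> Tuple[int, str, Optional[str]]:
        """Return (status, body, session cookie). The token is single-use and bound to the cookie."""
        expected = self.pending.pop(cookie, None)
        if expected is None or form.get("csrf") != expected:
            return 403, "Invalid or expired form token", None
        if USERS.get(form.get("user", "")) != form.get("pass"):
            return 401, "Bad credentials", None
        session = secrets.token_hex(8)
        self.sessions.add(session)
        return 200, '<a href="/logout">Logout</a> Welcome', session

    def get_account(self, session: Optional[str]) -> str:
        """The page a scanner requests to decide whether it is still logged in."""
        if session in self.sessions:
            return '<h1>Account</h1><a href="/logout">Logout</a>'
        return "<h1>Please sign in</h1>"


# "In session" detection pattern: present only on pages served to a logged-in user.
IN_SESSION_PATTERN = re.compile(r'href="/logout"')
TOKEN_PATTERN = re.compile(r'name="csrf" value="([0-9a-f]+)"')


def in_session(server: LoginServer, session: Optional[str]) -> bool:
    """Session detection the way a DAST scanner does it: match a pattern on a known page."""
    return IN_SESSION_PATTERN.search(server.get_account(session)) is not None


def record_login(server: LoginServer) -> Dict[str, Any]:
    """What a traffic recorder captures while the tester logs in by hand."""
    cookie, form_html = server.get_login()
    token = TOKEN_PATTERN.search(form_html).group(1)
    form = {"csrf": token, "user": "jsmith", "pass": "demo1234"}
    status, _, _ = server.post_login(cookie, form)
    if status != 200:
        raise RuntimeError("recording failed")
    return {"cookie": cookie, "form": form}


def replay_login(server: LoginServer, recording: Dict[str, Any]) -> Optional[str]:
    """Traffic-based playback: resend the captured request exactly as recorded."""
    _, _, session = server.post_login(recording["cookie"], recording["form"])
    return session                              # None: the recorded token was already used


def action_based_login(server: LoginServer, recording: Dict[str, Any]) -> Optional[str]:
    """Action-based playback: redo the steps (load form, fill fields, submit),
    so the fresh token and cookie come from the live response."""
    cookie, form_html = server.get_login()
    token = TOKEN_PATTERN.search(form_html).group(1)
    form = dict(recording["form"], csrf=token)   # same credentials, current token
    _, _, session = server.post_login(cookie, form)
    return session


if __name__ == "__main__":
    srv = LoginServer()
    rec = record_login(srv)
    print("replay  in session:", in_session(srv, replay_login(srv, rec)))
    print("action  in session:", in_session(srv, action_based_login(srv, rec)))
```

The detection pattern matters as much as the login itself: a scanner that cannot tell “in session” from “out of session” keeps crawling the unauthenticated site after a silent logout and reports a clean scan of pages it never reached. Pick a marker that appears only for authenticated users (a logout link, the account name), not one the login page also contains.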
Try AppScan 8.8 Now!
Free download available: http://www.ibm.com/developerworks/downloads/r/appscan/
The IBM Security AppScan download is a fully functional, unlimited version of the IBM Security AppScan Standard product.
The only restriction is that scanning is limited to one site, Altoro Mutual at http://demo.testfire.net. We provide this site to testers so that you can explore the testing process without fear of bringing down a production site.
Why IBM?
Gartner has recognized IBM as a leader in the Magic Quadrant for Application Security Testing (AST)
Magic Quadrant for Application Security Testing, Neil MacDonald and Joseph Feiman, July 2, 2013
“The market for application security testing is changing rapidly. Technology trends, such as mobile applications, advanced Web applications and dynamic languages, are forcing the need to combine dynamic and static testing capabilities, which is reshaping the overall market.”
This Magic Quadrant graphic was published by Gartner, Inc. as part of a larger research note and should be evaluated in the context of the entire report. The link to the Gartner report is available upon request from IBM.
Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
Why IBM Security AppScan?
A complete and integrated Application Security Testing (AST) solution
Complete AST offering
1. AppScan is a rich set of application testing management products that can scale.
2. AppScan also offers special editions for specific users.
3. IBM has the strongest ability to execute, including X-Force.
Best fit for enterprises
1. AppScan meets enterprise needs with flexible deployment models and the most advanced testing.
2. AppScan is available in both on-premise and managed services offerings.
3. AppScan has the highest degree of accuracy.
4. AppScan also has the best attack vector coverage.
Integrated AST solution
1. AppScan is part of the larger IBM Security Systems vision that encompasses enterprise security intelligence, mobile, Big Data and Cloud.
2. AppScan can be integrated with enterprise risk management and intelligence via integrations.
Cisco: Scaling application vulnerability management across a large enterprise
The need: With a small security team and an application portfolio of nearly 2,500 applications, security staff worried they were becoming a “bottleneck” in application security testing.
The solution: Using IBM® Security AppScan® Enterprise, Cisco empowered its developers and QA personnel to test applications and address security issues before deployment.
The benefits:
• Drove a 33 percent decrease in the number of issues found
• Reduced post-deployment remediation costs significantly
• Freed security experts to focus on deep application vulnerability assessments
Download the Complete Case Study
“We’ve seen a 33 percent decrease in the number of issues found and a huge reduction in remediation costs post deployment.”
—Sujata Ramamoorthy, Director, Information Security, Cisco
Solution components: IBM® Security AppScan® Standard, IBM Security AppScan Enterprise
WGP03056-USEN-00
Resources
Related Webinar Available On Demand
Mobile Application Security and Data Protection Challenges
http://www-03.ibm.com/security/2013webinarseries/details/index.html
Securing mobile applications requires an understanding of the unique characteristics of mobile computing. Addressing application security early in the software development life cycle is even more important for mobile applications. However securing mobile applications is different from securing mobile devices. In this presentation Tom will highlight the mobile security risks for end users and enterprises, show you some great examples of simple but effective mobile threats, and discuss application development steps every organization should take to protect their customers and their company.
Additional Information
Documents
• EMA Impact Brief - IBM Security AppScan 8.7 Adds Support for iOS Mobile Apps: https://www14.software.ibm.com/webapp/iwm/web/signup.do?source=swg-WW_Security_Organic&S_PKG=ov14494&S_TACT=102PW29W
• AppScan Source Data Sheet: http://public.dhe.ibm.com/common/ssi/ecm/en/rad14105usen/RAD14105USEN.PDF
• AppScan Standard Data Sheet: http://public.dhe.ibm.com/common/ssi/ecm/en/rad14019usen/RAD14019USEN.PDF
• AppScan Enterprise Data Sheet: ftp://public.dhe.ibm.com/common/ssi/ecm/en/rad14113usen/RAD14113USEN.PDF
Posts
• 2013 Gartner Application Security Testing MQ and the Evolution of Software Security: http://securityintelligence.com/2013-gartner-application-security-testing-mq-and-the-evolution-of-software-security/
• Gartner Publishes 2013 Magic Quadrant for Application Security Testing (AST): http://securityintelligence.com/gartner-magic-quadrant-for-application-security-testing-2013/
Podcasts
• 2013 Gartner Magic Quadrant for Application Security Testing: http://www.blogtalkradio.com/calebbarlow/2013/07/25/2013-gartner-magic-quadrant-for-application-security-testing
• Application + Threat + Security intelligence = Priceless: http://www.blogtalkradio.com/calebbarlow/2012/08/13/threat-application-security-intelligence-priceless
• Taking Application Security from the Whiteboard to Reality: http://www.blogtalkradio.com/calebbarlow/2012/06/11/taking-application-security-from-the-whiteboard-to-reality
Videos
• Overview of IBM Security AppScan: http://www.youtube.com/watch?v=9R4IjZpKt8I
• How College Board is Building Security into Application Development: http://www.youtube.com/watch?v=TtqhlcTnbg8
• Building Better, More Secure Applications: http://www.youtube.com/watch?v=UcN2uUolgKk
• Using Application Security Testing to Increase Deployment Speed: http://www.youtube.com/watch?v=VImy3ilYUSk
• IBM Security AppScan 8.7 for iOS mobile application support: http://www.youtube.com/watch?v=I73tbAmJIGw
• IBM Security AppScan 8.7 for iOS Applications: http://www.youtube.com/watch?v=egnEH-GGQEI
• IBM Security AppScan: Analysis Perspective: http://www.youtube.com/watch?v=UZD53ZgV848
ibm.com/security
© Copyright IBM Corporation 2013. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.
Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed or misappropriated or can result in damage to or misuse of your systems, including to attack others. No IT system or product should be considered completely secure and no single product or security measure can be completely effective in preventing improper access. IBM systems and products are designed to be part of a comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT SYSTEMS AND PRODUCTS ARE IMMUNE FROM THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.