SlideShare a Scribd company logo

IBM AppScan Standard - The Web Application Security Solution

Download as PPT, PDF
hearme limited company
hearme limited company

- Web Application Security risks - What is IBM AppScan Standard? - Features - Scenarios - Workflow - Screen short and DEMO

Software
1 of 17
IBM AppScan Standard The Web Application Security Solution Thuc X.Vu <thuc@labsofthings.com> Reseacher, founder of IoT and Data processing Labs Vietsoftware International Inc. Website: http://labsofthings.com/
IBM AppScan Solution2 Vietsoftware International Inc. Agenda  Web Application Security risks  What is IBM AppScan Standard?  Features  Scenarios  Workflow  Screen short and DEMO
IBM AppScan Solution3 Vietsoftware International Inc. Application Threat Negative Impact Example Impact Cross Site scripting Identity Theft, Sensitive Information Leakage, … Hackers can impersonate legitimate users, and control their accounts. Injection Flaws Attacker can manipulate queries to the DB / LDAP / Other system Hackers can access backend database information, alter it or steal it. Malicious File Execution Execute shell commands on server, up to full control Site modified to transfer all interactions to the hacker. Insecure Direct Object Reference Attacker can access sensitive files and resources Web application returns contents of sensitive file (instead of harmless one) Cross-Site Request Forgery Attacker can invoke “blind” actions on web applications, impersonating as a trusted user Blind requests to bank account transfer money to hacker Information Leakage and Improper Error Handling Attackers can gain detailed system information Malicious system reconnaissance may assist in developing further attacks Broken Authentication & Session Management Session tokens not guarded or invalidated properly Hacker can “force” session token on victim; session tokens can be stolen after logout Insecure Cryptographic Storage Weak encryption techniques may lead to broken encryption Confidential information (SSN, Credit Cards) can be decrypted by malicious users Insecure Communications Sensitive info sent unencrypted over insecure channel Unencrypted credentials “sniffed” and used by hacker to impersonate user Failure to Restrict URL Access Hacker can access unauthorized resources Hacker can forcefully browse and access a page past the login page The OWASP Top 10 list 2013
IBM AppScan Solution4 Vietsoftware International Inc. What is AppScan Standard?  Is a security vulnerability testing tool for web applications and web services  Features the most advanced testing methods
IBM AppScan Solution5 Vietsoftware International Inc. How does AppScan work?  Approaches an application as a black-box  Traverses a web application and builds the site model  Determines the attack vectors based on the selected Test policy  Tests by sending modified HTTP requests to the application and examining the HTTP response according to validate rules HTTP Request Web Application HTTP Response
IBM AppScan Solution6 Vietsoftware International Inc. Hybrid Technology Scan for AppScan Standard Employs three distinct testing techniques:  Dynamic Analysis (“black-box scanning”) testing and evaluating application responses during run-time  Static Analysis (“white-box scanning”) analyzes JavaScript code in the context of the full web page  Interactive Analysis (“glass box scanning”) interact with a dedicated glass-box agent which resides on the web-server itself
IBM AppScan Solution7 Vietsoftware International Inc. Main Features  Manual Explore  Full scan  Manager issue  Report  Integrations
IBM AppScan Solution8 Vietsoftware International Inc. Architecture Black-box Scanner Target web appTarget web app HTTP(S)HTTP(S) HTTP(S)HTTP(S) Agent(s) AgentAgent RulesRules Control & Reporting Glass box Component Target ServerTarget Server Glass boxGlass box EngineEngine
IBM AppScan Solution9 Vietsoftware International Inc. Workflow?
IBM AppScan Solution10 Vietsoftware International Inc. User Interface Tour Configure
IBM AppScan Solution11 Vietsoftware International Inc. User Interface Tour Manual Explore  Using browser  Using external device
IBM AppScan Solution12 Vietsoftware International Inc. User Interface Tour Manage Issue
IBM AppScan Solution13 Vietsoftware International Inc. User Interface Tour Report Security Industry Standard Regulatory Compliance Delta Analysis
IBM AppScan Solution14 Vietsoftware International Inc. Intergration  AppScan Enterprise  Rational ClearQuest  HP Quality Center
IBM AppScan Solution15 Vietsoftware International Inc. Intergration Publish result to Enterprise
IBM AppScan Solution16 Vietsoftware International Inc. Credits  Implemented IBM Appscan for customers in Vietnam: Vietcombank; VietinBank; Vietnam Customs  Some presentations on Enterprise Mobile Solution, IoT, Security, payment at http://www.slideshare.net/papaiking/
IBM AppScan Solution17 Vietsoftware International Inc. Smarter security for a smarter planet

Recommended

IBM AppScan Source - The SAST solution
IBM AppScan Source - The SAST solutionIBM AppScan Source - The SAST solution
IBM AppScan Source - The SAST solution
hearme limited company
 
IBM AppScan - the total software security solution
IBM AppScan - the total software security solutionIBM AppScan - the total software security solution
IBM AppScan - the total software security solution
hearme limited company
 
Requirement for creating a Penetration Testing Lab
Requirement for creating a Penetration Testing LabRequirement for creating a Penetration Testing Lab
Requirement for creating a Penetration Testing Lab
Syed Ubaid Ali Jafri
 
Security Analyst Workshop - 20190314
Security Analyst Workshop - 20190314Security Analyst Workshop - 20190314
Security Analyst Workshop - 20190314
Florian Roth
 
Web application security I
Web application security IWeb application security I
Web application security I
Md Syed Ahamad
 
Web Application Penetration Testing
Web Application Penetration Testing Web Application Penetration Testing
Web Application Penetration Testing
Priyanka Aash
 
Source Code Analysis with SAST
Source Code Analysis with SASTSource Code Analysis with SAST
Source Code Analysis with SAST
Blueinfy Solutions
 
Web application security & Testing
Web application security & TestingWeb application security & Testing
Web application security & Testing
Deepu S Nath
 

Recommended

IBM AppScan Source - The SAST solution
IBM AppScan Source - The SAST solutionIBM AppScan Source - The SAST solution
IBM AppScan Source - The SAST solution
hearme limited company
 
IBM AppScan - the total software security solution
IBM AppScan - the total software security solutionIBM AppScan - the total software security solution
IBM AppScan - the total software security solution
hearme limited company
 
Requirement for creating a Penetration Testing Lab
Requirement for creating a Penetration Testing LabRequirement for creating a Penetration Testing Lab
Requirement for creating a Penetration Testing Lab
Syed Ubaid Ali Jafri
 
Security Analyst Workshop - 20190314
Security Analyst Workshop - 20190314Security Analyst Workshop - 20190314
Security Analyst Workshop - 20190314
Florian Roth
 
Web application security I
Web application security IWeb application security I
Web application security I
Md Syed Ahamad
 
Web Application Penetration Testing
Web Application Penetration Testing Web Application Penetration Testing
Web Application Penetration Testing
Priyanka Aash
 
Source Code Analysis with SAST
Source Code Analysis with SASTSource Code Analysis with SAST
Source Code Analysis with SAST
Blueinfy Solutions
 
Web application security & Testing
Web application security & TestingWeb application security & Testing
Web application security & Testing
Deepu S Nath
 
iOS Application Static Analysis - Deepika Kumari.pptx
iOS Application Static Analysis - Deepika Kumari.pptxiOS Application Static Analysis - Deepika Kumari.pptx
iOS Application Static Analysis - Deepika Kumari.pptx
deepikakumari643428
 
Pentesting Using Burp Suite
Pentesting Using Burp SuitePentesting Using Burp Suite
Pentesting Using Burp Suite
jasonhaddix
 
Security testing
Security testingSecurity testing
Security testing
Khizra Sammad
 
Burp Suite v1.1 Introduction
Burp Suite v1.1 IntroductionBurp Suite v1.1 Introduction
Burp Suite v1.1 Introduction
Ashraf Bashir
 
Security Testing
Security TestingSecurity Testing
Security Testing
Kiran Kumar
 
Practical Application of the API Security Top Ten: A Tester's Perspective
Practical Application of the API Security Top Ten: A Tester's PerspectivePractical Application of the API Security Top Ten: A Tester's Perspective
Practical Application of the API Security Top Ten: A Tester's Perspective
RajniHatti
 
Bảo mật ứng dụng web
Bảo mật ứng dụng webBảo mật ứng dụng web
Bảo mật ứng dụng web
Nguyễn Thế Vinh
 
Threat hunting on the wire
Threat hunting on the wireThreat hunting on the wire
Threat hunting on the wire
InfoSec Addicts
 
Secure Coding 101 - OWASP University of Ottawa Workshop
Secure Coding 101 - OWASP University of Ottawa WorkshopSecure Coding 101 - OWASP University of Ottawa Workshop
Secure Coding 101 - OWASP University of Ottawa Workshop
Paul Ionescu
 
Android Application Penetration Testing - Mohammed Adam
Android Application Penetration Testing - Mohammed AdamAndroid Application Penetration Testing - Mohammed Adam
Android Application Penetration Testing - Mohammed Adam
Mohammed Adam
 
Intro to Web Application Security
Intro to Web Application SecurityIntro to Web Application Security
Intro to Web Application Security
Rob Ragan
 
Bug Bounty 101
Bug Bounty 101Bug Bounty 101
Bug Bounty 101
Shahee Mirza
 
OWASP Top 10 - 2017
OWASP Top 10 - 2017OWASP Top 10 - 2017
OWASP Top 10 - 2017
HackerOne
 
Security Testing Training With Examples
Security Testing Training With ExamplesSecurity Testing Training With Examples
Security Testing Training With Examples
Alwin Thayyil
 
Burp Suite Starter
Burp Suite StarterBurp Suite Starter
Burp Suite Starter
Fadi Abdulwahab
 
Using Splunk for Information Security
Using Splunk for Information SecurityUsing Splunk for Information Security
Using Splunk for Information Security
Splunk
 
PHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On LabPHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On Lab
Teymur Kheirkhabarov
 
BSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
BSidesLV 2016 - Powershell - Hunting on the Endpoint - GerritzBSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
BSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
Christopher Gerritz
 
File upload vulnerabilities & mitigation
File upload vulnerabilities & mitigationFile upload vulnerabilities & mitigation
File upload vulnerabilities & mitigation
Onwukike Chinedu. CISA, CEH, COBIT5 LI, CCNP
 
Introduction to penetration testing
Introduction to penetration testingIntroduction to penetration testing
Introduction to penetration testing
Amine SAIGHI
 
Static Application Security Testing Strategies for Automation and Continuous ...
Static Application Security Testing Strategies for Automation and Continuous ...Static Application Security Testing Strategies for Automation and Continuous ...
Static Application Security Testing Strategies for Automation and Continuous ...
Kevin Fealey
 
IBM AppScan Enterprise - The total software security solution
IBM AppScan Enterprise - The total software security solutionIBM AppScan Enterprise - The total software security solution
IBM AppScan Enterprise - The total software security solution
hearme limited company
 

More Related Content

What's hot

OWASP Top 10 - 2017
OWASP Top 10 - 2017OWASP Top 10 - 2017
OWASP Top 10 - 2017
HackerOne
 

What's hot (20)

iOS Application Static Analysis - Deepika Kumari.pptx
iOS Application Static Analysis - Deepika Kumari.pptxiOS Application Static Analysis - Deepika Kumari.pptx
iOS Application Static Analysis - Deepika Kumari.pptx
 
Pentesting Using Burp Suite
Pentesting Using Burp SuitePentesting Using Burp Suite
Pentesting Using Burp Suite
 
Security testing
Security testingSecurity testing
Security testing
 
Burp Suite v1.1 Introduction
Burp Suite v1.1 IntroductionBurp Suite v1.1 Introduction
Burp Suite v1.1 Introduction
 
Security Testing
Security TestingSecurity Testing
Security Testing
 
Practical Application of the API Security Top Ten: A Tester's Perspective
Practical Application of the API Security Top Ten: A Tester's PerspectivePractical Application of the API Security Top Ten: A Tester's Perspective
Practical Application of the API Security Top Ten: A Tester's Perspective
 
Bảo mật ứng dụng web
Bảo mật ứng dụng webBảo mật ứng dụng web
Bảo mật ứng dụng web
 
Threat hunting on the wire
Threat hunting on the wireThreat hunting on the wire
Threat hunting on the wire
 
Secure Coding 101 - OWASP University of Ottawa Workshop
Secure Coding 101 - OWASP University of Ottawa WorkshopSecure Coding 101 - OWASP University of Ottawa Workshop
Secure Coding 101 - OWASP University of Ottawa Workshop
 
Android Application Penetration Testing - Mohammed Adam
Android Application Penetration Testing - Mohammed AdamAndroid Application Penetration Testing - Mohammed Adam
Android Application Penetration Testing - Mohammed Adam
 
Intro to Web Application Security
Intro to Web Application SecurityIntro to Web Application Security
Intro to Web Application Security
 
Bug Bounty 101
Bug Bounty 101Bug Bounty 101
Bug Bounty 101
 
OWASP Top 10 - 2017
OWASP Top 10 - 2017OWASP Top 10 - 2017
OWASP Top 10 - 2017
 
Security Testing Training With Examples
Security Testing Training With ExamplesSecurity Testing Training With Examples
Security Testing Training With Examples
 
Burp Suite Starter
Burp Suite StarterBurp Suite Starter
Burp Suite Starter
 
Using Splunk for Information Security
Using Splunk for Information SecurityUsing Splunk for Information Security
Using Splunk for Information Security
 
PHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On LabPHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On Lab
 
BSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
BSidesLV 2016 - Powershell - Hunting on the Endpoint - GerritzBSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
BSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
 
File upload vulnerabilities & mitigation
File upload vulnerabilities & mitigationFile upload vulnerabilities & mitigation
File upload vulnerabilities & mitigation
 
Introduction to penetration testing
Introduction to penetration testingIntroduction to penetration testing
Introduction to penetration testing
 

Viewers also liked

Mathematics ppt on trigonometry
Mathematics ppt on trigonometryMathematics ppt on trigonometry
Mathematics ppt on trigonometry
niks957
 
Tp1 industriel :criblage des souches productrices des substances antibectérie...
Tp1 industriel :criblage des souches productrices des substances antibectérie...Tp1 industriel :criblage des souches productrices des substances antibectérie...
Tp1 industriel :criblage des souches productrices des substances antibectérie...
sara saidi
 
Some applications of trigonometry
Some applications of trigonometrySome applications of trigonometry
Some applications of trigonometry
Deepak Dalal
 
Maths ppt on some applications of trignometry
Maths ppt on some applications of trignometryMaths ppt on some applications of trignometry
Maths ppt on some applications of trignometry
Harsh Mahajan
 

Viewers also liked (9)

Static Application Security Testing Strategies for Automation and Continuous ...
Static Application Security Testing Strategies for Automation and Continuous ...Static Application Security Testing Strategies for Automation and Continuous ...
Static Application Security Testing Strategies for Automation and Continuous ...
 
IBM AppScan Enterprise - The total software security solution
IBM AppScan Enterprise - The total software security solutionIBM AppScan Enterprise - The total software security solution
IBM AppScan Enterprise - The total software security solution
 
Mathematics ppt on trigonometry
Mathematics ppt on trigonometryMathematics ppt on trigonometry
Mathematics ppt on trigonometry
 
Tp1 industriel :criblage des souches productrices des substances antibectérie...
Tp1 industriel :criblage des souches productrices des substances antibectérie...Tp1 industriel :criblage des souches productrices des substances antibectérie...
Tp1 industriel :criblage des souches productrices des substances antibectérie...
 
Some application of trignometry
Some application of trignometrySome application of trignometry
Some application of trignometry
 
Mobile Application Security Testing (Static Code Analysis) of Android App
Mobile Application Security Testing (Static Code Analysis) of Android AppMobile Application Security Testing (Static Code Analysis) of Android App
Mobile Application Security Testing (Static Code Analysis) of Android App
 
Some applications of trigonometry
Some applications of trigonometrySome applications of trigonometry
Some applications of trigonometry
 
Maths ppt on some applications of trignometry
Maths ppt on some applications of trignometryMaths ppt on some applications of trignometry
Maths ppt on some applications of trignometry
 
Carrefour d'échanges 2010 (FSEDU) : S. Abourjeili - Recherche - Action - Remé...
Carrefour d'échanges 2010 (FSEDU) : S. Abourjeili - Recherche - Action - Remé...Carrefour d'échanges 2010 (FSEDU) : S. Abourjeili - Recherche - Action - Remé...
Carrefour d'échanges 2010 (FSEDU) : S. Abourjeili - Recherche - Action - Remé...
 

Similar to IBM AppScan Standard - The Web Application Security Solution

AppSec EU 2016: Automated Mobile Application Security Assessment with MobSF
AppSec EU 2016: Automated Mobile Application Security Assessment with MobSFAppSec EU 2016: Automated Mobile Application Security Assessment with MobSF
AppSec EU 2016: Automated Mobile Application Security Assessment with MobSF
Ajin Abraham
 
A look at the prevalence of client-side JavaScript vulnerabilities in web app...
A look at the prevalence of client-side JavaScript vulnerabilities in web app...A look at the prevalence of client-side JavaScript vulnerabilities in web app...
A look at the prevalence of client-side JavaScript vulnerabilities in web app...
IBM Rational software
 
Hackers versus Developers and Secure Web Programming
Hackers versus Developers and Secure Web ProgrammingHackers versus Developers and Secure Web Programming
Hackers versus Developers and Secure Web Programming
Akash Mahajan
 

Similar to IBM AppScan Standard - The Web Application Security Solution (20)

Get Ready for Web Application Security Testing
Get Ready for Web Application Security TestingGet Ready for Web Application Security Testing
Get Ready for Web Application Security Testing
 
AppSec EU 2016: Automated Mobile Application Security Assessment with MobSF
AppSec EU 2016: Automated Mobile Application Security Assessment with MobSFAppSec EU 2016: Automated Mobile Application Security Assessment with MobSF
AppSec EU 2016: Automated Mobile Application Security Assessment with MobSF
 
mobsf.pdf
mobsf.pdfmobsf.pdf
mobsf.pdf
 
A26001006
A26001006A26001006
A26001006
 
Web 2.0 Hacking
Web 2.0 HackingWeb 2.0 Hacking
Web 2.0 Hacking
 
Web Hacking
Web HackingWeb Hacking
Web Hacking
 
Owasp web security
Owasp web securityOwasp web security
Owasp web security
 
A look at the prevalence of client-side JavaScript vulnerabilities in web app...
A look at the prevalence of client-side JavaScript vulnerabilities in web app...A look at the prevalence of client-side JavaScript vulnerabilities in web app...
A look at the prevalence of client-side JavaScript vulnerabilities in web app...
 
Common Web Application Attacks
Common Web Application Attacks Common Web Application Attacks
Common Web Application Attacks
 
MS Innovation Day: A Lap Around Web Application Vulnerabilities by MVP Walter...
MS Innovation Day: A Lap Around Web Application Vulnerabilities by MVP Walter...MS Innovation Day: A Lap Around Web Application Vulnerabilities by MVP Walter...
MS Innovation Day: A Lap Around Web Application Vulnerabilities by MVP Walter...
 
Altitude SF 2017: Security at the edge
Altitude SF 2017: Security at the edgeAltitude SF 2017: Security at the edge
Altitude SF 2017: Security at the edge
 
IRJET- Bug Hunting using Web Application Penetration Testing Techniques.
IRJET- Bug Hunting using Web Application Penetration Testing Techniques.IRJET- Bug Hunting using Web Application Penetration Testing Techniques.
IRJET- Bug Hunting using Web Application Penetration Testing Techniques.
 
Discovering the Value of Verifying Web Application Security Using IBM Rationa...
Discovering the Value of Verifying Web Application Security Using IBM Rationa...Discovering the Value of Verifying Web Application Security Using IBM Rationa...
Discovering the Value of Verifying Web Application Security Using IBM Rationa...
 
Project Presentation
Project Presentation Project Presentation
Project Presentation
 
T04505103106
T04505103106T04505103106
T04505103106
 
Hackers versus Developers and Secure Web Programming
Hackers versus Developers and Secure Web ProgrammingHackers versus Developers and Secure Web Programming
Hackers versus Developers and Secure Web Programming
 
Hacking web applications
Hacking web applicationsHacking web applications
Hacking web applications
 
Web Application Testing for Today’s Biggest and Emerging Threats
Web Application Testing for Today’s Biggest and Emerging ThreatsWeb Application Testing for Today’s Biggest and Emerging Threats
Web Application Testing for Today’s Biggest and Emerging Threats
 
Cyber ppt
Cyber pptCyber ppt
Cyber ppt
 
PROP - P ATRONAGE OF PHP W EB A PPLICATIONS
PROP - P ATRONAGE OF PHP W EB A PPLICATIONSPROP - P ATRONAGE OF PHP W EB A PPLICATIONS
PROP - P ATRONAGE OF PHP W EB A PPLICATIONS
 

More from hearme limited company

TOÀN DIỆN VỀ TRẢI NGHIỆM KHÁCH HÀNG TRONG KỶ NGUYÊN 4.0
TOÀN DIỆN VỀ TRẢI NGHIỆM KHÁCH HÀNG TRONG KỶ NGUYÊN 4.0TOÀN DIỆN VỀ TRẢI NGHIỆM KHÁCH HÀNG TRONG KỶ NGUYÊN 4.0
TOÀN DIỆN VỀ TRẢI NGHIỆM KHÁCH HÀNG TRONG KỶ NGUYÊN 4.0
hearme limited company
 
CHUYỂN ĐỐI SỐ LẤY KHÁCH HÀNG LÀM TRUNG TÂM
CHUYỂN ĐỐI SỐ LẤY KHÁCH HÀNG LÀM TRUNG TÂMCHUYỂN ĐỐI SỐ LẤY KHÁCH HÀNG LÀM TRUNG TÂM
CHUYỂN ĐỐI SỐ LẤY KHÁCH HÀNG LÀM TRUNG TÂM
hearme limited company
 

More from hearme limited company (14)

TOÀN DIỆN VỀ TRẢI NGHIỆM KHÁCH HÀNG TRONG KỶ NGUYÊN 4.0
TOÀN DIỆN VỀ TRẢI NGHIỆM KHÁCH HÀNG TRONG KỶ NGUYÊN 4.0TOÀN DIỆN VỀ TRẢI NGHIỆM KHÁCH HÀNG TRONG KỶ NGUYÊN 4.0
TOÀN DIỆN VỀ TRẢI NGHIỆM KHÁCH HÀNG TRONG KỶ NGUYÊN 4.0
 
CHUYỂN ĐỐI SỐ LẤY KHÁCH HÀNG LÀM TRUNG TÂM
CHUYỂN ĐỐI SỐ LẤY KHÁCH HÀNG LÀM TRUNG TÂMCHUYỂN ĐỐI SỐ LẤY KHÁCH HÀNG LÀM TRUNG TÂM
CHUYỂN ĐỐI SỐ LẤY KHÁCH HÀNG LÀM TRUNG TÂM
 
Hướng dẫn sử dụng hearme - v1.8.6
Hướng dẫn sử dụng hearme - v1.8.6Hướng dẫn sử dụng hearme - v1.8.6
Hướng dẫn sử dụng hearme - v1.8.6
 
Trải nghiệm khách hàng
Trải nghiệm khách hàngTrải nghiệm khách hàng
Trải nghiệm khách hàng
 
hearme solution for Customer experience measurement
hearme solution for Customer experience measurementhearme solution for Customer experience measurement
hearme solution for Customer experience measurement
 
Giải pháp đo lường hài lòng khách hàng hearme
Giải pháp đo lường hài lòng khách hàng hearmeGiải pháp đo lường hài lòng khách hàng hearme
Giải pháp đo lường hài lòng khách hàng hearme
 
Open Source solution for Mobile Enterprise Application System
Open Source solution for Mobile Enterprise Application SystemOpen Source solution for Mobile Enterprise Application System
Open Source solution for Mobile Enterprise Application System
 
Mobile Enterprise Application vision
Mobile Enterprise Application visionMobile Enterprise Application vision
Mobile Enterprise Application vision
 
Mobile payment solution
Mobile payment solutionMobile payment solution
Mobile payment solution
 
on Sales Performance Management system
on Sales Performance Management systemon Sales Performance Management system
on Sales Performance Management system
 
GIỚI THIỆU GIẢI PHÁP IBM Worklight
GIỚI THIỆU GIẢI PHÁP IBM WorklightGIỚI THIỆU GIẢI PHÁP IBM Worklight
GIỚI THIỆU GIẢI PHÁP IBM Worklight
 
Apply Logistic Regression model in Making Celebrity's popularity ranking system
Apply Logistic Regression model in Making Celebrity's popularity ranking systemApply Logistic Regression model in Making Celebrity's popularity ranking system
Apply Logistic Regression model in Making Celebrity's popularity ranking system
 
GIẢI PHÁP DI ĐỘNG CHO NGÂN HÀNG BÁN LẺ
GIẢI PHÁP DI ĐỘNG CHO NGÂN HÀNG BÁN LẺGIẢI PHÁP DI ĐỘNG CHO NGÂN HÀNG BÁN LẺ
GIẢI PHÁP DI ĐỘNG CHO NGÂN HÀNG BÁN LẺ
 
Giới thiệu về Chợ xây dựng
Giới thiệu về Chợ xây dựngGiới thiệu về Chợ xây dựng
Giới thiệu về Chợ xây dựng
 

Recently uploaded

AI & Machine Learning Presentation Template
AI & Machine Learning Presentation TemplateAI & Machine Learning Presentation Template
AI & Machine Learning Presentation Template
Presentation.STUDIO
 
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
panagenda
 
AI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
AI Mastery 201: Elevating Your Workflow with Advanced LLM TechniquesAI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
AI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
VictorSzoltysek
 
Chinsurah Escorts ☎️8617697112 Starting From 5K to 15K High Profile Escorts ...
Chinsurah Escorts ☎️8617697112 Starting From 5K to 15K High Profile Escorts ...Chinsurah Escorts ☎️8617697112 Starting From 5K to 15K High Profile Escorts ...
Chinsurah Escorts ☎️8617697112 Starting From 5K to 15K High Profile Escorts ...
Nitya salvi
 
The title is not connected to what is inside
The title is not connected to what is insideThe title is not connected to what is inside
The title is not connected to what is inside
shinachiaurasa2
 
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...
masabamasaba
 
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
Health
 

Recently uploaded (20)

AI & Machine Learning Presentation Template
AI & Machine Learning Presentation TemplateAI & Machine Learning Presentation Template
AI & Machine Learning Presentation Template
 
8257 interfacing 2 in microprocessor for btech students
8257 interfacing 2 in microprocessor for btech students8257 interfacing 2 in microprocessor for btech students
8257 interfacing 2 in microprocessor for btech students
 
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
 
%+27788225528 love spells in Vancouver Psychic Readings, Attraction spells,Br...
%+27788225528 love spells in Vancouver Psychic Readings, Attraction spells,Br...%+27788225528 love spells in Vancouver Psychic Readings, Attraction spells,Br...
%+27788225528 love spells in Vancouver Psychic Readings, Attraction spells,Br...
 
%in tembisa+277-882-255-28 abortion pills for sale in tembisa
%in tembisa+277-882-255-28 abortion pills for sale in tembisa%in tembisa+277-882-255-28 abortion pills for sale in tembisa
%in tembisa+277-882-255-28 abortion pills for sale in tembisa
 
Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...
Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...
Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...
 
Payment Gateway Testing Simplified_ A Step-by-Step Guide for Beginners.pdf
Payment Gateway Testing Simplified_ A Step-by-Step Guide for Beginners.pdfPayment Gateway Testing Simplified_ A Step-by-Step Guide for Beginners.pdf
Payment Gateway Testing Simplified_ A Step-by-Step Guide for Beginners.pdf
 
Generic or specific? Making sensible software design decisions
Generic or specific? Making sensible software design decisionsGeneric or specific? Making sensible software design decisions
Generic or specific? Making sensible software design decisions
 
10 Trends Likely to Shape Enterprise Technology in 2024
10 Trends Likely to Shape Enterprise Technology in 202410 Trends Likely to Shape Enterprise Technology in 2024
10 Trends Likely to Shape Enterprise Technology in 2024
 
%in ivory park+277-882-255-28 abortion pills for sale in ivory park
%in ivory park+277-882-255-28 abortion pills for sale in ivory park %in ivory park+277-882-255-28 abortion pills for sale in ivory park
%in ivory park+277-882-255-28 abortion pills for sale in ivory park
 
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfThe Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
 
%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein
%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein
%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein
 
%in Bahrain+277-882-255-28 abortion pills for sale in Bahrain
%in Bahrain+277-882-255-28 abortion pills for sale in Bahrain%in Bahrain+277-882-255-28 abortion pills for sale in Bahrain
%in Bahrain+277-882-255-28 abortion pills for sale in Bahrain
 
AI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
AI Mastery 201: Elevating Your Workflow with Advanced LLM TechniquesAI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
AI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
 
Chinsurah Escorts ☎️8617697112 Starting From 5K to 15K High Profile Escorts ...
Chinsurah Escorts ☎️8617697112 Starting From 5K to 15K High Profile Escorts ...Chinsurah Escorts ☎️8617697112 Starting From 5K to 15K High Profile Escorts ...
Chinsurah Escorts ☎️8617697112 Starting From 5K to 15K High Profile Escorts ...
 
Software Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsSoftware Quality Assurance Interview Questions
Software Quality Assurance Interview Questions
 
The title is not connected to what is inside
The title is not connected to what is insideThe title is not connected to what is inside
The title is not connected to what is inside
 
Define the academic and professional writing..pdf
Define the academic and professional writing..pdfDefine the academic and professional writing..pdf
Define the academic and professional writing..pdf
 
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...
 
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
 

IBM AppScan Standard - The Web Application Security Solution

  • 1. IBM AppScan Standard The Web Application Security Solution Thuc X.Vu <thuc@labsofthings.com> Reseacher, founder of IoT and Data processing Labs Vietsoftware International Inc. Website: http://labsofthings.com/
  • 2. IBM AppScan Solution2 Vietsoftware International Inc. Agenda  Web Application Security risks  What is IBM AppScan Standard?  Features  Scenarios  Workflow  Screen short and DEMO
  • 3. IBM AppScan Solution3 Vietsoftware International Inc. Application Threat Negative Impact Example Impact Cross Site scripting Identity Theft, Sensitive Information Leakage, … Hackers can impersonate legitimate users, and control their accounts. Injection Flaws Attacker can manipulate queries to the DB / LDAP / Other system Hackers can access backend database information, alter it or steal it. Malicious File Execution Execute shell commands on server, up to full control Site modified to transfer all interactions to the hacker. Insecure Direct Object Reference Attacker can access sensitive files and resources Web application returns contents of sensitive file (instead of harmless one) Cross-Site Request Forgery Attacker can invoke “blind” actions on web applications, impersonating as a trusted user Blind requests to bank account transfer money to hacker Information Leakage and Improper Error Handling Attackers can gain detailed system information Malicious system reconnaissance may assist in developing further attacks Broken Authentication & Session Management Session tokens not guarded or invalidated properly Hacker can “force” session token on victim; session tokens can be stolen after logout Insecure Cryptographic Storage Weak encryption techniques may lead to broken encryption Confidential information (SSN, Credit Cards) can be decrypted by malicious users Insecure Communications Sensitive info sent unencrypted over insecure channel Unencrypted credentials “sniffed” and used by hacker to impersonate user Failure to Restrict URL Access Hacker can access unauthorized resources Hacker can forcefully browse and access a page past the login page The OWASP Top 10 list 2013
  • 4. IBM AppScan Solution4 Vietsoftware International Inc. What is AppScan Standard?  Is a security vulnerability testing tool for web applications and web services  Features the most advanced testing methods
  • 5. IBM AppScan Solution5 Vietsoftware International Inc. How does AppScan work?  Approaches an application as a black-box  Traverses a web application and builds the site model  Determines the attack vectors based on the selected Test policy  Tests by sending modified HTTP requests to the application and examining the HTTP response according to validate rules HTTP Request Web Application HTTP Response
  • 6. IBM AppScan Solution6 Vietsoftware International Inc. Hybrid Technology Scan for AppScan Standard Employs three distinct testing techniques:  Dynamic Analysis (“black-box scanning”) testing and evaluating application responses during run-time  Static Analysis (“white-box scanning”) analyzes JavaScript code in the context of the full web page  Interactive Analysis (“glass box scanning”) interact with a dedicated glass-box agent which resides on the web-server itself
  • 7. IBM AppScan Solution7 Vietsoftware International Inc. Main Features  Manual Explore  Full scan  Manager issue  Report  Integrations
  • 8. IBM AppScan Solution8 Vietsoftware International Inc. Architecture Black-box Scanner Target web appTarget web app HTTP(S)HTTP(S) HTTP(S)HTTP(S) Agent(s) AgentAgent RulesRules Control & Reporting Glass box Component Target ServerTarget Server Glass boxGlass box EngineEngine
  • 9. IBM AppScan Solution9 Vietsoftware International Inc. Workflow?
  • 10. IBM AppScan Solution10 Vietsoftware International Inc. User Interface Tour Configure
  • 11. IBM AppScan Solution11 Vietsoftware International Inc. User Interface Tour Manual Explore  Using browser  Using external device
  • 12. IBM AppScan Solution12 Vietsoftware International Inc. User Interface Tour Manage Issue
  • 13. IBM AppScan Solution13 Vietsoftware International Inc. User Interface Tour Report Security Industry Standard Regulatory Compliance Delta Analysis
  • 14. IBM AppScan Solution14 Vietsoftware International Inc. Intergration  AppScan Enterprise  Rational ClearQuest  HP Quality Center
  • 15. IBM AppScan Solution15 Vietsoftware International Inc. Intergration Publish result to Enterprise
  • 16. IBM AppScan Solution16 Vietsoftware International Inc. Credits  Implemented IBM Appscan for customers in Vietnam: Vietcombank; VietinBank; Vietnam Customs  Some presentations on Enterprise Mobile Solution, IoT, Security, payment at http://www.slideshare.net/papaiking/
  • 17. IBM AppScan Solution17 Vietsoftware International Inc. Smarter security for a smarter planet

Editor's Notes

  1. The OWASP Top 10 list, includes the following 10 common security issues, which we will cover in a moment.
  2. AppScan scans for vulnerabilities by traversing an application similarly to the way a user browses a website. It starts from the home page or some other entry point, as defined by the user, and follows all the links. Each page is analyzed, and based on the characteristics of the page, AppScan sends a number of tests. The tests are sent in the form of HTTP requests. AppScan determines the presence of vulnerabilities based on the responses from the web server. The application is treated as a black box and AppScan communicates with it just like a browser does. AppScan Enterprise has thousands of built-in tests and checks for hundreds of different types of vulnerabilities.