Strengthening application security capabilities while improving time to value
2. IBM Security Systems
Agenda
IBM Security Framework
Why Application Security is Important
What’s New in AppScan 8.8
Why IBM?
Resources
© 2013 IBM Corporation
3. IBM Security Systems
X-Force is the foundation for advanced security and threat research across the IBM Security Framework
The mission of X-Force is to:
Monitor and evaluate the rapidly changing threat landscape
Research new attack techniques and develop protection for tomorrow’s security challenges
Educate our customers and the general public
5. IBM Security Systems
Application Security Landscape
Web application vulnerabilities dominate enterprise threat landscape.
Applications in Development
In-house development
Outsourced development
Production Applications
Developed in house
Acquired
Off-the-shelf commercial apps
31% of new attacks targeted vulnerabilities in web applications (1H 2013)*
More than 50% of all web application vulnerabilities are categorized as cross-site scripting.
Security vulnerabilities can impact a wide variety of applications:
Applications in Development: In-house and outsourced
Production Applications: In-house, acquired and off-the-shelf commercial apps
*IBM X-Force 2013 Mid-Year Trend and Risk Report
6. IBM Security Systems
Mobile Security Landscape
Mobile vulnerabilities have grown rapidly since 2009, along with explosive growth in mobile applications.
Attack sophistication is increasing, particularly those targeted at Android devices.
Organizations must have a mobile application security strategy.
7. IBM Security Systems
Application Security: Core Component of Your Security Strategy
1. Web application vulnerabilities dominate enterprise threat landscape.
2. Mobile application attacks are increasing rapidly.
3. Vulnerabilities are spread through a wide variety of applications (internal development apps and external production apps).
4. Common questions from IBM clients: Where are our vulnerabilities and how do we assess our risks?
5. Many organizations struggle with best practices for managing application security in their IT environments.
8. IBM Security Systems
Cheaper to find and fix earlier in the lifecycle – When do you test?
80% of development costs are spent identifying and correcting defects!***
Average Cost of a Data Breach: $7.2M** from law suits, loss of customer trust, damage to brand
Find during Development: $80 / defect; *$8,000 / application
Find during Build: $240 / defect; *$24,000 / application
Find during QA/Test: $960 / defect; *$96,000 / application
Find in Production: $7,600 / defect; *$760,000 / application
*Based on X-Force analysis of 100 vulnerabilities per application
** Source: Ponemon Institute 2009-10
*** Source: National Institute of Standards and Technology
9. IBM Security Systems
Is there a disconnect? Perception vs. Reality
Where are your “security risks,” compared to your “security spend”?
Spend ≠ Risk
Source:
The State of Risk-Based Security Management,
A Research Study by Ponemon Institute, 2013
Do you have defined Secure Architecture Standards?
Exec ≠ Developers view
Source:
The State of Application Security
A Research Study by Ponemon Institute, 2013
10. IBM Security Systems
Mobile Malware – 2013 Data
Source: Juniper Networks Third Annual Mobile Threats Report: March 2012 through March 2013
11. IBM Security Systems
IBM X-Force 2013 Mid-Year Report
Android malware increasing
Sophistication of attacks increasing
New versions of Android helping to reduce risk
Android market is very fragmented
http://securityintelligence.com/cyber-attacksresearch-reveals-top-tactics-xforce/
12. IBM Security Systems
IBM’s Partnered Application Security Solution with Arxan
Arxan technology:
Protects deployed mobile applications
Enhances tamper-proofing
Protects against reverse-engineering
Protects against targeted malware
Source: Arxan State of Security in the App Economy – 2012
Goal: Develop secure applications and protect deployed mobile applications, by utilizing IBM/Arxan solution.
13. IBM Security Systems
Adopt a Secure by Design approach to enable you to design, deliver
and manage smarter software and services
Build security into your application development process
Efficiently and effectively address security defects before deployment
Collaborate effectively between Security and Development
Provide Management visibility
Deliver New Services Faster
Innovate Securely
Reduce Costs
Proactively address vulnerabilities early in the development process
14. IBM Security Systems
Finding more vulnerabilities using advanced techniques
Total Potential Security Issues
Static Analysis
- Analyze Source Code
- Use during development
- Uses Taint Analysis / Pattern Matching
Dynamic Analysis
- Analyze Live Web Application
- Use during testing
- Uses HTTP tampering
Hybrid Analysis
- Correlate Dynamic and Static results
- Assists remediation by identification of line of code
Run-Time Analysis
- Combines Dynamic Analysis with run-time agent
- More results, better accuracy
Client-Side Analysis
- Analyze downloaded JavaScript code which runs in client
- Unique in the industry
15. IBM Security Systems
Application Security Testing
Audience: Development teams, Security teams, Penetration Testers
SDLC: CODING, BUILD, QA, SECURITY, PRODUCTION
Scanning Techniques
Static analysis (white box): Source code vulnerabilities & code quality risks; Data & Call Flow analysis tracks tainted data
Hybrid Glass Box analysis
Dynamic analysis (black box): Live Web Application; Web crawling & Manual testing
Applications
Programming Languages: Java/Android, JSP, C, C++, COBOL, SAP ABAP, C#, ASP.NET, VB.NET, Classic ASP, ColdFusion, VB6, VBScript, HTML, PHP, Perl, PL/SQL, T-SQL, Client-side JavaScript, Server-side JavaScript
Web Applications
Web Services
Web 2.0, HTML5, AJAX, JavaScript, Adobe Flash & Flex
Mobile Applications: iPhone Objective-C, Android Java
Purchased Applications
Governance & Collaboration
Training – Applications Security & Product (Instructor led, self paced – classroom & web based)
Test policies, test templates and access control
Dashboards, detailed reports & trending
Manage regulatory requirements such as DIACAP, PCI, GLBA and HIPAA (40+ out-of-the-box compliance reports)
Integrated
Build Systems: improve scan efficiencies (Rational Build Forge, Rational Team Concert, Hudson, Maven)
Defect Tracking Systems: track remediation (Rational Team Concert, Rational ClearQuest, HP QC, MS Team Foundation Server)
IDEs: remediation assistance (RAD, Rational Team Concert, Eclipse, Visual Studio)
Security Intelligence: raise threat level (SiteProtector, QRadar, Guardium)
16. IBM Security Systems
AppScan Source Mobile Support
Ensure mobile applications are not susceptible to malware!
Support for Android and Native Apple iOS apps
Security SDK research & risk assessment of over 20k Android APIs and 20k iOS APIs
Mac OS X platform support
Xcode interoperability & build automation support
Full call and data flow analysis of Objective-C, JavaScript, Java
Identify where sensitive data is being leaked
17. IBM Security Systems
AppScan integrations with other IBM Security Systems products
QRadar
• Application discovery and context
• Risk-based vulnerability analysis
• Security policies and alerts
SiteProtector
• Network activity monitoring
• Web application protection
AppScan
• Application vulnerability assessments
Guardium
• Database vulnerability assessments
• Database activity monitoring
• Data protection policies
18. IBM Security Systems
AppScan - QRadar Vulnerability Manager integration
Features:
QVM Scanner provides network asset scanning and uncredentialed web application and database scanning
AppScan provides comprehensive credentialed web application scanning
AppScan vulnerability database integrated into QVM
QVM reports, dashboards and vulnerability management features all utilise AppScan vulnerabilities
QVM enables network usage, security and threat context data to be applied to AppScan vulnerabilities
• Application Vulnerability
• Identified Risk
Benefits:
Single view of vulnerability posture, improved incident response time
Prioritize web application vulnerability remediation and mitigation with rich context information
20. IBM Security Systems
AppScan 8.8 - Strengthening application security capabilities while
improving time to value
1. Improve time to value on static analysis
Streamlined triage features to quickly identify security risk
Faster and easier configuration of Java applications
2. Quickly identify confirmed vulnerabilities
Identify top security risks by leveraging latest industry standards from OWASP top 10 and Mobile top 10 for 2013
Out of the box filters and scan confirmations ensure security compliance and best practices
3. Enhanced encryption to protect your security assets
Support for industry standard Transport Layer Security (TLS) protocol 1.2
Compliance with National Institute of Standards and Technology (NIST) Special Publication (SP) 800-131a
21. IBM Security Systems
AppScan 8.8: U.S. Federal Compliance Update
Enhanced encryption (support for TLS 1.2)
Compliance with National Institute of Standards and Technology (NIST) Special Publication (SP) 800-131a.
DISA STIG V3.5 out-of-the-box report (Source only)
22. IBM Security Systems
AppScan Source 8.8: Consumability & Usability Features
New Vulnerability Matrix with extensive Tool Tips
More options to optimize viewing of important trace information
Collapsible Trace view
23. IBM Security Systems
AppScan Source 8.8: Improved Time to Value
Scan Configurations
Enhanced: Android, Large application, Normal, Quick, Web
New: Follow all virtual call targets, iOS, Maximize findings, Maximize traces, Show all errors and warnings in console, Medium-to-large application, User input vulnerabilities, Service code
Filter Support
Updated existing filters to improve accuracy
Added new filters: OWASP Top 10 2013, OWASP Top 10 Mobile Risks
Added filter information to assessment results and reports
Vulnerability types automatically set
New Out-of-the-box reports
DISA STIG V3.5
OWASP Top 10 2013
OWASP Top 10 Mobile Risks, RC1
24. IBM Security Systems
AppScan Source 8.8: Platform Updates
Operating System Updates
Windows Server 2012
Red Hat Enterprise Linux 6.4
Updated IDE Support
Visual Studio 2012
Eclipse 4.2, 4.2.2, 4.3
Rational Application Developer 8.5.1, 9.0
Defect Tracking System Updates
Rational ClearQuest 8.0.1
Rational Team Concert 4.0.2, 4.0.3, 4.0.4
Enhanced Framework Support
Spring MVC 3
Additional feature support for
Spring MVC 2.5
ASP.NET MVC
.NET 4.5
Java JAX-RS (V1.0 & 1.1)
Java JAX-WS (V2.2)
Enhanced Web Services support including WSDL
Other Updates
Rational License Key Server 8.1.4
WebLogic 11, 12
WebSphere 8, 8.5
Tomcat 7
Support for .NET 4.5
Microsoft Windows authentication via AppScan Enterprise
25. IBM Security Systems
AppScan Enterprise 8.8: Summary
Importing a scan configuration from AppScan Standard desktop client
Leverage the scalability of AppScan Enterprise Dynamic Analysis Scanner by importing and scheduling scans configured with the AppScan Standard desktop client.
Windows-based authentication for both DAST and SAST clients
Set up Windows authentication (based on Active Directory) when deploying both DAST and SAST clients. Installing and setting up Jazz Team Server is NOT required!
Enhanced REST API for QA automation
Reuse quality assurance functional test scripts to implement Dynamic Analysis security testing automation via new REST API interfaces.
Finer custom user type settings
More flexibility for configuring decentralized AppScan Enterprise administration.
Compliance report update
OWASP Top 10 (2013)
28. IBM Security Systems
AppScan Enterprise 8.8: Enhanced REST API for QA automation
The problem
The task of recording scripts (HTTP traffic) for the purposes of security testing is duplication of the same task being performed for the purpose of functional testing.
QA teams would like to leverage their functional test scripts (based on HTTP traffic) for the purposes of security testing.
29. IBM Security Systems
AppScan Enterprise 8.8: Enhanced REST API for QA automation
The solution – new REST API interfaces to help:
Integrate AppScan with various QA automation tools to remove duplication of work
Automate the creation of AppScan security scan jobs based on captured HTTP traffic
30. IBM Security Systems
AppScan Standard 8.8: Summary
Session management improvements – Action Based Login (ABL)
Parameter and cookie tracking new options
User Experience related enhancements:
Session detection pattern – In Session or Out of Session
Manual Test dialog now has Search fields for both request and response content.
Use External Browser option is exposed in the UI
TLS 1.1 and 1.2 are now supported in addition to TLS 1.0 and SSL 3.0
SSL 2.0 has been deprecated in this release, but can still be configured
Generic Services Client update: Version 8.5 is now used for setting up web services scans
31. IBM Security Systems
AppScan Standard 8.8: Action Based Login
Session handling is one of the key factors for a successful scan.
In previous versions, when a login sequence was recorded, AppScan would use the recorded HTTP traffic to replay the same sequence of requests each time a login playback was needed.
With Action Based Login, AppScan actually uses the browser and performs the same actions as recorded by the user.
Internal tests show dramatic improvement in AppScan’s ability to successfully record and replay the login sequence.
ABL combined with the ‘old’ traffic based login is used automatically by AppScan and there is no need for user intervention.
32. IBM Security Systems
Try AppScan 8.8 Now!
Free download available
http://www.ibm.com/developerworks/downloads/r/appscan/
The IBM Security AppScan download is a fully functional, unlimited version of the IBM Security AppScan Standard product.
The only restriction is that scanning is limited to one site, Altoro Mutual at http://demo.testfire.net. We provide this site to testers so that you can explore the testing process without fear of bringing down a production site.
34. IBM Security Systems
Gartner has recognized IBM as a leader in the Magic Quadrant for Application Security Testing (AST)
Magic Quadrant for Application Security Testing
Neil MacDonald, Joseph Feiman
July 2, 2013
“The market for application security testing is changing rapidly. Technology trends, such as mobile applications, advanced Web applications and dynamic languages, are forcing the need to combine dynamic and static testing capabilities, which is reshaping the overall market.”
This Magic Quadrant graphic was published by Gartner, Inc. as part of a larger research note and should be evaluated in the context of the entire report. The link to the Gartner report is available upon request from IBM.
Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose
35. IBM Security Systems
Why IBM Security AppScan?
Complete and integrated Application Security Testing (AST) solution in the market
Complete AST offering
1. AppScan is a rich set of application testing management products that can scale.
2. AppScan also offers special editions for specific users.
3. IBM has the strongest ability to execute including X-Force.
Integrated AST solution
1. AppScan is part of the larger IBM Security Systems vision that encompasses the enterprise security intelligence, mobile, Big Data and Cloud
2. AppScan can be integrated with enterprise risk management and intelligence via integrations
Best fit for enterprises
1. AppScan meets enterprise needs with flexible deployment models and the most advanced testing.
2. AppScan is available in both on-premise and managed services offerings
3. AppScan has the highest degree of accuracy
4. AppScan also has the best attack vector coverage
36. IBM Security Systems
Cisco
Scaling application vulnerability management across a large enterprise
The need:
With a small security team and an application portfolio of nearly 2,500 applications, security staff worried they were becoming a “bottleneck” in application security testing.
The solution:
Using IBM® Security AppScan® Enterprise, Cisco empowered its developers and QA personnel to test applications and address security issues before deployment.
The benefits:
Drove a 33 percent decrease in number of issues found
Reduced post-deployment remediation costs significantly
Freed security experts to focus on deep application vulnerability assessments
“We’ve seen a 33 percent decrease in the number of issues found and a huge reduction in remediation costs post deployment.”
—Sujata Ramamoorthy, Director, Information Security, Cisco
Solution components:
IBM® Security AppScan® Standard
IBM Security AppScan Enterprise
Download the Complete Case Study
WGP03056-USEN-00
38. IBM Security Systems
Related Webinar Available On Demand
Mobile Application Security and Data Protection Challenges
http://www-03.ibm.com/security/2013webinarseries/details/index.html
Securing mobile applications requires an understanding of the unique characteristics of mobile computing. Addressing application security early in the software development life cycle is even more important for mobile applications. However, securing mobile applications is different from securing mobile devices. In this presentation Tom will highlight the mobile security risks for end users and enterprises, show you some great examples of simple but effective mobile threats, and discuss application development steps every organization should take to protect their customers and their company.
39. IBM Security Systems
Additional Information
Documents
EMA Impact Brief - IBM Security AppScan 8.7 Adds Support for iOS Mobile Apps
https://www14.software.ibm.com/webapp/iwm/web/signup.do?source=swgWW_Security_Organic&S_PKG=ov14494&S_TACT=102PW29W
AppScan Source Data Sheet
http://public.dhe.ibm.com/common/ssi/ecm/en/rad14105usen/RAD14105USEN.PDF
AppScan Standard Data Sheet
http://public.dhe.ibm.com/common/ssi/ecm/en/rad14019usen/RAD14019USEN.PDF
AppScan Enterprise Data Sheet
ftp://public.dhe.ibm.com/common/ssi/ecm/en/rad14113usen/RAD14113USEN.PDF
Posts
2013 Gartner Application Security Testing MQ and the Evolution of Software Security
http://securityintelligence.com/2013-gartner-application-security-testing-mq-and-the-evolution-of-software-security/
Gartner Publishes 2013 Magic Quadrant for Application Security Testing (AST)
http://securityintelligence.com/gartner-magic-quadrant-for-application-security-testing-2013/
Podcasts
2013 Gartner Magic Quadrant for Application Security Testing
http://www.blogtalkradio.com/calebbarlow/2013/07/25/2013-gartner-magic-quadrant-for-application-security-testing
Application + Threat + Security intelligence = Priceless
http://www.blogtalkradio.com/calebbarlow/2012/08/13/threat-application-security-intelligence-priceless
Taking Application Security from the Whiteboard to Reality
http://www.blogtalkradio.com/calebbarlow/2012/06/11/taking-application-security-from-the-whiteboard-to-reality
40. IBM Security Systems
Videos
Overview of IBM Security AppScan
http://www.youtube.com/watch?v=9R4IjZpKt8I
How College Board is Building Security into Application Development
http://www.youtube.com/watch?v=TtqhlcTnbg8
Building Better, More Secure Applications
http://www.youtube.com/watch?v=UcN2uUolgKk
Using Application Security Testing to Increase Deployment Speed
http://www.youtube.com/watch?v=VImy3ilYUSk
IBM Security AppScan 8.7 for iOS mobile application support
http://www.youtube.com/watch?v=I73tbAmJIGw
IBM Security AppScan 8.7 for iOS Applications
http://www.youtube.com/watch?v=egnEH-GGQEI
IBM Security AppScan: Analysis Perspective
http://www.youtube.com/watch?v=UZD53ZgV848
41. IBM Security Systems
Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection
and response to improper access from within and outside your enterprise. Improper access can result in information being altered,
destroyed or misappropriated or can result in damage to or misuse of your systems, including to attack others. No IT system or product
should be considered completely secure and no single product or security measure can be completely effective in preventing improper
access. IBM systems and products are designed to be part of a comprehensive security approach, which will necessarily involve
additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT
WARRANT THAT SYSTEMS AND PRODUCTS ARE IMMUNE FROM THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.
ibm.com/security
© Copyright IBM Corporation 2013. All rights reserved. The information contained in these materials is provided for informational
purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages
arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the
effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the
applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services
do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in
these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to
be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are
trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product,
or service names may be trademarks or service marks of others.
Editor's notes

Advanced Security and Threat Research, which includes the X-Force team, is the foundation for many of the pillars in the security product portfolio. As the team tasked with staying on top of the latest threats and vulnerabilities, the information it provides is a critical aspect of providing protection to the other parts of the framework. The rest of this deck will talk to the specific capabilities of this team, as well as some specific integration points between the X-Force research and the products to which they add value.

The way we are able to provide such broad coverage is through our research organization.
This represents about 6,000 people worldwide.
A big component of the research used in the XGS is from X-Force
- Established in 1997
- Top engineers doing applied security research into attack trends and techniques and coming up with counter-measures
- Also involves technology such as our web crawler, which is a key component to our reputation capabilities
Also includes data from other parts of IBM, such as our managed services org
- 13B events every day across 133 countries drives intelligence (rep, vulns, etc.) that ends up in the product
In addition, IBM research is also constantly working on new innovations with a security slant, resulting in over 1000 patents to date.
So when a customer buys the XGS, they are essentially getting all of this research in a box.

2012 was a record year for reported data breaches and security incidents, with a 40 percent increase in total volume over 2011. In the first half of 2013, security incidents have already surpassed the total number reported in 2011 and are on track to surpass 2012. This year kicked off with a number of high profile sophisticated attacks on major websites, media, and tech companies.

No single automated analysis technique can find all possible vulnerabilities. Each technique has its own strengths and blind spots, which is why a single point tool can leave you exposed. To find the most vulnerabilities, you should employ all the analysis techniques available today. IBM has combined a leading Static Analysis solution (developed by Ounce Labs) with a leading Dynamic Analysis solution (developed by Watchfire). IBM has combined these two established technologies, and has since added Hybrid analysis to combine and correlate their results. In 2011, IBM added new techniques for client-side analysis (aka Javascript Analyzer) and most recently run-time analysis (aka Glassbox).

Static Analysis examines the source code for potential vulnerabilities. Static analysis can be used earlier in the development cycle, because you don’t need a running application. Static analysis can also produce a large volume of results, which can overwhelm development teams. Also, developers may question whether an identified vulnerability can be exploited (i.e. the “issue” could be mitigated somewhere else in the code, so it may not manifest itself as a true vulnerability).

Dynamic Analysis tests a running application, by probing it in similar ways to what a hacker would use. With Dynamic Analysis results, it is easier to connect the vulnerability and a potential exploit. Dynamic Analysis is reliant on an ability to automatically traverse an application and test possible inputs. With Dynamic Analysis, the auditor is always asking “did I get proper test coverage”. Because Dynamic Analysis requires a running application, it typically cannot be used until an application is ready for functional testing (i.e. later in the development cycle).

Hybrid Analysis brings together Dynamic and Static to correlate and verify the results. Issues identified using dynamic analysis can be traced to the offending line of code. Issues identified in static analysis can be validated with an external test.

Client-side Analysis (aka JSA) analyzes code which is downloaded to the client. As more functionality is performed client-side, the prospect of client-side vulnerabilities and exploits increases. This capability, new in 2011, is unique in the market.

Run-time Analysis (aka Glassbox) places a run-time agent on the application machine, and analyzes the application as it is being tested. This combines the aspects of Dynamic and Static analysis at run-time, finding more vulnerabilities with greater accuracy. Glassbox analysis was introduced in the most recent release of AppScan, at the end of 2011.