Static Application Security Testing (SAST) introduces challenges with existing Software Development Lifecycle Configurations. Strategies at different points of the SDLC improve deployment time, while still improving the quality and security of the deliverable. This session will discuss the different strategies that can be implemented for SAST within SDLC—strategies catering to developers versus security analysts versus release engineers. The strategies consider the challenges each team may encounter, allowing them to incorporate security testing without jeopardizing deadlines or existing process.

1. © 2014 IBM Corporation
Static Application Security
Testing Strategies for
Automation and Continuous
Delivery
Presented by Aspect Security and IBM

2. Presenters
Kevin Fealey
• Lead, Automation and Integration Services @ Aspect
Security
• 5+ years of experience with SAST and DAST tools
• @secfealz
William Frontiero
• IBMer
• Senior Worldwide Escalation Engineer AppScan Source
• 10 Years SDLC experience, including 2 years of SAST
tools
1

3. Takeaways
• What is SAST?
• Common SAST Usage
• SAST Automation
• Provide faster feedback to developers
• Simplify the security analysis workflow
• Incorporating Open Source Tools
• Looking at the AppScan SDK
• Jenkins Plugin
• Next Steps
• Improved AppScan Source API
• Application Server Importer
2

4. What is SAST and Why
Do We Need It?

5. Why do we need tools?
44
More apps to
review
Flat AppSec
budgets
A need for
scalable, efficient
solutions
Vulnerabilities
are being
introduced
This is starting to change, but slowly…

6. 5
When to Fix Security Issues
Fixing an issue in development is 30x cheaper than when it’s
in production!
5
$139.00
$1,390.00
$2,780.00
$4,170.00
$-
$500.00
$1,000.00
$1,500.00
$2,000.00
$2,500.00
$3,000.00
$3,500.00
$4,000.00
$4,500.00
Coding Testing Beta Release
Cost to Fix a Vulnerability
Depends on When it is Found

7. How SAST Works
6
DoPost() {
String username =
request.getParameter("username");
String password =
request.getParameter("password");
String query = "SELECT * from tUsers
where " + "userid='" + username + "' " +
"AND password='" + password + "'";
ResultSet rs =
stmt.executeQuery(query);
}
GetParam
ExecuteQuery
Str.Append
DoPost
DoPost
GetParam
Str.Append
ExecuteQuery
GetParam
ExecuteQuery
Str.Append
DoPost
Apply
vulnerability rules
Compile and translate

8. 7
SAST’s Benefits
• Static Application Security Testing (SAST)
• Analyzes applications at rest (source code/compiled
code)
• Automates code review… to a point
• Data/control flow analysis and advanced grep
• Ex. IBM Security AppScan Source
7
Strengths
• Can traverse millions of lines of code in hours
• If it can find one instance of an issue, it can find all
instances in the application
Weaknesses
• Application must build
• Lots of false-positives out-of-the-box

9. © 2014 IBM Corporation
Common SAST Usage

10. 9
Continuous Improvement Environment
9
CONFIGURE
TRIAGE
ASSIGNREMEDIATE
AppScan Source
•For Analysis
•For Development
•For Automation
AppScan Enterprise
AppScan Source
•For Remediation
•For Development
REPORT
High-confidence findings
>>
> > > > >
AppScan Source
•For Analysis
AppScan Source
•For Analysis
SCAN

11. Receive a source
code archive
Extract code and
import into
AppScan Source
Scan, resolve
compilation issues
(often many)
Triage scan
results
Export or write
report
Deliver Report
Begin again with a
new application
10
Security Analyst Workflow
Security Professionals using AppScan Source for Security:
10
Total time: 2-3 weeks / application
• Applications are scanned once per year or less
• Minimal carry-over for subsequent scans

12. Click scan
Wait for scan to
complete
Triage scan
results
Resolve
vulnerabilities
Check code into
central
repository
11
Developer Workflow
Any developer using AppScan Source for Development:
11
Total Time: ½ - 1 day
• Developers cannot develop while scanning (can take hours)
• Developers are not security experts
• Scan workflow interrupts agile workflows

13. SAST Automation

14. Automation Components
• Continuous Integration (CI) Server (ex. Jenkins)
• AppScan Source (or other SAST tool)
• AppScan Enterprise (or other Dashboard/Reporting tool)
• Source code repositories (SVN, ClearCase, git, etc.)
13
Example Architecture

15. 14
Security Analyst Workflow
Security Professionals using AppScan Source for Security:
First Scan:
14
Sync Code
Import into
AppScan
Source
Scan, resolve
compilation
issues
Configure scan
frequency in CI
server
Total time: 2-3 days
Subsequent Scans:
Log into CI
server
Click Scan
Download
assessment
file and triage
scan results
Total time: 1 day

16. 0
2
4
6
8
10
12
Current Workflow Automation Workflow
Days
Per Application
Subsequent Scans
Scan Configuration
Security Engineer Scan Workflow Time in Days
15

17. 16
Centralized Bundles
16
Use of a centralized environment drastically reduces the time
required for subsequent assessments.
Security Analyst
Only new findings
are triaged
(and bundled)
Scan Server
Scan Results
Downloaded
Triaged Scan Results
(Bundled)
Security Analyst
Subsequent Scans
Triaged
Results
Uploaded
Scan Results
Downloaded
New Vulnerabilities
Already Triaged
Initial Scan

18. 17
Developer Workflow
• Any Developer (IDE Plugin optional)
Total time: Minutes 17
Check code
into central
repository
Receive high-
confidence
findings via e-
mail
Resolve
vulnerabilities

19. 0
0.2
0.4
0.6
0.8
1
1.2
Current Workflow Automation Workflow
Days
Per Application
Developer
Developer Scan Workflow Time in Days
18

20. 19
Potential Scans Per Year
19
26
65
0
10
20
30
40
50
60
70
Current Workflow Automation Workflow
Applications
Workflow
Per Security Analyst
Security Analyst
(best case scenario)

21. Enterprise Rollout of AppScan Source: Strategy
20
Application Portfolio
Less CriticalMore Critical
Coverage/Assurance
Scan
Scan
Scan
FullScan/Review
Remediation
Guidance
IncreaseCoverage
ReduceRisk
• More time to review critical applications
• More time to find and fix complex issues

22. Improving Security Visibility
Business and
Executive Management
Software
Development Security
and Audit
Visibility
• Developers receive everything they need to resolve issues.
• Managers receive everything they need to make smart business
decisions.
• IT Security receives everything they need to understand
compliance risks.

23. Build/Release Engineer & Dev Ops
• Automate (CI/scripts) simple security checks before each CD release
• No security expertise required
– If certain vulnerability types are found, do not push release/notify stakeholders
– Only sees actionable results
• Iterative triage to accumulate vulnerable/trusted patterns and APIs
• Incremental vulnerability reporting
• Only investigate new vulnerabilities to reduce remediation time and focus
on what is new and relevant
22
Security

24. Demo

25. Scan With No Custom Rules
24

26. Automation Performed Through Jenkins
25

27. View of Custom Rules Created
26

28. Results
27

29. Jenkins Plugin

30. 29
Open Source Jenkins Plugin
• Available TODAY!
• As a work in progress 
• Developed by Aspect Security and IBM
• Hosted on GitHub
• https://github.com/aspectsecurity/sensor-integration-framework
29

31. Next Steps

32. 31
What’s Next?
• The AppScan Source SDK continues to improve
• Assessment Parsing for External tooling
• Viewing findings in Web Portal
• Diffing at the SDK level
• Improve Jenkins Plugin
• Support Additional Dashboard/Reporting Engines:
– Jenkins
– SonarQube
• AppScan Source App Server Importer Plugin Architecture
• Point and Shoot Discovery of EARs and WARs
• Discover Applications via Import
• Successive scans can be run via automation
31

33. Questions?

34. More Questions
William Frontiero: wfronti@us.ibm.com
Kevin Fealey: Kevin.Fealey@AspectSecurity.com
@secfealz
https://github.com/aspectsecurity/sensor-integration-framework
33

35. 34
Notices and Disclaimers
Copyright © 2015 by International Business Machines Corporation (IBM). No part of this document may be reproduced or
transmitted in any form without written permission from IBM.
U.S. Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with
IBM.
Information in these presentations (including information relating to products that have not yet been announced by IBM) has been
reviewed for accuracy as of the date of initial publication and could include unintentional technical or typographical errors. IBM
shall have no responsibility to update this information. THIS document is distributed "AS IS" without any warranty, either express
or implied. In no event shall IBM be liable for any damage arising from the use of this information, including but not limited to, loss
of data, business interruption, loss of profit or loss of opportunity. IBM products and services are warranted according to the terms
and conditions of the agreements under which they are provided.
Any statements regarding IBM's future direction, intent or product plans are subject to change or withdrawal without
notice.
Performance data contained herein was generally obtained in a controlled, isolated environments. Customer examples are
presented as illustrations of how those customers have used IBM products and the results they may have achieved. Actual
performance, cost, savings or other results in other operating environments may vary.
References in this document to IBM products, programs, or services does not imply that IBM intends to make such products,
programs or services available in all countries in which IBM operates or does business.
Workshops, sessions and associated materials may have been prepared by independent session speakers, and do not
necessarily reflect the views of IBM. All materials and discussions are provided for informational purposes only, and are neither
intended to, nor shall constitute legal or other guidance or advice to any individual participant or their specific situation.
It is the customer’s responsibility to insure its own compliance with legal requirements and to obtain advice of competent legal
counsel as to the identification and interpretation of any relevant laws and regulatory requirements that may affect the customer’s
business and any actions the customer may need to take to comply with such laws. IBM does not provide legal advice or
represent or warrant that its services or products will ensure that the customer is in compliance with any law.

36. 35
Notices and Disclaimers (con’t)
Information concerning non-IBM products was obtained from the suppliers of those products, their published
announcements or other publicly available sources. IBM has not tested those products in connection with this
publication and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM
products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.
IBM does not warrant the quality of any third-party products, or the ability of any such third-party products to
interoperate with IBM’s products. IBM expressly disclaims all warranties, expressed or implied, including but not limited
to, the implied warranties of merchantability and fitness for a particular purpose.
The provision of the information contained herein is not intended to, and does not, grant any right or license under any
IBM patents, copyrights, trademarks or other intellectual property right.
• IBM, the IBM logo, ibm.com, Bluemix, Blueworks Live, CICS, Clearcase, DOORS®, Enterprise Document
Management System™, Global Business Services ®, Global Technology Services ®, Information on
Demand, ILOG, Maximo®, MQIntegrator®, MQSeries®, Netcool®, OMEGAMON, OpenPower,
PureAnalytics™, PureApplication®, pureCluster™, PureCoverage®, PureData®, PureExperience®,
PureFlex®, pureQuery®, pureScale®, PureSystems®, QRadar®, Rational®, Rhapsody®, SoDA, SPSS,
StoredIQ, Tivoli®, Trusteer®, urban{code}®, Watson, WebSphere®, Worklight®, X-Force® and System z®
Z/OS, are trademarks of International Business Machines Corporation, registered in many jurisdictions
worldwide. Other product and service names might be trademarks of IBM or other companies. A current list
of IBM trademarks is available on the Web at "Copyright and trademark information" at:
www.ibm.com/legal/copytrade.shtml.

37. Thank You
Your Feedback is
Important!
Access the InterConnect 2015
Conference CONNECT Attendee
Portal to complete your session
surveys from your smartphone,
laptop or conference kiosk.